b'<html>\n<title> - CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR RESPONSES</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR \n                               RESPONSES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            FEBRUARY 8, 2012\n\n                               __________\n\n                           Serial No. 112-112\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n82-628                    WASHINGTON : 2014\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.  \n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\n\nJOE BARTON, Texas                    HENRY A. 
WAXMAN, California\n  Chairman Emeritus                    Ranking Member\nCLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nJOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York\nMARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  ANNA G. ESHOO, California\nMIKE ROGERS, Michigan                ELIOT L. ENGEL, New York\nSUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas\n  Vice Chairman                      DIANA DeGETTE, Colorado\nJOHN SULLIVAN, Oklahoma              LOIS CAPPS, California\nTIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania\nMICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois\nMARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas\nBRIAN P. BILBRAY, California         JAY INSLEE, Washington\nCHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin\nPHIL GINGREY, Georgia                MIKE ROSS, Arkansas\nSTEVE SCALISE, Louisiana             JIM MATHESON, Utah\nROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina\nCATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia\nGREGG HARPER, Mississippi            DORIS O. MATSUI, California\nLEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin \nBILL CASSIDY, Louisiana              Islands\nBRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida\nPETE OLSON, Texas\nDAVID B. McKINLEY, West Virginia\nCORY GARDNER, Colorado\nMIKE POMPEO, Kansas\nADAM KINZINGER, Illinois\nH. MORGAN GRIFFITH, Virginia\n\n                                 7_____\n\n             Subcommittee on Communications and Technology\n\n                          GREG WALDEN, Oregon\n                                 Chairman\nLEE TERRY, Nebraska                  ANNA G. 
ESHOO, California\n  Vice Chairman                        Ranking Member\nCLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts\nJOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania\nMARY BONO MACK, California           DORIS O. MATSUI, California\nMIKE ROGERS, Michigan                JOHN BARROW, Georgia\nMARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin \nBRIAN P. BILBRAY, California             Islands\nCHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York\nPHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey\nSTEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois\nROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado\nBRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan (ex \nADAM KINZINGER, Illinois                 officio)\nJOE BARTON, Texas                    HENRY A. WAXMAN, California (ex \nFRED UPTON, Michigan (ex officio)        officio)\n\n                                  (ii)\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement......................................     1\n    Prepared statement...........................................     4\nHon. Anna G. Eshoo, a Representative in Congress from the State \n  of California, opening statement...............................     7\nHon. Edward J. Markey, a Representative in Congress from the \n  Commonwealth of Massachusetts, opening statement...............     8\nHon. Joe Barton, a Representative in Congress from the State of \n  Texas, opening statement.......................................     8\n    Prepared statement...........................................    10\nHon. 
Lee Terry, a Representative in Congress from the State of \n  Nebraska, opening statement....................................    12\nHon. Mike Rogers, a Representative in Congress from the State of \n  Michigan, opening statement....................................    12\nHon. Doris O. Matsui, a Representative in Congress from the State \n  of California, opening statement...............................    13\nHon. Cliff Stearns, a Representative in Congress from the State \n  of Florida, prepared statement.................................   114\nHon. John D. Dingell, a Representative in Congress from the State \n  of Michigan, prepared statement................................   115\n\n                               Witnesses\n\nBill Conner, President and Chief Executive Officer, Entrust......    14\n    Prepared statement...........................................    17\n    Answers to submitted questions...............................   119\nRobert B. Dix, Jr., Vice President, Government Affairs and \n  Critical Infrastructure Protection, Juniper Networks...........    26\n    Prepared statement...........................................    29\n    Answers to submitted questions...............................   127\nJames A. Lewis, Director and Senior Fellow, Technology and Public \n  Policy Program, Center for Strategic and International Studies.    42\n    Prepared statement...........................................    44\n    Answers to submitted questions \\1\\\nLarry Clinton, President and Chief Executive Officer, Internet \n  Security Alliance..............................................    51\n    Prepared statement...........................................    53\n    Answers to submitted questions \\2\\...........................   136\nPhyllis Schneck, Vice President and Chief Technology Officer, \n  Public Sector, McAfee, Inc.....................................    73\n    Prepared statement...........................................    
76\n    Answers to submitted questions...............................   210\n\n                           Submitted Material\n\nMajority memorandum..............................................   116\n\n----------\n\\1\\ Mr. Lewis did not answer submitted questions for the record \n  by the time of printing.\n\\2\\ Additional information provided by Mr. Clinton and referenced \n  on page 141 is available at http://www.verizonbusiness.com/\n  resources/reports/rp_data-breach-investigations-report-\n  2011_en_xg.pdf.\n\n\n CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR \n                               RESPONSES\n\n                              ----------                              \n\n\n                      WEDNESDAY, FEBRUARY 8, 2012\n\n                  House of Representatives,\n     Subcommittee on Communications and Technology,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:39 a.m., in \nroom 2322 of the Rayburn House Office Building, Hon. 
Greg \nWalden (chairman of the subcommittee) presiding.\n    Members present: Representatives Walden, Terry, Stearns, \nShimkus, Rogers, Blackburn, Bilbray, Bass, Gingrey, Scalise, \nLatta, Guthrie, Kinzinger, Barton, Eshoo, Markey, Doyle, \nMatsui, Barrow, Christensen, and Waxman (ex officio).\n    Staff present: Carl Anderson, Counsel, Oversight; Gary \nAndres, Staff Director; Ray Baum, Senior Policy Advisor/\nDirector of Coalitions; Nicholas Degani, FCC Detailee; Neil \nFried, Chief Counsel, Communications and Technology; Debbee \nKeller, Press Secretary; Katie Novaria, Legislative Clerk; \nDavid Redl, Counsel, Communications and Technology; Jeff Cohen, \nDemocratic FCC Detailee; Kara Van Stralen, Democratic Special \nAssistant; Shawn Chang, Democratic Chief Counsel, \nCommunications and Technology; and Roger Sherman, Democratic \nChief Counsel, Energy and Commerce.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. I am going to call to order the Subcommittee \non Communications and Technology. I want to welcome our members \nand our witnesses for today\'s hearing on cybersecurity threats \nto communications networks and private sector responses.\n    Back in October, the House Republican Cybersecurity Task \nForce recommended that the committees of jurisdiction review \ncybersecurity issues. So this hearing continues our committee\'s \nreview of cybersecurity issues with an examination of threats \nto communications networks and the responses of the private \nsector. Threats to communications networks have come a long way \nin a very short time and they are very, very real and serious.\n    Before coming to Congress, I spent about 22 years as a \nradio broadcaster. And as a small businessman, I had to worry \nabout securing our communications network, and back then, 20 \nyears ago, it was relatively straightforward. 
You had to have a \nfence around the tower and you couldn\'t let people get near the \ntransmitter and a few things like that. And every once in a \nwhile somebody would come and shoot an insulator out or \nsomething and you kind of got grumpy and had to repair that, \nand every once in a while some idiot would try to cut the guy \nwires, and those usually spun around and got them. That never \nhappened at my stations, but it does happen occasionally. But \nall of that was sort of security of that wireless age. Not \nanymore.\n    While physical security remains important, cybersecurity \nhas also become a pressing concern. Now a small business \nconfronts a dizzying array of threats online from the Zeus \nTrojan horse to Stuxnet, from LulzSec to botnets. These threats \nare serious. Unless our cyber defenses hold, a bad actor could \ndrain the bank account of a business, crash an online company\'s \nWeb site, or launch a barrage of cyber attacks on a company\'s \nnetwork. Those are serious consequences for any business, and \nespecially for the small businesses that are at the heart of \ncreating new jobs in this economy. And indeed, in our small \nbusiness, I don\'t know, 10 years or so ago when we did create a \ncomputer network and put everything up on digital audio, our \nmain server was hacked and taken over, and all of a sudden it \nstarted running slower and slower and slower and eventually we \ndetermined it had been overtaken.\n    Every month, we learn more about these cyber threats, and \nwhat we have learned thus far is of great concern. I am \nconcerned that our communications networks are under siege. I \nam worried that the devices consumers use to access those \nnetworks are vulnerable, and I am concerned that our process \nfor looking at communications supply chain issues lacks \ncoordination. 
I am also concerned that our cyber defenses are \nnot keeping pace with the cyber threats.\n    Now, in this hearing, we are lucky to have the voices of \nfive private sector witnesses to guide us through the complex \nissue of cybersecurity. I am hoping that you will tell me that \ncyberspace is secure and we can all rest easy at night. \nUnfortunately, I have read your testimony and it is not so. So \nI expect that you will tell us that the threats to our \ncommunications networks are all too real, American businesses \nare losing dollars, jobs, intellectual property and much, much \nmore because of cyber crime and cyber espionage, and that our \nnational security is potentially at risk as well.\n    I also expect that you will explain what the private sector \nis doing to fortify our cybersecurity defenses. The private \nsector owns most of the critical infrastructure--the wires, the \nservers, the towers and base stations--that make up our \ncommunications networks, and they are on the front lines of \ncybersecurity. So I want to know what cybersecurity services \nare being offered to consumers, what protections are being \ndeployed in our communications networks, and what affirmative \nsteps the private sector has taken to lock down the supply \nchain and to combat cyber crime.\n    I also expect to hear what you think the appropriate--and \nunderscore ``appropriate\'\'--the Federal role is. Are Federal \nlaws and regulations helping or interfering with information \nsharing? Are Federal regulations of cybersecurity practices \nappropriate, and if so, how? Should the Federal Government be \nproviding incentives for Internet service providers and other \nmembers of the private sector to invest and innovate in the \ncybersecurity arena? 
And how should our country\'s fiscal state \nshape our discussion of the Federal role?\n    These questions and others will form the basis for deciding \nwhat cybersecurity legislation, if any, is needed in the near \nterm, and how we can best secure cyberspace in the long run. So \nI want to thank the panelists today for taking time out of your \nschedules to be here to help inform this important subcommittee \nand the Energy and Commerce Committee on what we should do and \nhow we can be better informed in doing our job.\n    [The prepared statement of Mr. Walden follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T2628.001\n    \n    [GRAPHIC] [TIFF OMITTED] T2628.002\n    \n    [GRAPHIC] [TIFF OMITTED] T2628.003\n    \n    Mr. Walden. With that, I would recognize the gentlelady \nfrom California, the ranking member of the subcommittee, Ms. \nEshoo, for an opening statement.\n\n OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Eshoo. Thank you, Mr. Chairman, for convening this \nmorning\'s important hearing, and I want to welcome the \nwitnesses and I am especially pleased that Juniper Networks and \nMcAfee, two outstanding Silicon Valley companies, are here to \ntalk to us about tackling the challenges of cybersecurity this \nmorning.\n    We all recognize the serious threat to our Nation\'s \ncommunications networks. Since 2006, the number of Federal \ncybersecurity incidents reported to the Department of Homeland \nSecurity has increased by 659 percent. That is a whopping \nnumber. And the economic impact of these incidents is equally \nsignificant. A recent study by the Ponemon Institute estimated \nthat the median annualized cost of cyber crime to a victim \norganization is $5.9 million per year, an increase of 56 \npercent from 2010.\n    The more we rely on the Internet to conduct our business, \nthe more vulnerabilities we create for hackers to exploit. 
\nHaving served as a member of the House Intelligence Committee \nfor 8 years, I am very well aware of the threat, not just from \ncriminal hackers but also obviously from other countries. But \ntalking about the problem is not enough. We need to act, and \nthat requires the help of both the private sector and the \nFederal Government. The private sector really represents 95 \npercent of this, the Federal Government the other 5 percent.\n    One of the first steps to tackling this growing threat is, \nI think, education and training. Whether at home or in the \nworkplace, every American should understand what they can do to \nprotect themselves against a cyber attack. Improved information \nsharing is also a key aspect of our Nation\'s response to \ncybersecurity. If we are going to ask industry to report \ncybersecurity incidents to the government, then we need to \nestablish a clear process to do so.\n    I am pleased to support our colleague Mike Rogers\' effort, \nthe Cyber Intelligence Sharing and Protection Act of 2011. That \nis one of three or four bills in the House. There are at least \nthree or four in the Senate as well.\n    It is also important to recognize that timely alerts to \nconsumers and businesses can be the difference between an \nisolated cybersecurity incident and one that impacts millions \nof users. A voluntary ISP code of conduct currently being \ndeveloped by the FCC is one of the proposed ways to alert \nconsumers when a botnet or other malware infection is \ndiscovered.\n    Today\'s hearing is a very important opportunity for us to \nbetter understand our subcommittee\'s role in cybersecurity \nincluding what role the FCC and NTIA should play in protecting \nour Nation\'s communication networks and how the private sector \nand other Federal agencies should interact with them.\n    So thank you to all of the witnesses, those that come from \nSilicon Valley to instruct us, and with what remaining time I \nhave I would like to yield to Mr. 
Markey.\n\nOPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN \n        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS\n\n    Mr. Markey. I thank the gentlelady.\n    Last week, FBI Director Robert Mueller testified that cyber \nthreats will soon surpass terrorism as the number one threat \nfacing the United States. We know from the Department of \nHomeland Security that there have already been threats to the \nutility sector. We also know that Russia and China have probed \nour electricity grid to find vulnerabilities.\n    Our economy hinges on a reliable flow of power with losses \nthat go into the billions of dollars with every major blackout. \nOur national security also depends upon it since 99 percent of \nthe electricity used to power our military facilities including \ncritical strategic command assets comes from the commercially \noperated grid.\n    Last September, I asked all five commissioners from the \nFederal Energy Regulatory Commission under our jurisdiction to \nname the number one threat to electricity reliability. All five \ncommissioners agreed, cyber threats are the number one threat \nto the grid.\n    In 2009, the full Energy and Commerce Committee unanimously \npassed the GRID Act, which I authored along with Chairman \nUpton. That bill gave FERC the authority to quickly issue grid \nsecurity orders or rules that vulnerabilities or threats have \nnot been adequately addressed by the industry. It was killed in \nthe Senate. All five FERC commissioners also agreed that giving \nFERC this authority would increase America\'s ability to secure \nour electric grid.\n    With cyber threats growing by the day threatening our \nsecurity and our economy, it is imperative that this committee \npass the GRID Act so that we can move it forward and empower \nthe FERC to move quickly to safeguard the electric grid from \ncyber threats that are not sufficiently addressed by industry. 
\nWe should listen to FBI Director Mueller, to the FERC and to \nthe warnings coming from Russia and China. We should pass the \nGRID Act soon.\n    I yield back.\n    Mr. Walden. I thank the gentleman for his comments, and we \nare now going to recognize the chairman emeritus of the \ncommittee, Mr. Barton.\n    Before I do that, I just want to say how important it is to \nhave members who have been so engaged on this, and especially \nwe are blessed to have Anna here, who served on the \nIntelligence Committee, and Mike Rogers, who chairs it now, and \nLee Terry and Mr. Latta and Mr. Murphy, who is not part of the \nsubcommittee but were on the cybersecurity task force the \nSpeaker appointed, so all of that is most helpful as we tackle \nboth of these issues.\n    I now recognize the gentleman from Texas, Mr. Barton.\n\n   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Barton. Thank you, Chairman Walden. I thought Mr. \nMarkey was going to say the experts said the biggest threat to \nour grid was the EPA, but he went a different way with that.\n    Back in 2006, Subcommittee Chairman Upton held a hearing on \nthis very same issue, and as full committee chairman, he and I \nsent a letter to the GAO asking them to take a look at this \nissue. The response that we received then is the response that \nwe are receiving today and that is that it is quite possible \nthat we could have a major attack, a cyber attack, in this \ncountry that would dramatically affect our country.\n    According to the Norton cyber crime report for this last \nyear, cyber crime is a $388 billion industry with 431 million \nadults experiencing at least one cyber crime in the last year. \nIn another study, research has shown that the median \nannualized cost of cyber crime for companies is over $6 million \na year with the range being between $1.5 million to $36 million \nper year. 
Now, these are real numbers, real statistics and that \nis for the year 2011.\n    As we use the Internet more and more every day, it is \nabsolutely imperative, Mr. Chairman and Ranking Member Eshoo, \nthat we really take this seriously, and as you have pointed out \nand Anna has pointed out, it is good to have the chairman of \nthe Select Committee on Intelligence on this subcommittee \nbecause he has access to information that could be useful if \nand when we decide to legislate.\n    So thank you, Mr. Chairman, for holding the hearing. As you \nknow, there is an EPA hearing downstairs in the energy \nsubcommittee, so I will be shuttling back and forth.\n    [The prepared statement of Mr. Barton follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T2628.004\n    \n    [GRAPHIC] [TIFF OMITTED] T2628.005\n    \n    Mr. Walden. Mr. Chairman, if you don\'t mind yielding to Mr. \nTerry?\n    Mr. Barton. I will yield 2 minutes.\n\n   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF NEBRASKA\n\n    Mr. Terry. Thank you, Mr. Barton and Mr. Chairman.\n    This is an extremely important hearing and that we have to \nelevate the level of discussion and potential solutions.\n    There is only one silver bullet that exists to prevent \ncyber crimes. That is to completely disconnect your computer \nfrom any network. Use it as a paperweight. Maybe just play \nsolitaire. That is it. If you are going to engage in any level \nof commerce using the Internet, you are at risk, and the only \nthing we can do is to try to minimize it. There is no silver \nbullet.\n    Why these folks are here today is for us to understand what \ntools may be available. In the cyber task force, one of the \nthings that we concluded is that the vast majority of everyday \nhacking can be maybe not prevented but go a long way which is \nbasic security features offered by private sector today or the \nnetworks or ISPs. 
But we have to have people to actually \npurchase those or use those tools. In fact, there was one \nincident in Omaha with our entity that controls our facilities \nthat never thought that it was important to have those type of \nsecurities, and guess what? They were hacked and all of their \ninformation was stolen.\n    But then the next level is where it gets dicey. How do you \nprotect people? How do they protect their data? We can\'t engage \nin setting the standards because frankly we set the standards. \nBefore the ink is dry on the bill, the standards have changed.\n    So you are here to help us understand what solutions may be \navailable to minimize and help secure our infrastructure, and I \nwant to thank you all for being here today. Does anybody else \nwant 48 seconds?\n    Mr. Walden. Mr. Rogers.\n\n  OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Mr. Rogers. Thank you very much. In the short time that we \nhave, I can\'t tell you a more important issue.\n    There are a lot of things that can keep you up, as the \nchairman of the Intelligence Committee, and this one is one of \nthe main ones. Eighty percent of the attacks that happen every \nday can be prevented by the operator. It is those other 20 \npercent that are the devil in the details. Between criminal \nattacks, economic espionage, disruption or attacking, as we \nwould call it, on cybersecurity, we have a very real and \npresent danger when it comes to cyber threats to our networks.\n    Nobody is more integrated than the United States, and \ntherefore we are more at risk than other countries. I do \nbelieve it is unprecedented in history that such a massive and \nsustained intelligence effort by a government to blatantly \nsteal commercial data and intellectual property to use against \nthe United States is well underway. We don\'t talk about it a \nlot because companies are reluctant to talk about it. 
The real \nnumber we think is closer to somewhere between $300 billion and \n$1 trillion in lost intellectual property per year. Countries \nlike China are leading that charge. Russia is not far behind. \nIran\'s capabilities are getting better, and the most concerning \nare non-nation states who are developing cyber capability to \nconduct disruption and attack activities against targets like \nthe United States. All are serious problems.\n    I want to thank Anna Eshoo. We did a seminar out at \nStanford University on this very issue. I think it was well \nreceived. Her support of this bill is incredibly important. I \nlook forward to hearing from the witnesses, and I appreciate \nyou being here so that we can get to that next step and \nactually do something that helps us have a fighting chance \nagainst these cyber threats.\n    I yield back, Mr. Chairman.\n    Mr. Walden. The chair recognizes the gentlelady from \nCalifornia, Ms. Matsui, who is going to control Mr. Waxman\'s \ntime.\n\nOPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Matsui. Thank you very much, Mr. Chairman, for holding \ntoday\'s hearing, and I would also like to welcome our witnesses \nhere today and look forward to your testimony.\n    There is no doubt that cyber attacks are real and continue \nto pose significant threats to several aspects of our economy. \nCommunications networks are one of many areas that our Nation \nmust protect and assure safety and soundness, particularly as \nwe consider deploying an advanced nationwide broadband network \nfor public safety. Advanced IP-based technologies and public \nsafety communications heighten the concerns for cybersecurity. \nThis new network, however, will share many of the same cyber \nconcerns as any other network. 
This is something we have to \ntake seriously and must protect.\n    Moreover, our economy continues to experience ever-evolving \ningenuity and innovation in the American technology industry. \nOne of those technologies which will continue to play a \nprominent role in our economy, both in the public and private \nsector, is cloud computing. We are also seeing consumer cloud \napplications like the iCloud. As I see it, one of the key \nissues is the challenge of cybersecurity relating to the cloud.\n    The challenge is to find the critical balance of continuing \nto foster American innovation and growth while combating cyber \nattacks. For the most part, the private sector will need to be \nup to the challenge of managing itself and its networks from \npotential cyber attacks. That said, I do believe that some \nbalance may be appropriate where the government must work \ntogether in partnership with the private sector on enhancing \nour Nation\'s cybersecurity preparedness. Simply put, one cannot \ndo it without the other.\n    Small businesses, many of whom rely on the broadband \neconomy, are also very susceptible to cyber attacks. In many \ninstances, small businesses cannot fend off such attacks \nbecause they do not have a plan or lack the resources. Such an \nattack, though, would be very costly to their businesses. \nDuring this economic recovery, the last thing small business \nowners in my district and across the country need to worry \nabout is a cyber attack that will hinder their business.\n    I am pleased that the FCC recently launched a public-\nprivate partnership, the Small Biz Cyber Planner, which is an \nonline tool that will allow small businesses to create \ncustomized cybersecurity plans. It is important that we \ncontinue to educate small businesses and the public in general \nabout the risks that cybersecurity poses to small businesses, \nthe government and to our economy as a whole. 
I also believe a \nstrong public-private partnership is critical to protect \nagainst cyber attacks. It is my hope that partnership continues \nto foster moving forward.\n    I look forward to exploring appropriate jurisdiction of \nthis committee, given the communications and technology \nrelevance of cybersecurity. I look forward to hearing from the \nwitnesses today and hope that we will have future hearings in \nthis subcommittee so that we can also hear more about the \ngovernment\'s efforts to combat cyber attacks.\n    Again, I thank the chairman for holding today\'s hearings, \nand I would be happy to yield to anyone on our side if they \nwould like to. OK. I yield back the balance of my time.\n    Mr. Walden. The gentlelady yields back the balance of her \ntime.\n    We will now proceed to the witnesses. We have a very \ndistinguished panel. We thank you again for being here today to \nshare the information you have in your testimony, and we are \ngoing to start with Mr. Bill Conner, who is the President and \nChief Executive Officer of Entrust. Mr. Conner, thanks for your \ntestimony and we look forward to your comments.\n\n   STATEMENTS OF BILL CONNER, PRESIDENT AND CHIEF EXECUTIVE \n     OFFICER, ENTRUST; ROBERT B. DIX, JR., VICE PRESIDENT, \n  GOVERNMENT AFFAIRS AND CRITICAL INFRASTRUCTURE PROTECTION, \n JUNIPER NETWORKS; JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW, \nTECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND \n   INTERNATIONAL STUDIES; LARRY CLINTON, PRESIDENT AND CHIEF \n  EXECUTIVE OFFICER, INTERNET SECURITY ALLIANCE; AND PHYLLIS \n SCHNECK, VICE PRESIDENT AND CHIEF TECHNOLOGY OFFICER, PUBLIC \n                      SECTOR, MCAFEE, INC.\n\n                    STATEMENT OF BILL CONNER\n\n    Mr. Conner. Good morning, Mr. Chairman and distinguished \nmembers of the subcommittee. 
It is a privilege and honor to \nspend a morning here with you out of the cyber warfare game to \ndiscuss and educate what is happening below the screen.\n    I would like to focus my early comments on the arms race on \none particular vector of security, and it is called man in the \nbrowser. Now, that vector of security is probably the leading \ncyber stealer in the world today, and it has been around a \nwhile and certainly impacts the small and medium business and \nit is certainly impacting the change and nature of stealing IP \nand money both at a country state and at an organized-crime \nstate.\n    Specifically, it is known as Zeus. It is commonly now \ncombined with SpyEye. For those of you who don\'t know, Zeus was the \noriginal man in the browser software. It started out of the \nUkraine and Russia. It went under its own merger and \nacquisition by its lead competitor in the underground world \ncalled SpyEye. Their tools and technology were next generation. \nThey merged in the fall of 2010 behind the scenes. As law \nenforcement started to attack it, the guy took his money and \nran, combined it. In February of last year, that new code is \nout on the market. You can buy it off the Internet and buy it \nwith 24/7 support. So no longer do you have to be intelligent \nto write the code. You buy it, you pay for the support, and \nthey will help you design your attack vector on which banks, \nwhich geographics you want to do.\n    How does this technology work? It is real simple. It is \nvery complicated. You cannot find it with the traditional \nsoftware that you have on your desktop, whether it is an \nantivirus or the operating system looking for it. It is cloaked \nsoftware that is really targeted at small and medium business \nbecause it is targeted for money. This is a for-money game for \nthat. 
What it basically does, it targets a small or medium \nbusiness that probably doesn\'t have the technology or banking \nunderstanding with its supplier to understand how to deal with \nit. How does it work? I am a treasurer at a small business. I \ngo online to my financial institution. I say I want to move \n$1,000 or $10,000, let us say $10,000, to a supplier. I have an \nagreement with my local bank to have online bill pay. I type \nthat in. The bank sees that but before the bank sees it, this \nsoftware wakes up in the browser and changes the payees from \none supplier to, let us say, six mules. It changes the dollar \namount from $10,000 to $100,000, so what the bank sees is \n$100,000 going to six people. That bank says guess what, we\'ve \ngot good security, you had to use a password, it is on your IP \naddress in your network and your location. I am going to send \nit back because I want a one-time passcode, 30-year-old \ntechnology that we are trying to apply to the digital world. It \nsends it back to the controller of your business and says \nplease confirm by putting your passcode that is going to expire \nin 30 seconds that you authorized this transaction. That \nsoftware wakes back up, converts that $100,000 back to $10,000, \nsix payers back to one. You type in your passcode, hit enter to \nsend it back, and guess what? That $100,000 is now gone from \nthe bank. You lose it, the bank loses it. Six mules that are \ngoing to feed that money back into organized crime around the \nworld are off and running.\n    Unlike the personal side where I am protected by FDIC, my \nfriends, you are protected as a small or medium business by \nnothing, the contract you have written, and if you look around \nthis wonderful country of ours, there is no clear case law. \nThere is case law on both sides of this because the banks said \nI did nothing. 
We have had cases overturned that even though a \nbusiness had only done four transactions in the last year and \n20 transactions happened in six hours totaling $2 million when \nonline was only $500,000, that is what is happening.\n    The good thing is, the technology exists to deal with that \ntoday. The banks aren\'t doing it and small businesses don\'t \nknow what to do. So our belief is very straightforward. Much \nlike quality, there wasn\'t a lexicon. To deal with \ncybersecurity, we need a lexicon. Much like quality, it isn\'t a \none time like year 2000. We need to do it over time. That is \nwhy education is critical.\n    The second thing you must do is have public-private \npartnership. I co-chair the DHS piece. I can tell you, the \nlegislative laws around this do not work for anybody, and I \nthink you have got to break public-private at different levels \nfrom intelligence to the people like me that try to secure the \nU.S. government and others to energy grids where Department of \nEnergy works with those types of organizations.\n    And finally, we must take a unified effort in public and \nprivate to defend because it is an arms race and it is a pace \nas we mentioned earlier. Thank you.\n    [The prepared statement of Mr. Conner follows:]\n\n    Mr. Walden. Mr. Conner, thank you. Excellent testimony. I \nthink we are going to have to recess so we can all go deal with \nour own campaign accounts, and we will be back in about an \nhour. 
We really appreciate it, and we look forward to getting \ninto questions with you and exploring it further.\n    We are now going to go to Mr. Robert Dix, who is Vice \nPresident of Government Affairs and Critical Infrastructure \nProtection for Juniper Networks, which I believe is from your \ndistrict.\n    Mr. Dix. Proudly.\n    Mr. Walden. We are delighted to have you here. Thanks for \ncoming the distance to share your wisdom with us, and please \nproceed.\n\n                   STATEMENT OF ROBERT B. DIX\n\n    Mr. Dix. Thank you, Chairman Walden, Ranking Member Eshoo \nand members of the subcommittee. Good morning. Thank you very \nmuch for inviting me to testify about cybersecurity.\n    Juniper Networks is a publicly held private corporation, \nhardware and software manufacturer, headquartered in Sunnyvale, \nCalifornia, with offices and operations around the world. \nInformation technology and communications networks are embedded \nin all manner of the Nation\'s critical infrastructure including \npower plants and the electrical grid, water filtration systems, \nfinancial systems and transportation networks, just to name a \nfew.\n    While sectorwide risk assessments conducted or being \nconducted in the IT and communications sectors validate that \nnetworks are resilient, it is important to acknowledge that the \nrisk continues to grow and change and our efforts to protect \nand prevent must be sustained and agile. In recognition of this \nreality, the private sector is working every day to protect \nagainst cyber threats through self-driven research and \ninnovation, industry collaboration, and partnerships with \ngovernment.\n    Let me share just a few examples. In 2007, a group of \nprivate sector companies came together to address the issue of \nsoftware assurance and improving the development process \nintegrity of software and hardware products. 
SAFECode, the \nSoftware Assurance Forum for Excellence in Code, is a group of \ncompanies and subject-matter experts that has set aside their \ncompetitive interest to gather and share industry best \npractices through a series of written deliverables that are \navailable not just to the participating companies but to the \nindustry at large.\n    Additionally, in 2008, a group of private sector companies \ncame together to address the need for collaborative, global \nincident response by forming ICASI, the Internet Consortium for \nAdvancement of Security on the Internet. Once again, the \nparticipating companies who compete vigorously in the \nmarketplace routinely share information in an effort to \nmitigate anomalous and abnormal network activity globally \nbecause the cause is greater than any one company.\n    Across the 18 critical infrastructure sectors, we have \norganizations such as ISACs, Information Sharing and Analysis \nCenters, since 1988 working on the operational issues. \nAdditionally, we have sector coordinating councils that were \nderived as a result of the National Infrastructure Protection \nPlan in 2006.\n    The Partnership for Critical Infrastructure Security is the \ncross-sector coordinating council representing all 18 critical \ninfrastructure sectors and working with the Federal Senior \nLeadership Council under the NIPP partnership framework to \nadvance the mission of critical infrastructure protection and \ncybersecurity. In fact, we are currently working with the \nadministration on the implementation around Presidential Policy \nDirective #8 for national preparedness and the review and \nupdate of HSPD-7 regarding an all-hazards approach to critical \ninfrastructure protection and cybersecurity.\n    Mr. Chairman, the number of users connecting to the \nInternet and other networks will continue to grow. 
Global \nInternet traffic is increasing at a rate of 40 to 50 percent a \nyear and is expected to grow to 4 billion users in 2013. The \nexplosion in the use of smartphones and tablets and the advent \nand growth in the use of social media is rapidly changing the \nworkplace and how we communicate--example, an average of 10,000 \ntweets per second the last 3 minutes on the Super Bowl on \nSunday evening--while introducing cyber risks in a way that few \nof us could have imagined only a short time ago. This is the \nessence of technology. It enables us to do what we never could \nhave imagined, and that includes those with nefarious motives. \nThe convenience of the technology has changed banking, \npurchasing, and sharing of personal financial information.\n    So it is only reasonable to expect that the conversation \nabout cybersecurity must include a discussion about economics \nbut there are two sides to this coin. If we focus only on \ntechnology and technology development, we are likely to miss \nthe opportunity to examine the challenges and impediments to \ntechnology and solution adoption. The market is delivering \ninnovation at an unprecedented pace in history. However, the \nevidence would suggest that adoption of available solutions has \nnot kept pace and should be a topic of further examination and \ndiscussion. Many low-cost and no-cost solutions are available \nto improve any users\' protection profile. Accordingly, there \nare many things we can do together. It is reported by reliable \nsources that some 80 percent of the exploited vulnerabilities \nare the result of poor or no cyber hygiene. For me, this is \nbasic blocking and tackling. 
If we can raise the bar of \nprotection, it makes it more difficult and more costly for the \nbad guys to do harm.\n    When our Nation was confronted a couple of years ago with \nthe threat of the H1N1 virus, we mobilized as a Nation to warn \nand advise folks how to protect themselves from the risks of \ninfection. We have the opportunity to use that same model for a \nsustained awareness program to help educate citizens, small \nbusiness, students, nonprofits, and other stakeholders how to \nprotect themselves from the risks of malware, phishing, and \nother forms of infection in cyberspace.\n    Chairman Walden, Ranking Member Eshoo and members of the \nsubcommittee, we must move beyond just thinking about the \nchallenges of today to thinking about the risk profile of \ntomorrow. Today\'s cyber attacks are more complex and often \ndifficult to detect and can target classes of users, even \nspecific users, gaining access to valuable data and causing \nsignificant harm. With a commitment to working together in a \ncollaborative manner, the United States will lead the effort to \nthe protection, preparedness, and resilience of critical \ninfrastructure and cybersecurity.\n    On behalf of my colleagues across the industry and the \nproud employees of Juniper Networks, I thank you again for the \nopportunity to testify before you this morning. The threat is \nreal, the vulnerabilities are extensive, and the time for \naction is now. The American people are counting on us to get \nthis right and the private sector looks forward to continuing \nthe collaborative relationship between Congress, the \nadministration, and private industry on this important issue. \nThank you.\n    [The prepared statement of Mr. 
Dix follows:]\n\n    Mr. Walden. Mr. Dix, thank you very much for sharing those \ncomments with us.\n    We now go to Dr. James A. Lewis, Director and Senior \nFellow, Technology and Public Policy Programs, Center for \nStrategic and International Studies. Dr. Lewis, thank you for \nbeing with us. We look forward to your testimony as well.\n\n                  STATEMENT OF JAMES A. LEWIS\n\n    Mr. Lewis. Thank you, Mr. Chairman, and I would like to \nthank the committee for this opportunity to testify.\n    One thing that military and intelligence experts would \nagree on is that the cybersecurity problem is getting worse, \nnot better. There is straightforward evidence that what we are \ndoing now isn\'t working. Most of these experts also believe \nthat we will not change our laws and policies until there is a \ncrisis. I hope they are wrong.\n    We all recognize the growing dependence of our economy on \ncyberspace and the risk this creates. Director of National \nIntelligence Clapper testified last week about how Iran, which \nis eagerly developing cyber attack capabilities, is losing its \nreluctance to attack the American homeland. 
FBI Director \nMueller testified, as you heard, that the threat we face now \ncomes from terrorism but in a few years the bigger threat will \ncome from cyber attack.\n    The ability to launch damaging attacks is spreading from a \nfew advanced nations to many countries and many hostile groups. \nThere is disagreement about when hackers will disrupt critical \nservices in the United States, but most estimates put it at \nsometime in the next couple of years. Cyber crime and espionage \nare rampant now, costing American jobs and damaging American \neconomic competitiveness and national security.\n    This morning, I was trying to think of what I could say \nthat would be a little different, and I remembered that I \nattended, as a back bencher for the Director of Central \nIntelligence, some of the first meetings in the Clinton \nadministration on commercializing the Internet. Back then, we \nthought that it would be used for e-commerce, that it would be \neBay and Amazon. We didn\'t expect a global network that would \nbecome the premier vehicle for espionage and a potential avenue \nfor attack. We thought that if we made tools and information \navailable, if we freed up encryption, companies and people \nwould voluntarily secure the networks. I am a little \nembarrassed sometimes when I see a paper I wrote for the White \nHouse in 1996 that said that because I was wrong. We made the \nsame mistakes in our approach to critical infrastructure \nprotection.\n    There were three big errors. The incentives for \ncybersecurity vary from company to company and sector to \nsector, and usually they are insufficient. There are legal \nobstacles that limit the ability of governments and companies \nto cooperate and to share information. And in any case, we need \na coordinated defense, not a grab bag of individual actions. 
\nFinally, we did not expect to face world-class opponents, as \nyou heard from some of the earlier testimony, even midrange \nopponents with access to world-class tools. We overestimated \nincentives and underestimated threats and legal obstacles, and \nI would like to point out that Congressman Rogers\' bill would \nbe very useful if we could get it passed in removing some of \nthe legal obstacles that hamper our ability to provide an \nadequate cyber defense. A serious defense requires coordination \nand mandatory action. The big telecom companies are pretty good \nat securing themselves and don\'t need more regulation but the \nother sectors are in bad shape. Some people say regulation is \nburdensome, but if we do not hold critical infrastructure to \nmandatory standards, we guarantee a successful attack. Nor does \nregulation damage innovation. An unregulated Internet is not a \nsubstitute for a business-friendly environment that innovation \nreally needs.\n    Partnership and cooperation must become more than an \nexchange of slogans. Australia has a good model, we heard about \nthat, where the government encouraged Internet service \nproviders to develop a code of conduct to deal with malware. \nThat appears to be working. We are considering in the United \nStates similar options.\n    Finding ways to expand the use of DNSSEC. DNSSEC is a good \nstory. This is a fundamental rule set, the addressing framework \nfor the Internet. We identified problems with it 20 years ago. \nWe identified fixes for it 12 years ago. We have not \nimplemented these fixes. This is one where finding some new \napproach to get people to move faster would be really crucial. \nThe Defense Industrial Base Initiative, which shares \nclassified threat information, is another good example of how \nto do real cooperation.\n    There are many opportunities to improve cybersecurity, but \ntaking advantage of them will require a new approach. 
I think \none thing I can say is everyone wants to make things better. We \nall realize the scope of the problem, and everyone wants to do \nstuff. Hearings like this provide an opportunity to find that \nnew approach that will truly serve national security.\n    I thank the committee for the opportunity and look forward \nto your questions.\n    [The prepared statement of Mr. Lewis follows:]\n\n    Mr. Walden. Dr. Lewis, thank you. We appreciate your \ntestimony, and we will have a few questions for you, especially \non the Australia model.\n    We are going to go now to Mr. Larry Clinton, President and \nChief Executive Officer of Internet Security Alliance. Mr. \nClinton, thank you for being here today. We look forward to \nyour comments.\n\n                   STATEMENT OF LARRY CLINTON\n\n    Mr. Clinton. Good morning, Mr. Chairman, members of the \ncommittee.\n    There has been a dramatic change in the cyber threat \npicture in the last 18 to 24 months. Our main concern is not \nhackers or kids in basements. The fact that a cyber system has \nbeen breached is no longer the metric which determines whether \nor not an attack has been successful. Cyber attacks have grown \nincreasingly sophisticated using what is commonly referred to \nnow as the advanced persistent threat, or the APT. APT \nattackers are pros. They are highly organized, well-funded, \noften state-supported, expert attackers who use coordinated \nsets of attacking methods both technical and personal. Perhaps \nmost indicative of these attacks is if they target a system, \nthey will almost invariably compromise or breach it. 
Unfortunately, \nconventional information security defenses don\'t work against \nthe APT. Attackers are successfully evading all antivirus \nintrusion and traditional best practices, remaining inside the \ntarget\'s network while the target believes they have been \neradicated.\n    This doesn\'t mean that we have no defense. It means that we \nneed to modernize our notion of what constitutes cyber defense. \nTraditional approaches including Federal regulation will not \nsolve the problem because they are going to be largely reactive \nand will not stay ahead of the changing threat nature. Worse, \nbad regulation could be counterproductive, leading companies to \nexpend their limited resources on building in-house efforts to \nmeet regulatory demands rather than focusing on security.\n    The fundamental of stopping the advanced threat is to \nunderstand our biggest problems are not technological, they are \neconomic. Independent research has consistently shown that the \nsingle biggest barrier to combating the cyber threat is cost. \nPresident Obama\'s Cyberspace Policy Review said many technical \nand management solutions that would greatly enhance our \nsecurity already exist in the marketplace but are not being \nused because of cost and complexity. Just last week, Bloomberg \nreleased an extensive study that found that to reach an \nacceptable, not ideal, acceptable level of security in critical \ninfrastructure would require a 91 percent increase in spending.\n    The private sector has been extremely responsive to \ncombating the cyber threat. 
Average spending on cybersecurity \nin the telecommunications industry is $67 million a year with \ngovernance, by the way, including regulatory compliance, being \nthe single biggest thought.\n    Despite the fact that our critical infrastructure is under \nconstant attack, we have never had an instance of serious \nbreakdown, mass deaths, evacuations, economic catastrophe, \nsimilar to what we have seen in the environmental area. This \nsuccess is due in large part to the flexibility generated by \nthe current system, which relies on voluntary partnerships \nwhere an industry understands and can manage the systems best \nand use their intimate knowledge to respond rapidly to emerging \nthreats in a fashion they believe can best protect the system \nrather than being driven by a preset government directive. \nNevertheless, there is a great deal that Congress can do and \nthe Commerce Committee can do to improve our cybersecurity \nright now.\n    First of all, we need to get the government\'s house in \norder. The National Academy of Sciences, the GAO, and just last \nweek the DOE Inspector General have all documented systemic \nproblems in managing government cyberspace. These need to be \naddressed immediately.\n    Second, we need to provide the right mix of incentives and \nregulation. For industries where the economies of the industry \nare tied directly to a regulatory format such as electric \nutilities, water, transportation, etc., the current regulatory \nstructure can be used to motivate and fund needed cyber \nadvancements. For industries where the economics are not \ninherent to a regulatory structure, adding a new regulatory \nstructure will impede innovation and investment, making us less \nsecure. In these sectors, we need to motivate by providing \nappropriate market incentives to spur greater security and \ninvestment. An excellent example of this approach is Mr. 
\nRogers\' bill, which passed the Intelligence Committee a couple \nof weeks ago, which uses liability reforms to stimulate \nadditional information sharing. However, liability reform is \nonly one of many incentives that need to be unleashed to help \nus secure our cyber networks. Other incentives include better \nuse of government procurement, streamlining regulation in \nreturn for demonstrated security improvements, greater use of \nprivate insurance, and streamlined permitting and licensing. \nThis incentive-based approach was spelled out in some detail in \nthe ISA cybersecurity social contract in 2008 and was also \nendorsed by President Obama in the Cyberspace Policy Review in \n2009, the multi-trade Association and Civil Liberties Coalition \nwhite paper on cybersecurity in 2010, and the House Task Force \nreport in 2011.\n    A great deal of work needs to be done to fill out how these \nincentive models can be used in the various sectors. In the \nmeantime, Congress ought to enact FISMA reform or to do the \nRogers information sharing bill and should do a good deal to \nbetter coordinate amongst themselves. Passing that package of \ncybersecurity reforms would be a historic and politically \nachievable goal.\n    Ladies and gentlemen of the Commerce Committee, you are \ndealing with the invention of gunpowder. Mandating thicker \narmor is not going to work any more than building deeper moats \nwas going to stop the hordes and the invaders who invented \ncatapults or the Maginot Line was able to stop the Germans in \nWorld War II. We need a different approach. We need a \ncontemporary and creative approach that engages the private \nsector with government, not having the government control what \nthe private sector does.\n    We really look forward to continuing to work with you.\n    [The prepared statement of Mr. 
Clinton follows:]\n\n    Mr. Walden. Mr. Clinton, thank you very much for your \ntestimony. We appreciate it.\n    Our next and final witness today is Phyllis Schneck, who is \nVice President and Chief Technology Officer of the Global \nPublic Sector, McAfee Incorporated. Dr. Schneck, thank you for \nbeing here today. We look forward to your comments.\n\n                  STATEMENT OF PHYLLIS SCHNECK\n\n    Ms. Schneck. Good morning, Chairman Walden and Ranking \nMember Eshoo and other members of the subcommittee. Thank you \nvery much for the opportunity to be here this morning, and \nthank you for your interest in cybersecurity as it applies to \nthe telecom sector.\n    My testimony will focus this morning on four areas: the \nthreat landscape, the communications sector\'s unique role in \ncybersecurity, private sector technologies and policy \nrecommendations to enable greater cross-sector cyber \nresilience.\n    First, just a bit of background. My technical background is \nhigh-performance computing and cryptography. 
I was raised in \nthis back to the days of the radio tower. My father was one of \nthe first in supercomputing in this country and taught me to \nwrite code. I know how to exploit code, but I was taught the \nresponsibility of that and the responsibility of the computing \npower that we have and I am confused on and passionate about \nprotecting that and protecting good science. I am also focused \non partnership. Outside of McAfee as a volunteer, I ran the \nprivate sector side of the FBI\'s InfraGard program, about which \nDirector Mueller testified several times. I ran that for 8 \nyears and grew that program from 2,000 subject-matter experts \nacross the critical infrastructure sectors to 33,000, and today \nchair the national board of directors for the National Cyber \nForensics and Training Alliance, which brings together the top \nfraud analysts from the banking sector, telecom, \npharmaceuticals, and others with the FBI under the same roof \nand other organizations and governments, do analytics that \nhelped to arrest 400 cyber criminals worldwide in the past 2 \nyears.\n    A little bit about McAfee. We are based in Santa Clara. We \nare the world\'s largest dedicated security company. We protect \nbusiness, governments and consumers all over the world from the \nfull spectrum of cybersecurity attacks. We are a trusted \npartner and adviser on cybersecurity throughout the world, and \nas a wholly owned subsidiary of the Intel Corporation enjoy \ndriving that innovation that goes directly to the hardware. The \nbuck stops at the hardware, so the adversaries can get in in \nseveral different ways, but when a piece of hardware knows not \nto execute a malicious instruction, that is when we have the \nenemy.\n    As you have heard this morning, the cyber threat landscape \nhas evolved. Obviously it is not a dorm-room activity anymore. \nIt is more a mass espionage. 
There are two kinds of companies \nand agencies across the world, public sector and private, those \nwho know they are owned and those who don\'t. We are looking at \nthe mass movement of money markets and jobs between countries \nand companies and we are looking at the threat of destruction \nshould they desire. This enemy is faster and smarter than we \nare at times. They are certainly faster. They have no \nintellectual property boundaries, no legal boundaries, no \npolicy boundaries, and in many cases, they have plenty of \nmoney. They have absolutely no obstacles to execute on our \ninfrastructure.\n    Which leads us to the role of the Internet service \nproviders. In the days when I sent my first packets between my \nsister\'s room and mine, there was nothing in that route except \none address on the other. Now we have an unknown set of routes \nbut we have an ability and a great infrastructure run by the \nISPs that deliver our traffic and that of the adversary very \nreliably. So the enemy has now used our great cyber \ninfrastructures that we built as the good guys over the world \nas a mass executive transport system for malware. They haul \npackets at high speed. They do a great job. They are fairly \nsecure, as was mentioned earlier, but the current Internet \narchitecture allows everything to get delivered to the grid, to \nthe banks, to the rest of the critical infrastructure.\n    ISPs can play a key role in better cybersecurity. They are \nalready doing some of this but they have some challenges. One \nthing they can do is help detect this traffic in the network \nfabric and use some global threat intelligence to do that, and \nI will explain that in just a moment, but imagine if our \nnetwork fabric was smart enough not to route the traffic of an \nadversary and only to route good traffic. Secondly, demand more \nsecure technologies and equipment from the market. 
Demand that \nthose technologies are armed with proactive technologies and \nnot let a malicious instruction run. And third, ISPs can\'t \ncarry the burden alone. As was said earlier, it is up to every \nsystem to be hardened, up to every company and user to harden \ntheir enterprise, and good cyber hygiene plays a role in that.\n    What are the challenges that the ISPs face today? Just to \nname a couple, you have things such as Stored Communications \nAct of 1986, a little while ago. That was before I sent my \nfirst packet. It prevents sharing information outside of the \ntelecoms, so imagine the difficulty in enabling the global \nthreat picture that the enemies use. We can\'t make that rule \nbecause legally we can\'t combine our information together. \nSecondly, it costs a lot of money. Clean bandwidth costs money \nand users aren\'t willing to pay that difference, so we need \nsome help leading to some policy recommendations and some \nproactive technologies.\n    First and foremost, we can put threat intelligence together \nand map a global cyber radar map of where the enemy is at any \ntime. At McAfee, across 160 million endpoints, we see a risk \nprofile in every IP address on the Internet. Other companies do \nthis. Telecoms do this. 
Governments can do this if we can share \nthat information together and make a global threat picture and \nprevent those malicious instructions from running, whether it \nis application listing or working with the hardware, keep the \nenemy out.\n    So for the policy recommendations, we support the \nrecommendations in Representative Thornberry\'s work, certainly \nwith information sharing, insurance reforms and tax credits, \nand certainly in the bill of Representative Rogers and \nRepresentative Ruppersberger enabling the government to finally \nfacilitate the good information sharing, to put that \ninformation together to not only provide liability protections, \nprotections for privacy and for civil liberties, but to balance \nout the advantage that the adversaries had over us until now. \nLet the government facilitate that collaboration so we can \nbuild that global threat picture, feed it back into the network \nfabric, and have it grow as a living, breathing system to feed \nus the information in return. ISPs play a central role in the \nglobal digital infrastructure. They can help us. We can help \nthem. We have to work on this legal and policy framework for \nglobal information sharing.\n    Thank you very much for requesting McAfee\'s views on these \nissues. I look forward to answering any questions.\n    [The prepared statement of Ms. Schneck follows:]\n\n    Mr. Walden. Very impressive testimony. Thank you. 
Thanks \nfor all the work you do to try to keep us secure.\n    We will now go into our question phase, and I wonder, Mr. \nClinton, you talked about incentives and were fairly specific. \nCan you dive down a little deeper in terms of what that means \nin terms of more specifics on the incentives that would make a \ndifference here?\n    Mr. Clinton. Certainly, sir. Thank you. We are supportive \nof the approach that was articulated in the House Task Force \nreport which suggests that a menu of incentives needs to be \ndeveloped because different industries are responsive to \ndifferent things. The defense industrial base may be attracted \nby a procurement incentive, the banking industry maybe by an \ninsurance incentive, the utilities perhaps by getting rid of some \nof the outdated regulation that is based in an analog form \nrather than digitalized. So you need to have a set of \nincentives.\n    On the other hand, you need to have some agreement as to \nwhat needs to be incentivized, and for that, what we have \nsuggested and is in the multi-trade association paper that I \nspoke of before is that we need to have some independent entity \nwhich does not create the standards or practices but simply \nevaluates the standards and practices, an underwriters \nlaboratory for cybersecurity, if you will, and then \norganizations would choose to elect a higher or lower level of \nadoption based on their business plan and their business plan \nwould be improved because they would have access to lower \nliability costs, lower insurance, better chance to get a \nFederal contract, etc. 
So we are saying that we need a new \nsystem, not a government mandate system, but a system where \nthere are government roles such as providing the incentives and \nthere are independent roles, something like this underwriters \nlaboratory, and then responsibility for the owners and \noperators.\n    Now, in those sectors of the economy where the economics is \nalready built into a regulatory model, then you can use that \nregulatory model. You don\'t need a new regulatory model. You \ncan use it. For example, if you are dealing with the utilities, \nthey have generally a fairly detailed regulatory structure. The \nproblem that they are having is that they get mandates at one \nlevel and the funding comes at another level so there is going \nto have to be a correlation done on the government side. But \nbasically we think you need an independent set of entities \nindicating what needs to be incentivized. That can be done on a \ncontinuing basis. Government needs to provide the incentives \nand industry needs to implement them.\n    Mr. Walden. All right. Very helpful. Thank you.\n    Dr. Schneck, so when you and your sister were trading \npackets when you should have been sleeping, obviously, doing \nyour homework, turn out the lights, that was when this threat \nwas really computer to computer. Now we understand it to be \nbigger than that, broader than that and whole networks that can \nbe taken down. So can you describe what those threats look like \nand what should happen there?\n    Ms. Schneck. Absolutely. We did that over a 1200-baud modem \nover a phone line.\n    Mr. Walden. I remember a 300-baud modem where you put the \nphone in the little coupler.\n    Ms. Schneck. Right. So the threat really looks at an \ninstruction that executes off the site of memory, not the piece \nof memory in your computer that holds some word-processing \nprogram but it is where your computer grabs the next \ninstruction, what do I do next. 
At the root of every exploit or \nattack, it is, I am controlling my will on your machine, \nwhether I am telling your machine to send out a lot of traffic \nor adjust something that might change the settings on something \nthat controls circuit relays on an industrial system. I am \nallowing--my will is being changed on your machine, I am \nexecuting on your machine. So as was pointed out earlier, you \ncan buy these exploits on the Net. You can even unleash botnets \ntogether in a screen that looks like it came off of Quicken. It \nis a spreadsheet, and you can choose addresses to which to send \nit. You are simply relying on someone else\'s construction of a \npiece of code, and we see in McAfee labs 66,000 new variants of \nthese pieces of code every day called malware that allow my \nwill to be instructed on your machine.\n    So the idea is, well, it is twofold. One is to catch the IP \naddresses that are spreading it across the Internet and that \ngoes to that threat position, sharing that global threat \npicture. I can\'t forecast the weather without the weather from \nall the different States or countries, and that comes from \nenabling the information sharing, but also the ability to \ndetect an instruction that is doing something it shouldn\'t do. \nResilience means I can run even if the enemy gets in so the \nenemy will get in. The biological analogy is the disease is in \nyour body but it will never hurt you. So we have to let many \ninstructions get in because they will and simply be resilient \nto that, and that is the ability to work at the operating \nsystem level instead of having to judge every instruction, are \nyou good or bad, because we have shown that is not effective, \njust know what is good and don\'t let anything else run. That is \nknown as application white listing in the community. And then \ndown at the hardware level, understand what an instruction \nshould be accessing or shouldn\'t and just block it, and we can \ndo that.\n    Mr. 
Walden. I am glad you are on our side.\n    Ms. Schneck. Thank you.\n    Mr. Walden. Mr. Conner, you were talking about Zeus merging \nwith SpyEye. Some of us wondered maybe that should have gone \nthrough like an FCC approval process for a merger and it would \nnever have happened. All right. Now we will get serious.\n    I am going to turn to my friend and colleague from \nCalifornia, who brings so much to this discussion and debate, \nMs. Eshoo, for 5 minutes for questions.\n    Ms. Eshoo. Well, I want to thank each one of you for your \noutstanding testimony. I think that this is one of the best \npanels that has been assembled on a given subject matter and it \nis highly instructive.\n    I can\'t help but feel that this is like trying to get socks \non an octopus, though. I mean, it is massive. And I think that \nwe all have a pretty good sense of what the threat is. I don\'t \nthink that we have a clear picture of really what to do with \nit. There are so many agencies. There was a mention of a 1986 \nlaw that I want to hear more about. We have talked about \npublic-private partnerships. We know that 95 percent of this is \nin the private sector, 5 percent in the government. Where do we \nbegin with this? What are the legal roadblocks as any of you \nsee them right now that are holding us back to do what my next \nquestion would be, what is the new paradigm? And if we have \nvery good pieces in place right now, what do we keep, what \nshould we get rid of? And to Dr. Schneck, do you agree with \nthis notion of Mr. Clinton\'s of an underwriters lab? That \nsounds very interesting to me.\n    So I don\'t know who wants to begin with what, maybe with \nlegal roadblocks that you know of. I think it was Dr. Schneck, \nwere you the one that mentioned the 1986 law? I am not familiar \nwith that and what it is blocking.\n    Ms. Schneck. So I am not a lawyer.\n    Ms. Eshoo. Neither am I.\n    Ms. Schneck. 
But the overall premise and the reason I \nmentioned that is because the adversary has the ability to act \non us very quickly because they have no roadblocks. We have the \nultimate weapon, and that is, we own the infrastructure that \nworks at the speed of light, and if we can put the instructions \ntogether and the intelligence together to work as your body \ndoes, it attacks a virus that comes in because it knows it \ndoesn\'t belong there, it doesn\'t need to have a meeting to do \nso. We need the Internet to work the same way so the routers \nand the machines that route our traffic, they need to \nunderstand that something is bad, and to do that, we have to \nreplace the chemical and biology with the intelligence from \ndata and that means getting data from all sides of the equation \nthat we control from the private sector. We have to be able to \ncombine that with data in the government sector, not even in \nthe classified realm. That would help, but this is all un-\nclass. And then some of those laws actually prevent the ISPs \nfrom combining that data together. I don\'t have the answer \nlegally on how to make that work while also preserving the \ncivil liberties and privacy, which are crucial. But we have to \nfind a way to put together at the indicator level this address, \nthis location could hurt you and make that accessible to a \nrouter at several hundred gigabits per second.\n    Ms. Eshoo. Now, what you just described, would that fit in \nwith Mr. Clinton\'s idea of an underwriters lab, or not?\n    Ms. Schneck. I think it is different.\n    Ms. Eshoo. It is different. OK. Did anyone ever tell you \nthat you look like David Gergen? I was looking at you and I \nthought, I know he reminds me of someone.\n    Mr. Clinton. Well, I am pretty flattered. I hear David is \nupset when the comparison is made.\n    I agree with Phyllis. I think that it is a--we are talking \nabout kind of different things. 
First of all, with respect to \nthe legal issues, after he got elected, President Obama \nappointed Melissa Hathaway to do a 60-day cyber review on the \nNational Security Council staff and the largest portion of that \nis appendix A, which is a thick document going through all of \nthe legal barriers that need to be reviewed, so that is a place \nto start.\n    Essentially what we have here is, we have a whole bunch of \nlaws that were written for an analog world and we are now in a \ndigital world. I mean, we have still laws on the books dealing \nwith how you manage your videotapes. I haven\'t had a videotape \nin quite a while. So there is a lot that can be done to work \nout that legal underbrush and modernize things. We have \nsuggested some of those things are regulatory and could be \noffered as incentives, you know, to get away from some of these \nburdens. Some of them, for example, are duplicative auditing \nrequirements. We are all for auditing but we should have one \nunified cybersecurity audit and you pass that audit and you \ndon\'t have to do the rest of the audits but there are multiple \nState, local, Federal, different agencies that are involved in \nthis, so organizations are spending a lot of their time and \nmoney doing redundant things. We should strip away a whole \nbunch of those sorts of things.\n    The last thing on where you start, I would strongly suggest \nthat Congress start by cleaning up the Federal Government\'s \nroles and responsibilities. That is a much more limited system. \nYou can make a lot of progress really quickly while we are \ncontinuing to work with a public-private partnership model that \nwe currently have.\n    Ms. Eshoo. Thank you. I am out of time.\n    Mr. Walden. I will yield to the gentleman from Nebraska, \nMr. Terry. 
Before I do so, it strikes me, we ought to get this \nappendix A and maybe have a task force of this subcommittee \nthat really gets into the weeds and that more deeply, and we \nhave got people who have great experience here.\n    Mr. Terry. So where do we start, Mr. Clinton?\n    Mr. Clinton. Well, as I said, I would start first of all at \nthe Federal level. We need to straighten out roles and \nresponsibilities of the Federal Government and between \ngovernments at the Federal, local and State levels. So, for \nexample, I mentioned the problem that we have in the utility \nsector where we have mandates that exist at one level, the \nfunding comes at another level, and what we have to do is \nrealize that solving some of the cybersecurity problem is going \nto cost us some money. Unfortunately, when you have State \npublic utility commissioners, they are resistant to increasing \nthe rate base, and this is understandable, but we have to find \nsome way to get a pass-through on some of these things.\n    So I think a good review and scrubbing of the governmental \nissues is one place to start. Simultaneously, we have a lot of \nactivity already going through the public-private partnership \nthat can use a number of these things. Mr. Rogers\' bill is a \ngood example. And then I think we need a really concentrated \neffort on working on these other incentive programs, exactly \nwhat do we need to do with the insurance industry to get them \nto be bigger players, exactly what----\n    Mr. Terry. In what way?\n    Mr. Clinton. Well, you know, private insurance is one of \nthe most effective pro-social motivators we have. People drive \nbetter, they give up smoking, et cetera.\n    Mr. Terry. So cyber insurance?\n    Mr. Clinton. Cyber insurance, sure, so that if there is--\nthe problem that we have in insurance, there is a couple of \nproblems. One of the problems is, we don\'t have enough \nactuarial data because the data is being held.\n    Mr. Terry. 
Doesn\'t Google have all of that?\n    Mr. Clinton. Pardon me?\n    Mr. Terry. I am sorry.\n    Mr. Clinton. A lot of the insurance guys would like----\n    Mr. Terry. You guys were good at humor. I tried it.\n    Mr. Clinton. A lot of the insurance guys would like to \nshare data but this runs into antitrust problems, OK, because \nto be sharing data for rates, but actually if we could get them \nto share that, perhaps in a public-private partnership, we \nwould get a more realistic view of what the threat is. Right \nnow they set everything at maximum, but if we share data, we \ncould get a more realistic view of what the threat is. We think \nthis would bring down insurance rates. When you bring down \ninsurance rates, more people will buy the insurance. When more \npeople are buying the insurance, more insurance companies will \nget in, and we get a virtuous cycle going on and we can use \ninsurance to motivate better cybersecurity investment.\n    Mr. Terry. All right. Mr. Dix, one question for you, and \nyou can add on wherever you want, but you mentioned that, you \nknow, for everyday users, small businesses, it is a just a \nmatter of cyber hygiene, so I say, OK, you pull out your soap \nand you wash. What does that really mean and what can you do? \nWhat can we do as small business people or whatever?\n    Mr. Dix. So again, as I mentioned, I think we need a \ncomprehensive and sustained national education and awareness \ncampaign that tells the user constituencies how better to \nprotect themselves from the infection in cyberspace. Leveraging \nthe resources of the Federal Government such as the Small \nBusiness Administration, the Internal Revenue Service, the U.S. 
\nPostal Service, and other agencies that interact with citizens \nand businesses every day would be a place to help message that, \ncreating and leveraging a model like we did with H1N1 where we \nhave a sustained plan of public service announcements that \ndrive people to a place where they can get information. It \nmight even be nice if every Member of Congress had a link on \ntheir constituent Web page that directed folks to the National \nCybersecurity Alliance or the Internet Security Alliance as a \nplace to learn basic best practices, low-cost or no-cost things \nthat they can do to protect themselves.\n    If I might add, another piece of the fundamental blocking \nand tackling is to ensure an operational capability that \npresents something like a National Weather Service or a CDC \ncapability where we have a picture into what is going on in the \nnetworks at all times in steady states and in points of \nescalation. I raise that because many of us work together \nthrough the National Security Telecommunications Advisory \nCommittee and delivered a report to the President in May of \n2009 that recommended the creation of a joint coordination \ncenter, a joint public-private integrated 24/7 operational \ncapability to improve detection, prevention and mitigation. We \nhave got to get in front of this. Most of our time now is spent \nin response and recovery. Part of the problem we ran into, \nlegal barriers. Once we got into trying to integrate, we \ndeveloped a model in the private sector. Once we began to try \nand integrate that capability with the government, the lawyers \ntold us they couldn\'t talk because they couldn\'t share this \ninformation. Hopefully Representative Rogers\' bill will help \nbreak down some of those barriers, but we should have an \noperational capability that has a picture as to what is going \non in the network at all times and we have those kinds of data \nfeeds available. 
Organizing them and having a National Weather \nService or CDC type of capability is long overdue.\n    Mr. Terry. Thank you.\n    Mr. Walden. The gentleman\'s time has expired.\n    I believe Mr. Waxman is next for 5 minutes for questions.\n    Mr. Waxman. Thank you very much, Mr. Chairman.\n    Dr. Schneck, and anybody else who wants to respond to this \nquestion, what special considerations do the growing use of \nsmartphones and tablets present?\n    Ms. Schneck. Thank you. There are several. Smartphones and \ntablets are just small computers. They have the exact same \nvulnerabilities that all the other machines have that you are \nused to, and they have tens of thousands times of memory in \nthem that the guidance systems do that took our first Apollo \nrockets to the moon. So when you think about the power that is \nin your hands, you now have the ability twofold. One is that it \nenables the enemy to, if it is not secured appropriately, it \nenables an adversary to use it as a platform to get into your \nenterprise network. In the interest of time, I am going to \nsimplify this a lot, but people are wanting to use the home \ndevice at work, and what happens is, once the adversaries \ndiscover they can use that unprotected home device that happily \nhouses Angry Birds and launch an attack into the enterprise \nnetwork because companies are letting folks use the small \ndevices.\n    So there are technologies to lock that down. We do a lot of \nthat. We manage that worldwide. But you are looking at a \nmassive explosion of small devices. The lady mentioned the \ncloud. These devices leverage the cloud because they don\'t have \nas much processing power as the big machine. So most of your \nprocessing is done in the cloud. You have to pay extra \nattention to the security on that motion data at rest and \nshared resources where your data are when they are not on the \nphone. 
Your personal information most likely is all over that \nphone, pictures of your friends and family, locations. If you \nlose it, you want to make sure you have a remote capability to \ndestroy that. It is a wonderful device, but it has access to, \nagain, all the critical infrastructure. If you are working on \none and it is talking to your network, it has access now to \nyour personal information.\n    So I think it brings a wonderful new--I spoke about this at \nthe Consumer Electronics Show. It brings a wonderful new sense \nof fun to computing and it also brings new dangers that we \nneed, to quote my colleagues here, to get out in front of \nbefore this is yet another massive vector because mobility is \nmultiplying.\n    Mr. Lewis. Just real quickly, every once in a while I talk \nto hackers just to see what they are up to, and recently one of \nthem told me that the price for a toolkit to hack an iPhone is \nabout $200,000 on the black market, and he said for other \nphones it is only $10,000. So, you know, I don\'t know. What \nthis is going to do, though, it is going to force us to pay \nmore attention to the service providers, to the big telcos, to \nthe ISPs to the cable companies. Responsibility is going to \nshift away from the edge, away from the consumer to the service \nprovider.\n    You don\'t patch your cell phone. You know, you don\'t \nprogram it. You depend on its computing becoming a service, and \nthat will change the contours of security and change the \nrequirements for regulation.\n    Mr. Conner. With all due respect, I disagree with that. If \nyou look at Metcalfe\'s law and if you look at just what \nhappened with Apple and AT&T, the value has shifted. It shifted \nfrom the carriers to the endpoints, and this is about identity, \nand I will give you a good example. 
The threat I talked about \ngoing out of band or using a mobile network and a device is a \nsurefire way to stop that kind of transaction today, and it is \nsafe and it is protected. It uses digital signature through a \nwireless carrier network and on a mobile device with digital \nsignature which is probably why to try to hack the device costs \na heck of a lot more on an iPhone or iPad than a normal phone. \nAnd if you use that, the probability on that attack factor, you \ndon\'t break it.\n    So I think there are good pieces and I think my personal \nexperience, the minute you think you are going to stop all this \nin the network, the ID and IP address is no longer the \nidentity. The number one thing people fake is who you are, what \nyou are, and the application of who are you, and that is the \nhardest thing to combat in terms of good guys versus bad guys. \nThe threat I showed you is not the identity of the person that \nis doing it. He has faked your identity, and no perimeter \ntechnology, no network can deal with that until they deal with \nthe endpoint itself.\n    Mr. Lewis. I don\'t think we are disagreeing, though. I \nthink that you are going to see that the authentication \ntechnologies you are talking about will depend ultimately on \nthe service provider.\n    Mr. Waxman. Well, let me ask one question, and I know I \ndon\'t have much time, but many of you mentioned in your \ntestimony how communications networks are central to most other \ncritical infrastructure sectors. How does this then relate to \nthe importance of this committee in addressing cybersecurity of \ncommunications networks? Anybody want to respond to that?\n    Mr. Lewis. 
Well, I think that in the opening remarks, a few \nof you mentioned some of the things that are going on at NTIA \nand FCC that could reduce risk, right, and one of the examples \nwe have heard about is of course this measure to get the \nInternet service providers to adopt a voluntary code of conduct \nfor dealing with malware. It is a good thing to do. It is sort \nof basic-level stuff. The FCC has an effort to promote the use \nof DNS security, DNSSEC, and this is--not to get too \ncomplicated, but this is a growing vulnerability. It is \nrelatively easy to fix. Other countries have moved faster than \nthe United States. It is something that we can probably do on a \ncollaborative basis.\n    The third thing to look at is some of the responsibilities \nfor other activities, other protocols. This is a place where \nyou don\'t want the government creating technology, right. It is \nnot for this kind of level of technology. But you do want it \nmaybe coordinating a response, and so when you look at FCC, \nwhen you look at NTIA, the DNSSEC, the ISP efforts, some of the \nother measures, Commerce is doing similar things, this is where \nyou can play a big role.\n    Mr. Waxman. Thank you, Mr. Chairman.\n    Mr. Walden. With the committee\'s indulgence, we were all \ngoing to ask you about the Australia model, and then we all \nforgot. Without objection, would you mind addressing the \nAustralia model?\n    Mr. Lewis. Well, Phyllis talked about this as well. Your \nISP probably has a pretty good idea of what is going on on your \ncomputer at home, right, and right now they don\'t really do \nmuch about it, and I think Bob talked about this as well. You \nknow, there is basic hygiene things that most people don\'t do. \nYour ISP has fairly good knowledge when you are running \nmalware, when you are part of a botnet, not perfect knowledge \nbut good knowledge. What actions can they take to stop that? 
\nAnd in Australia, Australia is not the only country that does \nthis anymore, at one point they thought the attorney general \nwill come in and tell the ISPs what to do, because the ISPs \nwere not doing anything. This was a failure of incentives, \nright. And there was a tussle, a political tussle. At the end \nof the day, the ISPs--and Australia is a little easier because \nit is a smaller country. They said how about if we come up with \na voluntary code of conduct that will let us deal with the \nmalware threat, and with a little guidance and help and \ninvolvement from the attorney general and the Australian \nfederal police, which is roughly equivalent to some of our \nFederal agencies, they came up with a pretty good system that \nworks pretty well.\n    This will not deal with the advanced threat but it will \ndeal with--you know, quick, name a country in the world that is \nthe biggest supplier of botnets used in cyber crime. It is the \nUnited States, and it is not because we are cyber criminals, it \nis because we are incompetent in our defenses. The Australian \nmodel changes that. We are number one, hey, great.\n    There are some issues, and I will just do them quickly. \nOther countries that do this--Germany. Germans have a lighter \napproach. What happens in Germany is, you get a little popup on \nyour screen that says basically we notice you are infected, \ncall this number if you want help. Australians and some of the \nother countries that do this say click here and we will clean \nyour computer for you. A few other places that don\'t go public, \nthey just intervene without your knowledge. You have a privacy \nissue. You have to be careful about that. One of the things \nthat comes up over and over again is, Should we isolate \ninfected computers? Should we cut infected users off from the \nInternet. Some companies are beginning to do this. You are \nputting such a burden on me that I am just going to cut you \noff. A big issue. 
If you look at the places where we have data, \nthere is an amazing drop in the rate of infection. So this \nworks, and it would be useful if we followed the Australians, \nthe Germans, the Japanese, the Turks, any number of countries.\n    Mr. Conner. I will give you two other points on Australia \nthat are, I think, relevant to this group. Australia is also \nlooking at their energy grid, and granted, their energy grid is \na little different architecture than the United States, more \nlike Ireland and others, but in the process that we are working \nwith them, they are starting with the infrastructure part and \nthe actual production side, the energy creation, one, to lock \ndown the authentication of the systems within the creation of \nthe power and starting there, and then going to the export of \nthat power through the grid as it extends through the different \ncarriers all the way to the endpoint in terms of that. We are \ninvolved with other companies here in the United States helping \nthem do that.\n    The other piece is, as they look at health care, they think \nthat is a critical area in terms of being able to have health \ncare cards, a novel idea when you get to privacy concerns here, \nbut as I say, you can\'t have privacy without security and \npolicy.\n    Mr. Walden. Thank you, and thanks for the indulgence of the \ncommittee. I am going to go to--oh, Dr. Schneck. I am sorry. Go \nahead.\n    Ms. Schneck. One point, if that is OK.\n    Mr. Walden. Yes, sure.\n    Ms. Schneck. So I think that the example in Australia is a \nbeautiful example of this need for information sharing. I would \nchallenge the wording a little bit from Dr. Lewis, and I don\'t \nthink he meant it this way, but the ISPs don\'t know what is \ngoing on in your computer. They are not watching your banking. \nThey are not watching you work. They see because they own that \nblock of addresses. 
They see the behavior from that block of \naddresses as a footprint as it tries to send traffic, which the \nISPs are able to track to protect you from malware. They see \nthat footprint, just like McAfee sees it, reflect on things \nthey own, and from that they can see where traffic has come in, \nfor example, a ridiculously large volume in a short period of \ntime from a certain set of machines and they can look at those \nmachines and say these are infected with certain code, and they \ncan then, in the Australian model, let you know, and so the \nquestion becomes, how do they let you know. I think it is a \ngreat example of the use of that intelligence picture. It shows \nhow with Representative Rogers\' work, we could actually get a \nlarger intelligence picture. That is what makes for the humans \nthat the pretty weather map picture that Mr. Dix recommends. \nBut also, you have the ability now to look at who is infected \nwhere and start looking at these incentives. How do we \nincentivize the general public to do this hygiene? Most people \nwith a computer don\'t know what it does all night when they are \nsleeping. If they knew, they would clean it up. It is not that \nhard. So I think this is a really neat exercise on the \ninformation sharing and the incentives.\n    Mr. Walden. I appreciate that, and I appreciate the \ncommittee\'s indulgence in just trying to get some more \ninformation out there.\n    Mr. Rogers, thank you.\n    Mr. Rogers. Thank you very much. I know we are short on \ntime.\n    Mr. Conner, are you familiar with the company DigiNotar or \nwhat used to be the company DigiNotar?\n    Mr. Conner. Very much so.\n    Mr. Rogers. And signatures and attribution is very, very \ndifficult, although I think we are getting better. It is pretty \ndifficult. 
Can you briefly--I think it would be good for the \ncommittee to hear the story of DigiNotar and how a viable \ncompany went away in about a month after being hacked and what \nit does, quickly, and what happened and why this is important \nto move forward.\n    Mr. Conner. So if you look at the Internet when it was \ncreated, the little yellow lock, everyone sees the little \nyellow lock on their browser and on their PC and they think \nthey are safe. Very few people know what that little yellow \nlock means, and what it is supposed to mean is the \ncommunication path is secure between you and the Web site that \nyou are communicating with and who is on each end of that. The \nproblem is in the SSL world, which is kind of the security \nlevel of that, the identity on each side of that may or may not \nbe who it is reported to be. We co-chaired along with Verisign \na new standard on that extended validation because if you go to \nyour Super Bowl last week, you will see people advertising, \nhosting and selling that little yellow lock for $19 for your \nbusiness Web site. The only problem is, the verification of who \non the end of that is, is pretty lax. And they just look at the \nserver and go well, that must be you.\n    So the issue was, this one company that provides the little \nyellow lock, in this case, predominantly in the Netherlands, \nwas breached, and they were breached from Iran just as many \nother security vendors have been breached. We get a target \nevery day from country states, our little 350-person company \nwith no help to the U.S. government, thank you very much, to \ndefend that. 
Well, this little company got attacked just like \nComodo did, just like others did, and they breached that little \nyellow lock that said who they were and they began to take down \nthe government security because that government used the little \nyellow lock for all its online capabilities, and the people in \nIran, guess what, used that little yellow lock to say they were \nGoogle and other people. So anyone in Iran that was Googling \ncontent in that country was able to give up to the Iranian \ngovernment whatever they were looking at, whatever they were \ndoing, and one government was basically shut down for at least \n60 days, and unfortunately, to those of us in the security \nworld, we found out about it through the browser forum and \nactually Entrust was a partner to that group, and it ended our \nrelationship with them prior to that, and even we weren\'t \nnotified. So that talks about to your question of the legal \nframework of what is going on here and the disclosure \nrequirements.\n    Mr. Rogers. Thank you. And I just think that was a great \nexample of a nation-state using its intelligence services to \nco-opt something like that. And by the way, DigiNotar is no \nlonger a company, so if you want----\n    Mr. Conner. Yes, it is out of business.\n    Mr. Rogers [continuing]. To talk about the cost, there is a \nhack that took this company and is now out of business, so----\n    Mr. Conner. Well, be careful. It was a subsidiary of a \npublic business that still exists that acts like it didn\'t \nhappen.\n    Mr. Rogers. But the contracts that it has in the \nNetherlands no longer exist?\n    Mr. Conner. No, that is correct.\n    Mr. Rogers. OK.\n    Mr. Conner. That is exactly correct.\n    Mr. Rogers. It is an American company that actually owned \nit?\n    Mr. Conner. That is right. And I think the point that you \nare on, Congressman, is an important one. There are ways--we \nhave been attempted to be hacked by the same group. 
We have \nwatched them try that over the last 12 months. Two of the \npeople that own the yellow locks in the United States and \nabroad have been taken down relative to Iran being able to \nbreak in and impersonate those pieces. So it is happening every \nday.\n    Mr. Rogers. I thought it was important for the committee to \nhear that particular case because it shows how sophisticated \nand how dangerous it can be if somebody has a nefarious purpose \nother than criminal. Criminal is bad enough. This was other \nthan criminal. And I see my time is almost up so I am going to \nask two questions and close up.\n    Mr. Lewis, I would like you to talk about, we have been \nthrough a long time. It has been very difficult to get to a \nplace where we have a very narrow focus on how to move to the \nnext step. Just talk about the challenges of why we think it \nhas been difficult to even get a very narrow change in the law.\n    And lastly, Dr. Schneck and maybe Mr. Dix can talk about \nthis, you talked about hardware. There is much concern about \nhardware entering our system that may be malicious and very \ndifficult for us to understand exactly what that hardware is \ndoing in our systems, and I am hoping you can talk about that \nand what we might be able to do from a regulatory and/or \ncautionary position on behalf of the United States Government \nto make sure that those type of hardware systems don\'t enter \nour system and some of our hardware systems are not exposed \nwhen they leave this country to manipulation by foreign nation-\nstates.\n    Mr. Lewis. Thank you, because those are hard questions. \nThey are great questions but I am glad Phyllis got one of them. \nSo, you know, the neutral answer is to say when you look at a \nnew technology, it usually takes the United States somewhere \nbetween 20 and 50 years to figure out to get it in order. So \nyou look at airplanes, steamboats, railroads, electricity, \ncars. We are in year 18 for the Internet. 
So we are not doing \ntoo bad, I guess. I mean, we have a couple years to sort this \nout.\n    A little more pointed answer: We have so many old ideas. \nThey have not gone away. If it was in PDD-63, which was the \nClinton administration policy, and we are still trying it, it \ndoesn\'t work. Give it up. And the second thing is, as you have \nheard, we have old laws that are real obstacles. You of course \nare trying to fix this but if it is the Electronic \nCommunication Privacy Act designed for dial telephones, you \nhave serious issues here. You have business issues, you have \nprivacy issues. So it is a hard problem and it will take time \nto work out, but the prevalence of the old thinking and the \ndifficult legal environment we have has really slowed us down \nand put us at risk.\n    Mr. Rogers. Mr. Dix or Dr. Schneck?\n    Mr. Dix. First of all, I would like the record to reflect \nthat Mr. Lewis and I agree on that last point. Thank you. First \nof all, let me just touch on the hardware issue because the \nwhole supply chain risk management issue, you know, it is \ninteresting to me, the last count, there is 155 different \nsupply chain risk management initiatives in the government \ntoday. We need to coordinate those issues. And quite frankly, \norganizations like ours, we invest heavily in what we call our \nbrand integrity program because our reputation is how we grow \nour business. So we invest from concept to delivery in our \nproducts, in our hardware and software products.\n    To make this short, one of the things that I think that \nthis body could help with, as we sit here today and we deal \nwith this supply chain risk management problem, the Federal \nGovernment still continues to buy from untrusted sources. There \nis a cultural cost to government of cost and schedule across \nthe departments and agencies where in order to save 5 cents on \na widget, we are buying from low cost, low bid. 
As a result of \nthat, we end up in the gray market and then we wonder why we \nhave counterfeit or malicious products in our government supply \nchain. We should be buying from trusted sources. If there is \nsome reason why we are not going to buy from trusted sources, \nthere should be a justification, it should be public, and the \nliability from that should accrue to whoever the acquirer is.\n    Mr. Rogers. Dr. Schneck, can you just comment on that as \nwell?\n    Ms. Schneck. I do agree. I will also add that we look at \nsupply chain again as an issue of your product integrity. We do \nrigorous testing, both the manufacturing and acquisition. We \nwould also believe in leveraging some of the existing standards \nto really focus on a product integrity issue, because what you \nwant to know is, did that widget that you bought, is it exactly \nwhat you think you bought. That is the heart of the issue. So \nit is rigorous testing and expanding some of the existing \nstandards.\n    Mr. Rogers. Just to clarify for the record, Mr. Chairman, \nso we are at risk if we integrate into the U.S. system non-\ntrusted sources of product? I want to make sure I am clear on \nthat.\n    Mr. Dix. I certainly think it increases the risk.\n    Mr. Rogers. Thank you.\n    Mr. Lewis. I used to do the supply chain stuff when I was \nin the government sort of on both sides of the table, and a \ncouple points on that. First, right now it so easy to hack, you \nknow, that you have to assume that our Chinese and Russian \nfriends are taking the low-cost approach to espionage. Why \nshould they not do it? The second one is, it is very hard to \npush this out to a global supply chain. We are not going to be \nable to get out of that. So this is an exceptionally difficult \nissue that will probably force us to think about how we are \ngoing to work with foreign suppliers. And there is not really a \nchoice here. 
So what I do think will happen--I will just say \nthis real quick--right now hacking is so easy, why bother. If \nwe ever manage to improve our defenses, they will switch to \nsupply chain.\n    Mr. Walden. I appreciate that. Here is the problem. I am 5 \nminutes over his time and I think members are----\n    Mr. Rogers. But this is a Clinton we can all agree with \nright here.\n    Mr. Walden. The gentleman\'s time has long ago expired, and \nI appreciate the patience of the committee members who haven\'t \nhad a chance to ask a question yet, so we will try to get back \non schedule. Mr. Doyle.\n    Mr. Doyle. Thank you, Mr. Chairman. Thank you for putting \nthis hearing together, and to the panelists, your testimony and \nyour answers to the questions have been very informative.\n    I want to follow up on a line of questioning that Mr. \nWaxman had to Dr. Schneck. Dr. Schneck, I know in your \ntestimony, McAfee labs predicts an increase in attacks on \nsmartphones and mobile devices in the future, and it is my \nunderstanding, your company had partnered with a research \nfacility at Carnegie Mellon University sci lab, which is in \nPittsburgh, the district I represent, about how businesses and \nemployees handle mobile device security, and apparently this \nstudy showed that most of lost and stolen mobile devices create \nsome of the biggest concern for businesses. About 40 percent of \nthe organizations surveyed have had lost or stolen devices and \nhalf of those devices contained business-critical data. \nFurther, about 50 percent of mobile users that were studied, we \nfound out they store their passwords and their PIN numbers and \ncredit card information on their mobile devices, which I am \ncompletely guilty of. 
I am going to erase them as soon as this \nhearing is over.\n    It seems to me that one way to tackle this is to make sure \nthat the devices that employees are using are secure in the \nfirst place so that if an employee uses them, that the data \nremains secure or you could remove that data from a remote \nsource, and to follow up with what Mr. Waxman asked you, to \nyour knowledge, could you elaborate on what is being done by \ndevice manufacturers and app developers to secure their \nproducts for commercial use?\n    Ms. Schneck. So we look at protecting them once they are \nreceived so from what we have worked with, there are a couple \nof vectors on what they are doing before delivery. You know, \none is--I will take the application side first. When people \ndownload an application, they rarely think about is this \napplication secure. One of the biggest dangers we see is not \ndid I catch a virus, it is did I go and purposely download \nsomething with a big smiley face on it and a great app that did \nsomething neat for me, but what it is actually is, it is a \npretty picture and delivery of malcode. One of those \ninstructions will get to be a platform to enter your network \ncorporate or to start shipping back your personal information \nfor sale in the Russian underground. So that is one risk. And \nthe app developers, so some companies are very careful in the \napp markets and only approved or back to the trusted source \npoint, the only approved apps are there for sale. Other \ncompanies are more open about it and it is up to the user to be \nvery careful about what you download.\n    Mr. Doyle. Mr. Conner, do you have some thoughts on that?\n    Mr. Conner. Yes. 
We work with all of them, so from the \nAndroid operating system to iOS to the Microsoft, the first \nthing we are working with each of them on is, how do you \nidentify the device itself securely and authenticate that back \nto your company, because if you don\'t know it is connected to \nyour company, you have got your first issue and kind of the \nconsumerization and the enterprise.\n    The second theme becomes, how do you then work with the \napplications that go into that phone, and each one of those \necosystems do that differently. Some have sandboxing where they \nthen can use our security or others to make sure they know who \nis coming in to put that there. They all three have very \ndifferent testing mechanisms to test those apps in terms of \nthat sandbox and how they communicate that back and forth. And \nthen the third thing we are working with each of them on is how \nyou secure email and content and communication, whether it is \nmobile, no different than we did with laptops and desktops \nbefore.\n    Mr. Doyle. Mr. Dix?\n    Mr. Dix. Yes, and good old U.S.-based innovation has \ndelivered today. Available in the market today, a capability to \nlock, locate and wipe those devices on demand.\n    Mr. Lewis. We are getting close to maybe having a solution \nto authentication. It has been the holy grail for about 20 \nyears.\n    Just a quick story to help put this in perspective. There \nused to be just one government-approved private company in \nNorth Korea. Do you know what they made? They made mobile phone \napps. I see a pattern.\n    Mr. Doyle. And just another general question for the panel. \nDo you think the FCC has any role to increase mobile device \nsecurity, and what should that be? Mr. Conner?\n    Mr. Conner. Absolutely. In fact, you look at the FCC, the \ncritical infrastructure there. I mean, I spent 10 years at AT&T \nand another 10 putting electronics and systems into those type \nof companies. It starts with that. 
I mean, I said you can look \nat the mobile networks as either good or bad. It can stop the \ncrime I talked about today if used correctly with technology \nthat cannot be broken today. So I think that if you think of \none governing body trying to own each of these pieces, it is \nfolly. I think DOE needs to work with the public partnership \nand private partnership for its domain. I think Commerce and \nTreasury needs to work it, and I think FCC needs to own that \ninfrastructure around that ecosystem because to think that the \nattack vectors that the bad guys are taking against us are one \nsize fits all is just ludicrous.\n    Mr. Doyle. Very good. Mr. Chairman, thank you.\n    Mr. Walden. Thank you, Mr. Doyle.\n    We will now go, I think Mr. Gingrey is next in order.\n    Mr. Gingrey. Mr. Chairman, thank you.\n    This question is for the entire panel. Maybe we will start \nwith Mr. Conner. Some have argued that before we enter the \ncybersecurity debate, we should heed the Hippocratic oath and \nmake sure that in the first place we do no harm. If there were \none caution that you could offer us before legislating, what \nwould that be? Mr. Conner, why don\'t we start with you?\n    Mr. Conner. Well, I think the way I would start as a \ngovernment is the bully pulpit, frankly. I spend a lot of my \npersonal time with this team and others, spend a lot of time \neducating, and I think quality is a great example that this \ngovernment got right. They didn\'t need equality. They just got \non the bully pulpit and said quality is important. And when I \nthink of security, the lexicon was not here. It still isn\'t \nhere the way it was. If someone started quality, saying I am \ngoing to get to six sigma, they wouldn\'t know what it meant \nwhen quality started before the book. You heard cost equality. \nI hear cost of security. We are focused on what cost. Are you \nfocused on the total cost of security or just the cost to \nimplement something? 
So I would start with education and your \nbully pulpit.\n    The second thing I would start on is the inability of \nbusinesses to talk to governments or to themselves because of \nantitrust and the patchwork legislation in the States. I am \ntired of it being it a one-way communication street to \nintelligence and nothing in return, and I understand they \nlegally can\'t do it, but as the company that is tasked with \nprotecting our government and governments and enterprises and \ncitizens, it is pretty folly to me. I can only give you \ninformation; you cannot give me any.\n    Mr. Gingrey. Mr. Conner, thank you.\n    We will go to Mr. Dix and move rapidly.\n    Mr. Dix. Thank you very much. Two quick things. One is, \ncontinue to inspire and drive an environment that supports \ninnovation and investment, and secondly, be cognizant of the \nfact that the bad guys move fast. We need to have speed, \nnimbleness and agility in our ability to respond. Attempting to \ncomply with a compliance model that takes a long time to build \nand implement slows us down and imposes impediments to our \nability to have speed, nimbleness and agility.\n    Mr. Lewis. In 2007, we had an intelligence disaster----\n    Mr. Walden. I don\'t believe your microphone is on.\n    Mr. Lewis. In 2007, we had an intelligence disaster in this \ncountry. The details are still largely classified. In 2008, \nDOD\'s Supernet was hacked. We were unable to get the opponent \noff for about a week. In 2010, we saw Google and about 80 other \ncompanies get whacked, lose intellectual property. Most of them \nhave not reported it but this will show up in Chinese products \nin about 5 years. Last year we saw Stuxnet, which was the \nability to destroy physical infrastructure using cyber attack, \nand we have a list at CSIS of major cyber events, mainly \nbecause I got tired of people asking me when we would have a \ncyber Pearl Harbor. 
The list is up to 90.\n    So I think what we need now is, we need to stop saying do \nno harm. We need to move out. We need to do a coordinated \ndefense.\n    Mr. Gingrey. Dr. Lewis, so you think we definitely need \nlegislation?\n    Mr. Lewis. I do, and I think there are things--one thing \nthat we can say now that we couldn\'t have said 5 years ago, we \nnow have a pretty good idea of how to do this between the \nexperts up here, some of the other places. There are agencies \nthat have done a particularly good job. We now have a good idea \nof how to reduce risk and we need to implement that.\n    Mr. Gingrey. Mr. Clinton?\n    Mr. Clinton. I agree that we do need legislation. The \nquestion is, what is the legislation that we need. I do \nsubscribe to the ``do no harm\'\' theory. I think the one thing \nthat I would tell the committee is to understand that this is \nnot a technology issue. It is an enterprise-wide risk \nmanagement issue. The problem we have is that in the \ncybersecurity world, all the incentives favor the bad guys. \nAttacks are cheap. They are easy. They are really profitable. \nIt is a terrific business model. Defense is hard. We are \nfollowing the attackers around. It is really hard to show \nreturn on investment to what you prevent, and criminal \nprosecution is virtually nonexistent. So I would go back to the \nlast thing I said before I finished my oral statement: \nUnderstand that you are dealing with the invention of \ngunpowder. This is an entirely different thing. You can\'t just \ntake 20th century models and plug it in here because you can \npass legislation that will do harm, that will take away needed \nresources from where they need to be. We need a creative 21st \ncentury approach, and a lot of what we are seeing in the public \npolicy world is not that.\n    Mr. Gingrey. Mr. Clinton, thank you.\n    In the last 12 seconds, last but not least, Dr. Schneck.\n    Ms. Schneck. 
Let us take this is an opportunity, unleash \nthe power of the private sector. We built this thing. We didn\'t \nbuild it with security. Now we understand this adversary. Let \nus take the information we have, the data we have, the ISPs see \nall the mobile phone activity. They can see that. They can \nprotect that. Incentivize us so that we can still eat when we \nget done doing it but let us make sure that we build business \nmodels around building security in from the hardware up, and I \nthink you will see this world change in a few worlds.\n    Mr. Gingrey. I thank the panel for their excellent \nresponses, and Mr. Chairman, I yield back.\n    Mr. Walden. Thank you, Dr. Gingrey.\n    Ms. Eshoo and I were talking about, we are going to lock \nthe doors and not let you out until you give us all the ideas \nthat we need to do here, and we will let you out today. But \nseriously, in terms of helping us understand how to get this \nright. You have a lot of them but in your testimony but if you \ncould help us drill down very specifically, at least within the \njurisdiction we have, we would really appreciate very specific \nsuggestions back.\n    We are going to go now to Ms. Matsui from California. Thank \nyou for participating.\n    Ms. Matsui. Thank you, Mr. Chairman, and I have to say, \nthis is probably the most interesting and scary testimony I \nhave ever heard. But I think that quite frankly, our country \ndoesn\'t realize what risk we have, and I think the things we \nhear about over the news are things--talk about hacking but \nthey are at a level, a personal level that people understand. \nThis is far beyond that. It really affects every sector of our \neconomy, our country, the way we live. So I truly believe that \nthis education process is going to be very, very important. And \nI also believe that people like you have to step up to talk \nabout it in ways that the public could understand. 
\nCybersecurity, everybody sort of understands it but doesn\'t \nunderstand it. So I think with every advance in technology, we \nopen ourselves up, and our daily lives can be impacted so much.\n    I wanted to follow up a little bit more on the cloud-based \nservices. Businesses and governments are now going into the \ncloud, and what are the unique challenges facing the cloud with \nrespect to cybersecurity and are we prepared, are we thinking \nahead, knowing what we know now about how we address these \nchallenges, and why don\'t we just start over here with Mr. \nConner?\n    Mr. Conner. It is something that is getting a lot of \nattention from everybody, and I think a lot of people are \nrunning before they thought it through. I think it is very \napplication and business sensitive, depending what you put in \nthe cloud. Some stuff you put in the cloud, it is user name and \npassword sensitive, that is fine, but if you are putting \nvaluable financial information and intellectual property in the \ncloud, you have two issues. The security within the cloud is \nnot what the security was within a mainframe data center today, \nand how do you authenticate to the cloud is still a matter of \nhow you choose to implement that, and I think that is very \nnaive.\n    Ms. Matsui. So are we still at a place though where we \ncould start looking at that and incorporate, you know, how we \nintegrate some of these things into some of the information-\nsharing activities. We are still OK right now, but right now \nyou talk about the cloud as a very sexy thing so people are now \njumping to it.\n    I was curious also, Dr. Lewis, that you mentioned that \ngovernment should find ways to incentivize companies, and Dr. \nSchneck was talking about the same thing. What types of \nincentives would be the most effective, in your opinion? And I \nwould also like to hear from Dr. Schneck too.\n    Mr. Lewis. There are basically four kinds of incentives. 
\nThere is regulation, and we are going to need some of that, not \ntoo much, and it varies from sector to sector. There are tax \nbreaks. I mentioned this to the Republican task force on \ncybersecurity. They thought this was not the best year to go \nafter tax breaks. There are subsidies, right, and we might need \nsubsidies for research and development, perhaps some other \nthings. Finally, there is a coordinating effect, right? Someone \nhas to lead, and you can find this--maybe a good story from the \nAustralian example. If you pull industry together and point \nthem in the right direction, they will come up with some really \ngood stuff and we can find some examples in the Defense \nDepartment where that has worked pretty well. So regulation, \ntax breaks, subsidies, and that might include building \nsomething into the rate structure for some critical \ninfrastructure, and then coordination.\n    Ms. Matsui. Dr. Schneck, do you agree?\n    Ms. Schneck. Not entirely. I think regulation draws a box \naround the technologies that you are forced to adapt. It puts \nall your money there. It takes it away from science innovation, \nand even worse, it shows the bad guy what we are not \nprotecting. But I do favor the rest. I favor tax incentives. \nYou know, we believe in insurance reform. Anything that allows \na company to be creative, invest upfront in cybersecurity, \nbecause the upfront investment is a lot easier and a lot more \nfun than the cleanup, and it is a lot cheaper. 
I testified \nearlier a couple months ago about small businesses and \nincentives being needed when--we don\'t realize the small to \nmedium businesses make up, you know, 99 percent in some cases \nin our business fabric, and if you think about where some of \nthe newest technologies come from, not just cyber but maybe our \njet engine comes out of a startup of a couple really bright \nguys out of college, they are not going to invest a whole lot \nin cybersecurity necessarily when they get that huge SBIR \ngrant, but if built into that grant was some positive incentive \nor some extra money saying you will get this money from the \ngovernment only if you promise to secure it, and we could be \ndoing that for all levels of companies.\n    Ms. Matsui. So government does have that type of role, \nthough, and I think the part that I am looking at is, who \nconvenes all this way? How do you do this so you all work \ntogether? Because I think you are absolutely right, the \nbusiness sector can work together and have the solutions but \nhow do we get to the next point?\n    Mr. Conner. Well, I think the first thing you have got to \ndo is relieve the legal obligation when we sit with CEOs. In my \nfirst public-private, all the CEOs agreed until they went and \ntalked to their legal counsel, and guess what? Then it went \ncompletely dead because no one wants to go public. For one, you \nhave got an antitrust issue of sharing, and second is, the \nminute you go public, you create a standard to be sued \ncriminally as well as civilly, and that is the reality as a \ngovernment person doesn\'t understand, but if you are a CEO, \nclass actions mean something and suits mean something, and the \nminute I say something, I now put a different standard to me to \nbe held to.\n    Ms. Matsui. Well, thank you very much. I see my time has \nrun out. This is very fascinating.\n    Mr. Walden. Thank you.\n    We now go to Mr. Latta from Ohio. 
We look forward to your \ncomments as well.\n    Mr. Latta. Well, thank you, Mr. Chairman. I appreciate it. \nAnd I thank the panel for being here. For someone who did serve \non the cybersecurity task force, I can tell you, it is like you \ngo home, go to your office, it is like, do I really want to \nturn that thing on now or not.\n    And if I can go back first, Mr. Conner, you know, talking \nabout the yellow lock that you engaged with Mr. Rogers in a \ndiscussion about. You know, a lot of times they tell you if the \nhttps comes up, you are safe. Are you going to tell me that is \nnot true now?\n    Mr. Conner. The only thing I would tell you is, unless that \nchrome goes green, I wouldn\'t assume that you are safe.\n    Mr. Latta. OK. Because the reason I ask that, you know, we \nhave to get this message out to our constituents and the \nAmerican people, and I know that a lot of folks see that little \nyellow lock come up and say I am fine. I hate to say that my \ndaughters were on some social networking and we had a problem \nfor about four days before somebody could spend--I don\'t want \nto say how much money it took to get the thing fixed before we \ncould get back on the computer. But, you know, I am really very \ncognizant of the fact now of watching for that https to come \nup, because again, it also goes to the whole point of, you \nknow, again, let us say you do online banking or people do \ncertain things, we need to be able to communicate that, so that \nis one thing.\n    If I could ask Mr. Dix and Dr. Schneck this question. You \nboth mentioned in your testimony the idea of creating trusted \nrelationships online either through authenticated emails or \nthrough white lists. Could you elaborate on these ideas and \nexplain how they differ from the previous cybersecurity \nmeasures like spam filters and blacklisting?\n    Mr. Dix. Ladies first.\n    Ms. Schneck. So our focus on trusted relationships are in \nthe macro and a little bigger. 
I would say that we all need to \nwork together, and we do. Organizations such as Bob mentioned, \norganizations such as the NCFT and the InfraGard show that \ngovernment and private work together. I think we are dealing \nonline today with a world much different than spam filter. I \nused to help build a spam appliance many companies ago, and \nwhat we looked at then was only the email vector. Now you have \nthe web vector, the firewall vector, the mobile vector. Again, \nthe enemy is faster. So when you start looking at trusted \nrelationships online, we had at least 30 different parameters \nwe looked at just at email. It wasn\'t just, ``Did I trust the \nsender?\'\' It was all kinds of things and indicators in that \nnote. And now you multiply that. So you have, from our \nperspective in protecting against cybersecurity threats at all \nthe different vectors, we have over 1,000 different parameters \nof trust that we look at, and it is not just an established \nrelationship. It is what has your behavior been lately as in \nthe last two milliseconds and the last 15 years.\n    Mr. Dix. Continuing to advance the development and \nimplementation of the national strategy for trusted identifies \nin cyberspace is a step in the right direction, and that is an \nexample where industry and government working with NIST have \ncome together to deal with this issue of identity. Every one of \nmy colleagues here has mentioned the issue of identity as being \na root issue in this entire trust discussion that we are having \nhere today. So there is an effort underway. It is \ncollaborative. It is producing results and moving to \nimplementation for the in stick would be a step in the right \ndirection.\n    Mr. Latta. Mr. Conner?\n    Mr. Conner. Just the last comment on that is, the irony of \nthis is, you think of who are the most trusted identifiers we \nuse. They are usually government issued. And I think this is \none area our government needs to get out of the U.S. 
think and \ninto the rest-of-the-world think.\n    Mr. Latta. Let me kind of go on with this, because, you \nknow, again, when you are looking at, you know, people trusting \nwhat they are doing on the Internet and banking, I don\'t care \nwhat it is, but when we were talking about trust, this is \nanother discussion that was held a little bit earlier, you \nknow, talking about not buying from the low cost, low bid and \nyou need to buy from that trusted source, but how do you know? \nHow do you know even if you buy from somebody that is trusted \nthat that stuff is still good without going--I mean, how do you \ngo through unless you are testing? Are you testing constantly? \nI will throw that out to all of you.\n    Mr. Dix. So since I brought that up, I will take that \nfirst, with your permission, sir. So each of us that are \nmanufacturers has a network of authorized resellers and \ndistributors that we utilize in the distribution of our \nproducts into the marketplace. That is a place to start from, \nunderstanding who those authorized providers are. There is also \na great deal of work that is going on right now through the \nTrusted Technology Forum and the Open Group to be able to \ncreate a certification and accreditation process for suppliers, \nworking collaboratively with the government again in a \nstandards-based approach to being able to address this issue. \nSo there is some good work that is going on right now, but the \nfundamental piece of it in my mind is cultural. We are still \nevaluating people and departments and agencies on their ability \nto meet cost and schedule. That drives a certain behavior \nbecause it doesn\'t have security as a paramount foundation of \nthat conduct.\n    Mr. Latta. Mr. Chairman, I see my time is expired and I \nyield back.\n    Mr. Walden. Thank you very much.\n    Dr. Christensen, you are now recognized for questions.\n    Mrs. Christensen. Thank you, Mr. 
Chairman, and thank you to \nall of the panelists.\n    This is a general question. The FCC\'s Communication \nSecurity, Reliability and Interoperability Council has been \nformulating recommendations for best practices to ensure \noptimal security and reliability of communication systems, so \nhow do you see this process contributing to improvements in \ncybersecurity, or said another way, what is FCC\'s role in the \ncoordinated defense that we heard about?\n    Mr. Lewis. I am really glad you said that because I have \nbeen sitting here trying to remember what CSRIC stood for. I \nhad gotten all but two of the letters.\n    We have all said, when you talk about cloud, when you talk \nabout mobile, that we are moving to a world where the role of \nthe service providers is going to be more important, and that \nis where FCC and NTIA are the lead agencies right now. There \nare others of course that are involved but FCC originally \nlooked at this issue and they were afraid that if they took too \nactive a role, as I understand it, they might be seen as trying \nto regulate the Internet, and they wanted to avoid that. So \ninstead, they have taken on an approach that works more on \ncoordination with private sector experts, with developing \nvenues for these private sector experts to get together and \nencouraging them to come up with a voluntary approach, and one \nof the things I had said to FCC staff a while ago is, try the \nvoluntary approach, and if it works, great. If it doesn\'t work, \nthen we have to think about more mandatory measures. So far it \nlooks like it is working, though. So I understand they have \nsome measures they might roll out in the next few months. \nCommerce has some other things they are doing. This is where \nthe service providers and their regulators will be one of the \nkey elements of cybersecurity in the future.\n    Mrs. Christensen. Anyone else?\n    Mr. Dix. 
So they are in a position to serve in a key role \nin this education and awareness campaign that we talked about \nand coordinating that at the national and in a sustained manner \nto help deliver messages to constituent stakeholders whether \nthey are home users all the way up to large enterprises, \nworking with the carriers and the content providers to be able \nto help deliver that message. So I think there is a key role in \nthat part of it in showing leadership around how we advise \npeople how to protect themselves.\n    Mrs. Christensen. Ms. Schneck?\n    Ms. Schneck. Just one point in addition, having worked with \nthem a bit over the past few months, they are setting a great \nexample. Their house is in order from a cybersecurity \nperspective. They have some new leadership and they are really \nlooking--they are reaching out to the private sector saying \nwhat are the best practices. They are reaching out, from what \nthey tell us, to other CIOs and the government. So when you \ntalk about the need to get the government\'s house in order, I \nthink that is an exemplary piece. And in addition, they have a \ngroup of people really looking at these policies and really \nlooking at these issues. We have never seen that before. So I \nthink this is a good time for them to not only build on the \nawareness they launched, I believe it was last spring with the \nSBA to the hygiene program point, but then jump on that for the \nlarger enterprises also as an example.\n    Mrs. Christensen. Well, Mr. Conner, and this is probably \nwhat you are referring to at the SBA, but your testimony notes \nthat according to the FCC, three out of every four small and \nmid-sized businesses report having been affected by cyber \nattacks. So what is the role of the FCC in preventing the \nattacks or aiding the small business community?\n    Mr. Conner. 
Well, I think increasingly the networks \nunderpin all those attacks so you have got the ISPs, you\'ve got \nthe carriers themselves and you have got the devices attaching to \nit. I think one of the areas that we must remember is, it is \nnot always outside where those attack vectors come from, and \njust like organized crime found its way inside organizations, I \nthink increasingly we are going to have to look at that as an \nattack vector, and that should be something that the FCC takes \ninto consideration as they look at how to deal with it in \naddition to the ISP filtering and the other pieces they use.\n    But one thing I would caution, I hear a lot of rhetoric \naround building separate networks, and having lived in a world \nthat I am old enough that we had separate networks, I think the \nreliability when things like 9/11 and tsunamis happen, the \nbenefit of having multiple networks and the Internet outweigh \nthe needs of a protected, isolated network because I don\'t \nbelieve in today\'s world that is a real answer.\n    Mrs. Christensen. I don\'t have any other questions, Mr. \nChairman. I will yield back the balance of my time.\n    Mr. Walden. I thank the gentlelady for yielding.\n    I believe Ms. Blackburn is next for questions. Then I will \ngo to Mr. Shimkus next.\n    Mrs. Blackburn. I will skip.\n    Mr. Shimkus. Thank you, Ms. Blackburn, and thanks for the \npanel. Sorry, we have two competing panels, and I apologize for \nnot hearing all the testimony.\n    Let me go to Mr. Lewis. You mentioned in your written \ntestimony the importance of domain-name system security, \nDNSSEC. Could you describe the problem with the current \nimplementation of domain-name systems and why DNSSEC is \nimportant?\n    Mr. Lewis. Well, I think what you have heard from all of us is \nwhen the people who designed the Internet designed it as a DOD \nnetwork and then they thought it would grow out a little bit. \nThey didn\'t worry about trust. 
They didn\'t worry about \nauthentication. Phyllis knew it was her sister at the other \nend, right? When we did this, we didn\'t have to worry about \nthis and so the domain-name system, which is the addressing \nsystem, is vulnerable to spoofing. It can be manipulated and, I \nthink as you have, redirect traffic. So you think as far as you \ncan tell on your machine you are going to a legitimate site and \nit could instead be the government of Iran or a Russian cyber \ncriminal. You can spoof it. And DNSSEC uses authentication \ntechnologies largely so that we reduce that ability, really \nalmost eliminate it, to impersonate another site.\n    Mr. Shimkus. Yes, and I think the challenge with this \ncommittee is, it is so high tech, so--you know, we are \nlaypeople for the most part. It is just very tough for \nlaypeople to understand. That is why we have experts like you \ncome. A lot of us do understand domain, just the basics, why \nyou have a domain. Now ICANN is exploding domain names, and \nwith that, should we--and this is one for the whole panel--\nshould we be working with ICANN to roll out DNSSEC?\n    Mr. Conner. I think everybody is already working that. I \nwould tell you be aware of newfangled toys. DNSSEC has a \npromise but it also has liabilities today that are equal to the \nliabilities we have today. Will it be there in 5 to 10 years? \nWe hope sooner, but it is not there, not even close. I think we \nhave got to use the capabilities we have like EV SSL where the \nchrome turns green and you know you are safe, and when someone \nsays your identity is who it is, it is, and I think that is \nwhere I put the focus instead of buying $19 authentication \ntechnology to take a responsibility liability for your identity \nand who that is, and if it costs you 500, I mean, that is where \na bully pulpit starts to make a difference in our technology.\n    Mr. Shimkus. Mr. Dix, anyone else want to respond? Anyone \nelse? 
That is fine, because I want to go to a couple other \nthings. I also deal with democracy movements in former captive \nnations, eastern Europe, whatever you want to call them, and \nfollowed the cyber attacks in Estonia years ago, the meddling by \nChina and Russia and their neighbors and continue to be very \nconcerned, although the new technological age is allowing \ndemocracy movements to get their word out, to communicate, and \nthat keeps evolving. But you also see governments like the \ngovernment of Belarus try to clamp down on that and which I \nhave also been very concerned about. So that is just a \nstatement. I mean, it is just an evolving--it is like a \ncompetitive market. People want to get information but the bad \nguys want to get around and it moves too fast that we can \nreally regulate. I have always said that about this \nsubcommittee and the tech community, there has got to be a lot \nof self-interest that gets people to move before they get \ncaught.\n    Let me just segue real quickly into, I serve on the Energy \nCommittee and we go to power plants all the time. I am a big \nproponent of nuclear power. And Mr. Terry\'s opening statement \ntalked about, well, you could be secure if you just had a \ndesktop alone and were no longer connected. Now, with WiFi and \nstuff, who knows what folks could end up doing. But the power \nutility system relies so much on data going to RTOs, really \nwhat they are producing is excitable electrons to get on the \ngrid, which if that were all we had to worry about and had a closed \nsystem, we would be fairly safe, but it is all the monitoring \nand calculation of the load. What is the solution to the \nutility industry? Does anyone have----\n    Mr. Conner. Two thoughts. One is, as I testified earlier, \nthat is why you have to start with DOE\'s elite. Electrical is \nvery different than nuclear at the source. We believe you have \ngot to start within the power production plant itself. 
We are \nworking with large manufacturers in terms of how do you \nauthenticate everything in that power production plant because \nyou want to know what parts, whether they are original ones or \nthe alternate parts coming in, who they are and where they are \nfrom. And frankly, that doesn\'t matter whether they come from \ngood or bad sources, just know where they come from and that \nthey are there.\n    The second thing we then focus on is, who is accessing \nthose systems and sharing that information so only the people \nwith the right authorization or identity can see it. And then \nthe third thing we are working with them is, how that data is \nshared because data, in and of its own, at one location will \nnot solve a grid by definition.\n    Mr. Lewis. Two other quick points. The idea of a secure \nnetwork, a standalone secure network, just doesn\'t make any \nsense. People bring their iPhone to work and they plug it in to \ncharge, and we have seen that happen twice with allegedly \nisolated air gap networks, so forget it.\n    We need to think about securing the industrial control \nsystems, the SCADA networks. This is an avenue of attack. It is \na different kind of network technology. Right now, it is the \ntypical thing. When you buy it, the password is ``password\'\' \nand the user name is ``admin\'\' and it doesn\'t take a lot of \nactivity for foreign opponents to figure that out. People also \nneed to look at how their critical infrastructure connects to \nthe Internet. When you talk to nuclear companies, for example, \nthey will usually tell you we are not connected. When you do \nthe actual survey, what you find is, you know, sure, so we need \nto have some way to bring the industry--some companies do \ngreat. Others need some help and we need to figure out how to \ndo that.\n    Ms. Schneck. 
And one point on that, the good news is, a lot \nof these industrial control systems are the same across sectors \nso if you can get some best practices and some incentives in \none sector, they will multiply across from the grid to even \ntransportation and nuclear in some cases. Authentication is one \nvector. Another is what gets executed. It goes back to the \ninstruction. It is a malicious instruction from someone you \ndon\'t want going to execute on a system that talks to something \nthat controls physical infrastructure, and that comes from \nworking at the component level, making sure that you have \ntechnology in those components that looks at whatever operating \nsystem is on that and says only execute these things. This is \nactually pretty simple on these because they only do one job in \nlife. They are a component on the SCADA system. It is not \njust--it is not like they are a big server so you can lock down \nwhat they do.\n    Mr. Shimkus. Thank you, Mr. Chairman. Thank you.\n    Mr. Walden. Thank you.\n    We will now go to Ms. Blackburn for 5 minutes for \nquestions.\n    Mrs. Blackburn. Thank you, Mr. Chairman, and thank you all \nfor being here and for your patience with us.\n    I want to say just a couple of things. I think it is so \nimportant that the industry lead on this. Anything that we do, \nas different members have said today, is going to be passe \nbefore the ink is dry on whatever it is that we do. As we look \nat the security issues, I think that your guidance is there.\n    Another thing. 
We have spent some time in this committee \nand also in CMT, Commerce, Manufacturing and Trade, looking at \nthe issue of privacy and the data security issue, the breach \nnotification issue, which is a component of what we have here, \nand quite frankly, I think that most people do not realize the \nvulnerability that exists in their home with the computer that \nis there, and believe you me, I hear about it a lot with my \ndistrict in Tennessee with all the songwriters and entertainers \nand the individuals that are in logistics informatics or \nfinancial service informatics or health care informatics and \nauto engineers. So the problems are compounding for this every \nday. But as we look at the privacy issue and in my \nconversations with them, let me ask you about Federal \npreemption. And as we look at our standards on breach \nnotification, data security, I wonder if you all have any \nthoughts on putting in Federal preemption language and making \ncertain that we are working from one standard and the \nimportance of that.\n    Mr. Clinton. Ms. Blackburn, if I could, we are supportive \nof Federal preemptive notification requirement. I think we have \n47 different ones now. For a multi-state company, it is very, \nvery difficult to work on the similar themes that I have been \nhammering on throughout today and generally is that we have to \nunderstand that it is not a technical problem, it involves \ncost. If we can find a way to reduce cost, we can have good \nstandards but we don\'t have to have multiple good standards. So \nwe can lower compliance costs, increase simplification, we will \nhave better adherence, we will have better security, better \nprivacy and at lower cost, and I think that that ability to cut \nthrough kind of the government falling all over itself at the \nvarious levels is critical to getting that done, so I am very \nsupportive of that.\n    Mrs. Blackburn. OK.\n    Mr. Conner. I would second that. 
I would tell you the \nsingle largest legislation issue that has brought security from \nbeing in the Stone Age to today is probably California 1386. \nWhy? Because it said if it happens, you have a carrot and a \nstick. If you tried to protect yourself with encryption, you \nare safe, and if you haven\'t, you are liable for a class-action \nsuit. That is singly the shot that was heard around the world, \nat least in the United States. The problem being, as Larry \nsaid, we have got too many State legislations, a patchwork, so \nthat needs to get dealt with because it is an inextricable link \nto cybersecurity in terms of that.\n    The second piece I would tell you is the regulation that \njust was passed by the FCC about disclosure is going to have \njust as profound impact. The problem is, it is only public \ncompanies, and that disclosure is pretty nebulous in terms of \nbeing meaningful for you as a small business person in \nKnoxville or Nashville or Memphis in terms of what that means \nto you.\n    Mrs. Blackburn. OK. Thank you. I will yield back.\n    Mr. Walden. The gentlelady yields back, and now I think our \nfinal questioner is Mr. Bilbray from California. We welcome \nyour comments. You are recognized for 5 minutes.\n    Mr. Bilbray. Thank you, Mr. Chairman.\n    Mr. Conner, do you believe that law enforcement has the \ntools they need to go after cyber criminals as described in \nyour testimony?\n    Mr. Conner. No, they do not. I have to tell you, if you \nlook at the attempts that are being made with DHS and within \nJustice to have the criminal network geared up, I mean, part of \nthe problem is, we look at it and there are one-time uses for \ncritical events. Well, unless you use it every day, that system \nis never going to be ready. We partnered with Interpol to do \njust that. They have 6,000 agents worldwide, and their issue \nwas--because I certainly didn\'t have the money--Interpol is \ntreated like a country now under passport control. 
We were able \nto put their passport information so it has biometrics. \nUnfortunately, this country doesn\'t deal with that in its \npassport today. It is first generation digital. The second \nthing it has--and this is all on commercial chips--it has \nsoftware to do logical access so those 6,000 agents if they go \nafter a tsunami, they can go on any network, including an \nInternet cafe, and be secure in getting access to that \ninformation, whether it is mobile, etc., and last but not \nleast, physical access to every Interpol office. All that \ntechnology resides on this little card--this is a real one--\nthat those 6,000 agents use around the world today as they \nfollow crime, hopping jurisdictions that have three different \nstandards, three different use cases, that allows them to do \ntheir job. Why is it important? Because it is what he or she \nhas to use every day. To the extent it is not something you use \nevery day, it will not be useful at the time of need in some \nevent.\n    Mr. Bilbray. So basically you are saying we are at a place in \ncyber crime where we were in the 1930s with the bad guys \nrunning around with Thompson submachine guns and the cops \ncarrying .38 revolvers.\n    Mr. Conner. Well, and worse than that, we are isolated. We \nare isolated here in the United States with, as my colleague \nsaid, the most at risk and no ability to interwork on a global \ncapability with the good guys to defend that.\n    Mr. Bilbray. It is interesting you bring that up because I \nthink that most of us here will remember after 9/11 this issue \nof the technology, security, the biometrics, the high-tech \nstuff was one of the top priorities of the 9/11 Commission. We \npassed a thing called the REAL ID bill and now everybody has \nfound excuses to keep dragging it on, dragging it on. 
In fact, \nI think we are even giving grants to States for homeland \nsecurity and States are refusing to implement the 9/11 \nrecommendations, so we are giving them money and they basically \nsay that we want to spend it on other things rather than the \nfirst priorities. Do you think we may want to revisit that \nwhole situation rather than just ignoring the fact that----\n    Mr. Conner. Absolutely. I spoke the morning after Bush \naddressed both the House and Senate. That morning after, I was \nwith Mr. Bennett and other legislators that were leading this \neffort and spoke at NATO after 9/11 on, we have learned to \ndefend air, land and sea, the next frontier is cyber. \nUnfortunately, in those 10 years, we made a lot of progress but \nthe bad guys have made more progress and they can jump across \njurisdictions with no legislative legal barrier.\n    Mr. Bilbray. Mr. Chairman, I have to say that this is one \nthing that I think that our committee always referred over to \nHomeland Security but here is a point where we may want to \ntalk. This is a place that both sides of the aisle should be \nable to cooperate on. We have got a consensus there. And \nfrankly, the bad guys in here, the obstructionists are on both \nsides of the aisle too. So maybe this committee can take a look \nat, you know, how we can go back and revisit that and address \nthat issue.\n    And I appreciate the fact that you draw the line about--I \nam concerned and I will ask the doctor to jump in here because \nthe two at the end brought up two interesting things, that when \nwe develop strategies, how to address this. We don\'t want to \ncreate a box that gets people to litigate the private sector \nbut we also don\'t want to create a box that allows the bad guys \nto know how far they have to move outside to avoid it, and I \nwould solicit both comments. 
Let us start with the doctor and \nthen I will go back of how, you know, can you elaborate again \nhow that us creating arbitrary boxes may be utilized by the bad \nguys.\n    Ms. Schneck. I think it was said earlier, and even by \nRanking Member Eshoo, this issue is so vast, this is science, \nthat if you start saying you will implement these five things, \nthe adversary is always looking at how to get around that. They \nknow their target. They know what they want. They spend many \nmonths and people on finding exactly the intellectual property \nthey want. They find the person and the company. They know what \nthe person will respond to and they get it.\n    It is quite clear that if we say we are going to seal up \nthese gateways and these ways, these are the best practices \nthat we must follow when it is a regulation, that is where the \nmoney will go, and after that, the money won\'t go to anything \nnew and different and therefore the adversary then always goes \noutside that and says well, I can get in this way. It is like \nthe point to the industrial control system. They say they are \ndisconnected but true story after true story finds a little \nmodem out the back so the person can watch the game while they \ndo the monitoring. There is always a way out in science, and \nwhat we want to do is instead incentivize. You have a classic \nproblem. We are not incentivized to do what is good for the \ngreater good. We are incentivized towards our shareholders. So \ninstead, if you put that money and that incentive toward \ninnovation, we will end up building stronger and better \ntechnology at many times the speed that the legislation could \neven get through due to the, quote, protection.\n    Mr. Conner. Congressman, I think that is a great question. \nI am frankly less concerned about what we say we are doing. Say \nanything you want, by the time you say it, they have already \nfigured that out. 
They are not waiting for us to legislate and \nregulate and figure out the next hole. I think the model is \nvery clear. It is joint forces and it is in DOD. We still have \nstrong Army, Air Force, Marines, Colonel Garlick, and they act \non their own. They are highly integrated with their suppliers. \nThere is what is publicly available. I served on the Joint \nForces Advisory Board as a private sector person. There is what \nyou do in that that is public and there is what you do that is \nnot public, and I think that is how cybersecurity has to be \ntreated. There was 10 percent of the money set aside to deal \nwith cybersecurity, and no Army, Air Force department could do. \nThey had to get their best and brightest in on it and they had \nto share what is public is public and what is not public is \nequally or maybe more important.\n    Mr. Bilbray. Thank you, Mr. Chairman.\n    Mr. Chairman, they referred to Australia. Being the son of \nan Australian war bride, it reminds me of the story of a \nnotorious Australian bushman, a robber named Ned Kelly. Ned \nKelly was notorious for putting so much armor on so that nobody \ncould shoot him, and his armor slowed him down so much that \nthey shot him in the back where he wasn\'t armored, and I think \nthat may be very symbolic of the Ned Kelly syndrome, that we \nput on so much armor thinking we are defending and what we do \nis create an opportunity for the bad guys to get around it.\n    Thank you. I yield back.\n    Mr. Walden. I thank the gentleman and I thank all our \ncommittee members for letting us have a more freewheeling \nhearing than sometimes we have, but the value of the content we \ngot from you all is just unparalleled, and I think my \ncolleague, Ms. Eshoo, and I will be reaching out to each of you \nto say come back to us with what really would work. We got a \nlot of that today and our staff has got that. We are going to \nmove forward on this. 
I think there is an opportunity to look \nat device manufacturers, perhaps the phone side, the router \nside, there is an issue on the education side, and so we really \nappreciate what you are doing out there in this fight and your \ninput to us so we can try to get it right and solve this \nproblem.\n    With that----\n    Ms. Eshoo. I would say bravo and thank you very much. Every \nmember really drew so much from your testimony and the answers \nto our questions have been most, most helpful. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Walden. Thank you, and with that, the committee will \nstand adjourned.\n    [Whereupon, at 11:56 a.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n</pre></body></html>\n'