[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
 CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR 
                               RESPONSES

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 8, 2012

                               __________

                           Serial No. 112-112



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
82-628                    WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 7_____

             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California           DORIS O. MATSUI, California
MIKE ROGERS, Michigan                JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin 
BRIAN P. BILBRAY, California             Islands
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan (ex 
ADAM KINZINGER, Illinois                 officio)
JOE BARTON, Texas                    HENRY A. WAXMAN, California (ex 
FRED UPTON, Michigan (ex officio)        officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     1
    Prepared statement...........................................     4
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................     7
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement...............     8
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................     8
    Prepared statement...........................................    10
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................    12
Hon. Mike Rogers, a Representative in Congress from the State of 
  Michigan, opening statement....................................    12
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................    13
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, prepared statement.................................   114
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, prepared statement................................   115

                               Witnesses

Bill Conner, President and Chief Executive Officer, Entrust......    14
    Prepared statement...........................................    17
    Answers to submitted questions...............................   119
Robert B. Dix, Jr., Vice President, Government Affairs and 
  Critical Infrastructure Protection, Juniper Networks...........    26
    Prepared statement...........................................    29
    Answers to submitted questions...............................   127
James A. Lewis, Director and Senior Fellow, Technology and Public 
  Policy Program, Center for Strategic and International Studies.    42
    Prepared statement...........................................    44
    Answers to submitted questions \1\
Larry Clinton, President and Chief Executive Officer, Internet 
  Security Alliance..............................................    51
    Prepared statement...........................................    53
    Answers to submitted questions \2\...........................   136
Phyllis Schneck, Vice President and Chief Technology Officer, 
  Public Sector, McAfee, Inc.....................................    73
    Prepared statement...........................................    76
    Answers to submitted questions...............................   210

                           Submitted Material

Majority memorandum..............................................   116

----------
\1\ Mr. Lewis did not answer submitted questions for the record 
  by the time of printing.
\2\ Additional information provided by Mr. Clinton and referenced 
  on page 141 is available at http://www.verizonbusiness.com/
  resources/reports/rp_data-breach-investigations-report-
  2011_en_xg.pdf.


 CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR 
                               RESPONSES

                              ----------                              


                      WEDNESDAY, FEBRUARY 8, 2012

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:39 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Greg 
Walden (chairman of the subcommittee) presiding.
    Members present: Representatives Walden, Terry, Stearns, 
Shimkus, Rogers, Blackburn, Bilbray, Bass, Gingrey, Scalise, 
Latta, Guthrie, Kinzinger, Barton, Eshoo, Markey, Doyle, 
Matsui, Barrow, Christensen, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight; Gary 
Andres, Staff Director; Ray Baum, Senior Policy Advisor/
Director of Coalitions; Nicholas Degani, FCC Detailee; Neil 
Fried, Chief Counsel, Communications and Technology; Debbee 
Keller, Press Secretary; Katie Novaria, Legislative Clerk; 
David Redl, Counsel, Communications and Technology; Jeff Cohen, 
Democratic FCC Detailee; Kara Van Stralen, Democratic Special 
Assistant; Shawn Chang, Democratic Chief Counsel, 
Communications and Technology; and Roger Sherman, Democratic 
Chief Counsel, Energy and Commerce.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I am going to call the order the Subcommittee 
on Communications and Technology. I want to welcome our members 
and our witnesses for today's hearing on cybersecurity threats 
to communications networks and private sector responses.
    Back in October, the House Republican Cybersecurity Task 
Force recommended that the committees of jurisdiction review 
cybersecurity issues. So this hearing continues our committee's 
review of cybersecurity issues with an examination of threats 
to communications networks and the responses of the private 
sector. Threats to communications networks have come a long way 
in a very short time and they are very, very real and serious.
    Before coming to Congress, I spent about 22 years as a 
radio broadcaster. And as a small businessman, I had to worry 
about securing our communications network, and back then, 20 
years ago, it was relatively straightforward. You had to have a 
fence around the tower and you couldn't let people get near the 
transmitter and a few things like that. And every once in a 
while somebody would come and shoot an insulator out or 
something and you kind of got grumpy and had to repair that, 
and every once in a while some idiot would try to cut the guy 
wires, and those usually spun around and got them. That never 
happened at my stations, but it does happen occasionally. But 
all of that was sort of security of that wireless age. Not 
anymore.
    While physical security remains important, cybersecurity 
has also become a pressing concern. Now a small business 
confronts a dizzying array of threats online from the Zeus 
Trojan horse to Stuxnet, from LulzSec to botnets. These threats 
are serious. Unless our cyber defenses hold, a bad actor could 
drain the bank account of a business, crash an online company's 
Web site, or launch a barrage of cyber attacks on a company's 
network. Those are serious consequences for any business, and 
especially for the small businesses that are at the heart of 
creating new jobs in this economy. And indeed, in our small 
business, I don't know, 10 years or so ago when we did create a 
computer network and put everything up on digital audio, our 
main server was hacked and taken over, and all of a sudden it 
started running slower and slower and slower and eventually we 
determined it had been overtaken.
    Every month, we learn more about these cyber threats, and 
what we have learned thus far is of great concern. I am 
concerned that our communications networks are under siege. I 
am worried that the devices consumers use to access those 
networks are vulnerable, and I am concerned that our process 
for looking at communications supply chain issues lacks 
coordination. I am also concerned that our cyber defenses are 
not keeping pace with the cyber threats.
    Now, in this hearing, we are lucky to have the voices of 
five private sector witnesses to guide us through the complex 
issue of cybersecurity. I am hoping that you will tell me that 
cyberspace is secure and we can all rest easy at night. 
Unfortunately, I have read your testimony and it is not so. So 
I expect that you will tell us that the threats to our 
communications networks are all too real, American businesses 
are losing dollars, jobs, intellectual property and much, much 
more because of cyber crime and cyber espionage, and that our 
national security is potentially at risk as well.
    I also expect that you will explain what the private sector 
is doing to fortify our cybersecurity defenses. The private 
sector owns most of the critical infrastructure--the wires, the 
servers, the towers and base stations--that make up our 
communications networks, and they are on the front lines of 
cybersecurity. So I want to know what cybersecurity services 
are being offered to consumers, what protections are being 
deployed in our communications networks, and what affirmative 
steps the private sector has taken to lock down the supply 
chain and to combat cyber crime.
    I also expect to hear what you think the appropriate--and 
underscore ``appropriate''--the Federal role is. Are Federal 
laws and regulations helping or interfering with information 
sharing? Are Federal regulations of cybersecurity practices 
appropriate, and if so, how? Should the Federal Government be 
providing incentives for Internet service providers and other 
members of the private sector to invest and innovate in the 
cybersecurity arena? And how should our country's fiscal state 
shape our discussion of the Federal role?
    These questions and others will form the basis for deciding 
what cybersecurity legislation, if any, is needed in the near 
term, and how we can best secure cyberspace in the long run. So 
I want to thank the panelists today for taking time out of your 
schedules to be here to help inform this important subcommittee 
and the Energy and Commerce Committee on what we should do and 
how we can be better informed in doing our job.
    [The prepared statement of Mr. Walden follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.001
    
    [GRAPHIC] [TIFF OMITTED] T2628.002
    
    [GRAPHIC] [TIFF OMITTED] T2628.003
    
    Mr. Walden. With that, I would recognize the gentlelady 
from California, the ranking member of the subcommittee, Ms. 
Eshoo, for an opening statement.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, for convening this 
morning's important hearing, and I want to welcome the 
witnesses and I am especially pleased that Juniper Networks and 
McAfee, two outstanding Silicon Valley companies, are here to 
talk to us about tackling the challenges of cybersecurity this 
morning.
    We all recognize the serious threat to our Nation's 
communications networks. Since 2006, the number of Federal 
cybersecurity incidents reported to the Department of Homeland 
Security has increased by 659 percent. That is a whopping 
number. And the economic impact of these incidents is equally 
significant. A recent study by the Ponemon Institute estimated 
that the median annualized cost of cyber crime to a victim 
organization is $5.9 million per year, an increase of 56 
percent from 2010.
    The more we rely on the Internet to conduct our business, 
the more vulnerabilities we create for hackers to exploit. 
Having served as a member of the House Intelligence Committee 
for 8 years, I am very well aware of the threat, not just from 
criminal hackers but also obviously from other countries. But 
talking about the problem is not enough. We need to act, and 
that requires the help of both the private sector and the 
Federal Government. The private sector really represents 95 
percent of this, the Federal Government the other 5 percent.
    One of the first steps to tackling this growing threat is, 
I think, education and training. Whether at home or in the 
workplace, every American should understand what they can do to 
protect themselves against a cyber attack. Improved information 
sharing is also a key aspect of our Nation's response to 
cybersecurity. If we are going to ask industry to report 
cybersecurity incidents to the government, then we need to 
establish a clear process to do so.
    I am pleased to support our colleague Mike Rogers' effort, 
the Cyber Intelligence Sharing and Protection Act of 2011. That 
is one of three or four bills in the House. There are least 
three or four in the Senate as well.
    It is also important to recognize the timely alerts to 
consumers and businesses can be the difference between an 
isolated cybersecurity incident and one that impacts millions 
of users. A voluntary ISP code of conduct currently being 
developed by the FCC is one of the proposed ways to alert 
consumers when a botnet or other malware infection is 
discovered.
    Today's hearing is a very important opportunity for us to 
better understand our subcommittee's role in cybersecurity 
including what role the FCC and NTIA should play in protecting 
our Nation's communication networks and how the private sector 
and other Federal agencies should interact with them.
    So thank you to all of the witnesses, those that come from 
Silicon Valley to instruct us, and with what remaining time I 
have I would like to yield to Mr. Markey.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. I thank the gentlelady.
    Last week, FBI Director Robert Mueller testified that cyber 
threats will soon surpass terrorism as the number one threat 
facing the United States. We know from the Department of 
Homeland Security that there have already been threats to the 
utility sector. We also know that Russia and China have probed 
our electricity grid to find vulnerabilities.
    Our economy hinges on a reliable flow of power with losses 
that go into the billions of dollars with every major blackout. 
Our national security also depends upon it since 99 percent of 
the electricity used to power our military facilities including 
critical strategic command assets comes from the commercially 
operated grid.
    Last September, I asked all five commissioners from the 
Federal Energy Regulatory Commission under our jurisdiction to 
name the number one threat to electricity reliability. All five 
commissioners agreed, cyber threats are the number one threat 
to the grid.
    In 2009, the full Energy and Commerce Committee unanimously 
passed the GRID Act, which I authored along with Chairman 
Upton. That bill gave FERC the authority to quickly issue grid 
security orders or rules that vulnerabilities or threats have 
not been adequately addressed by the industry. It was killed in 
the Senate. All five FERC commissioners also agreed that giving 
FERC this authority would increase America's ability to secure 
our electric grid.
    With cyber threats growing by the day threatening our 
security and our economy, it is imperative that this committee 
pass the GRID Act so that we can move it forward and empower 
the FERC to move quickly to safeguard the electric grid from 
cyber threats that are not sufficiently addressed by industry. 
We should listen to FBI Director Mueller, to the FERC and to 
the warnings coming from Russia and China. We should pass the 
GRID Act soon.
    I yield back.
    Mr. Walden. I thank the gentleman for his comments, and we 
are now going to recognize the chairman emeritus of the 
committee, Mr. Barton.
    Before I do that, I just want to say how important it is to 
have members who have been so engaged on this, and especially 
we are blessed to have Anna here, who served on the 
Intelligence Committee, and Mike Rogers, who chairs it now, and 
Lee Terry and Mr. Latta and Mr. Murphy, who is not part of the 
subcommittee but were on the cybersecurity task force the 
Speaker appointed, so all of that is most helpful as we tackle 
both of these issues.
    I now recognize the gentleman from Texas, Mr. Barton.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Chairman Walden. I thought Mr. 
Markey was going to say the experts said the biggest threat to 
our grid was the EPA, but he went a different way with that.
    Back in 2006, Subcommittee Chairman Upton held a hearing on 
this very same issue, and as full committee chairman, he and I 
sent a letter to the GAO asking them to take a look at this 
issue. The response that we received then is the response that 
we are receiving today and that is that it is quite possible 
that we could have a major attack, a cyber attack, in this 
country that would dramatically affect our country.
    According to the Norton cyber crime report for this last 
year, cyber crime is a $388 billion industry with 431 million 
adults experiencing at least one cyber crime in the last year. 
In another study, research has showed that the median 
annualized cost of cyber crime for companies is over $6 million 
a year with the range being between $1.5 million to $36 million 
per year. Now, these are real numbers, real statistics and that 
is for the year 2011.
    As we use the Internet more and more every day, it is 
absolutely imperative, Mr. Chairman and Ranking Member Eshoo, 
that we really take this seriously, and as you have pointed out 
and Anna has pointed out, it is good to have the chairman of 
the Select Committee on Intelligence on this subcommittee 
because he has access to information that could be useful if 
and when we decide to legislate.
    So thank you, Mr. Chairman, for holding the hearing. As you 
know, there is an EPA hearing downstairs in the energy 
subcommittee, so I will be shuttling back and forth.
    [The prepared statement of Mr. Barton follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.004
    
    [GRAPHIC] [TIFF OMITTED] T2628.005
    
    Mr. Walden. Mr. Chairman, if you don't mind yielding to Mr. 
Terry?
    Mr. Barton. I will yield 2 minutes.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Barton and Mr. Chairman.
    This is an extremely important hearing and that we have to 
elevate the level of discussion and potential solutions.
    There is only one silver bullet that exists to prevent 
cyber crimes. That is to completely disconnect your computer 
from any network. Use it as a paperweight. Maybe just play 
solitaire. That is it. If you are going to engage in any level 
of commerce using the Internet, you are at risk, and the only 
thing we can do is to try to minimize it. There is no silver 
bullet.
    Why these folks are here today is for us to understand what 
tools may be available. In the cyber task force, one of the 
things that we concluded is that the vast majority of everyday 
hacking can be maybe not prevented but go a long way which is 
basic security features offered by private sector today or the 
networks or ISPs. But we have to have people to actually 
purchase those or use those tools. In fact, there was one 
incident in Omaha with our entity that controls our facilities 
that never thought that it was important to have those type of 
securities, and guess what? They were hacked and all of their 
information was stolen.
    But then the next level is where it gets dicey. How do you 
protect people? How do they protect their data? We can't engage 
in setting the standards because frankly we set the standards. 
Before the ink is dry on the bill, the standards have changed.
    So you are here to help us understand what solutions may be 
available to minimize and help secure our infrastructure, and I 
want to thank you all for being here today. Does anybody else 
want 48 seconds?
    Mr. Walden. Mr. Rogers.

  OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Rogers. Thank you very much. In the short time that we 
have, I can't tell you a more important issue.
    There are a lot of things that can keep you up, as the 
chairman of the Intelligence Committee, and this one is one of 
the main ones. Eighty percent of the attacks that happen every 
day can be prevented by the operator. It is those other 20 
percent that are the devil in the details. Between criminal 
attacks, economic espionage, disruption or attacking, as we 
would call it, on cybersecurity, we have a very real and 
present danger when it comes to cyber threats to our networks.
    Nobody is more integrated than the United States, and 
therefore we are more at risk than other countries. I do 
believe it is unprecedented in history that such a massive and 
sustained intelligence effort by a government to blatantly 
steal commercial data and intellectual property to use against 
the United States is well underway. We don't talk about it a 
lot because companies are reluctant to talk about it. The real 
number we think is closer to somewhere between $300 billion and 
$1 trillion in lost intellectual property per year. Countries 
like China are leading that charge. Russia is not far behind. 
Iran's capabilities are getting better, and the most concerning 
are non-nation states who are developing cyber capability to 
conduct disruption and attack activities against targets like 
the United States. All are serious problems.
    I want to thank Anna Eshoo. We did a seminar out at 
Stanford University on this very issue. I think it was well 
received. Her support of this bill is incredibly important. I 
look forward to hearing from the witnesses, and I appreciate 
you being here so that we can get to that next step and 
actually do something that helps us have a fighting chance 
against these cyber threats.
    I yield back, Mr. Chairman.
    Mr. Walden. The chair recognizes the gentlelady from 
California, Ms. Matsui, who is going to control Mr. Waxman's 
time.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you very much, Mr. Chairman, for holding 
today's hearing, and I would also like to welcome our witnesses 
here today and look forward to your testimony.
    There is no doubt that cyber attacks are real and continue 
to pose significant threats to several aspects of our economy. 
Communications networks are one of many areas that our Nation 
must protect and assure safety and soundness, particularly as 
we consider deploying an advanced nationwide broadband network 
for public safety. Advanced IP-based technologies and public 
safety communications heighten the concerns for cybersecurity. 
This new network, however, will share many of the same cyber 
concerns as any other network. This is something we have to 
take seriously and must protect.
    Moreover, our economy continues to experience ever-evolving 
ingenuity and innovation in the American technology industry. 
One of those technologies which will continue to play a 
prominent role in our economy, both in the public and private 
sector, is cloud computing. We are also seeing consumer cloud 
applications like the iCloud. As I see it, one of the key 
issues is the challenge of cybersecurity relating to the cloud.
    The challenge is to find the critical balance of continuing 
to foster American innovation and growth while combating cyber 
attacks. For the most part, the private sector will need to be 
up to the challenge of managing itself and its networks from 
potential cyber attacks. That said, I do believe that some 
balance may be appropriate where the government must work 
together in partnership with the private sector on enhancing 
our Nation's cybersecurity preparedness. Simply put, one cannot 
do it without the other.
    Small businesses, many of whom rely on the broadband 
economy, are also very susceptible to cyber attacks. In many 
instances, small businesses cannot fend off such attacks 
because they do not have a plan or lack the resources. Such an 
attack, though, would be very costly to their businesses. 
During this economic recovery, the last thing small business 
owners in my district and across the country need to worry 
about is a cyber attack that will hinder their business.
    I am pleased that the FCC recently launched a public-
private partnership, the Small Biz Cyber Planner, which is an 
online tool that will allow small businesses to create 
customized cybersecurity plans. It is important that we 
continue to educate small businesses and the public in general 
about the risks that cybersecurity poses to small businesses, 
the government and to our economy as a whole. I also believe a 
strong public-private partnership is critical to protect 
against cyber attacks. It is my hope that partnership continues 
to foster moving forward.
    I look forward to exploring appropriate jurisdiction of 
this committee, given the communications and technology 
relevance of cybersecurity. I look forward to hearing from the 
witnesses today and hope that we will have future hearings in 
this subcommittee so that we can also hear more about the 
government's efforts to combat cyber attacks.
    Again, I thank the chairman for holding today's hearings, 
and I would be happy to yield to anyone on our side if they 
would like to. OK. I yield back the balance of my time.
    Mr. Walden. The gentlelady yields back the balance of her 
time.
    We will now proceed to the witnesses. We have a very 
distinguished panel. We thank you again for being here today to 
share the information you have in your testimony, and we are 
going to start with Mr. Bill Conner, who is the President and 
Chief Executive Officer of Entrust. Mr. Conner, thanks for your 
testimony and we look forward to your comments.

   STATEMENTS OF BILL CONNER, PRESIDENT AND CHIEF EXECUTIVE 
     OFFICER, ENTRUST; ROBERT B. DIX, JR., VICE PRESIDENT, 
  GOVERNMENT AFFAIRS AND CRITICAL INFRASTRUCTURE PROTECTION, 
 JUNIPER NETWORKS; JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW, 
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND 
   INTERNATIONAL STUDIES; LARRY CLINTON, PRESIDENT AND CHIEF 
  EXECUTIVE OFFICER, INTERNET SECURITY ALLIANCE; AND PHYLLIS 
 SCHNECK, VICE PRESIDENT AND CHIEF TECHNOLOGY OFFICER, PUBLIC 
                      SECTOR, MCAFEE, INC.

                    STATEMENT OF BILL CONNER

    Mr. Conner. Good morning, Mr. Chairman and distinguished 
members of the subcommittee. It is a privilege and honor to 
spend a morning here with you out of the cyber warfare game to 
discuss and educate what is happening below the screen.
    I would like to focus my early comments on the arms race on 
one particular vector of security, and it is called man in the 
browser. Now, that vector of security is probably the leading 
cyber stealer in the world today, and it has been around a 
while and certainly impacts the small and medium business and 
it is certainly impacting the change and nature of stealing IP 
and money both at a country state and at an organized-crime 
state.
    Specifically, it is known as Zeus. It is commonly now 
combined with SpyEye. For those of you don't know, Zeus was the 
original man in the browser software. It started out of the 
Ukraine and Russia. It went under its own merger and 
acquisition by its lead competitor in the underground world 
called SpyEye. Their tools and technology were next generation. 
They merged in the fall of 2010 behind the scenes. As law 
enforcement started to attack it, the guy took his money and 
ran, combined it. In February of last year, that new code is 
out on the market. You can buy it off the Internet and buy it 
with 24/7 support. So no longer do you have to be intelligent 
to write the code. You buy it, you pay for the support, and 
they will help you design your attack vector on which banks, 
which geographics you want to do.
    How does this technology work? It is real simple. It is 
very complicated. You cannot find it with the traditional 
software that you have on your desktop, whether it is an 
antivirus or the operating system looking for it. It is cloaked 
software that is really targeted at small and medium business 
because it is targeted for money. This is a for-money game for 
that. What it basically does, it targets a small or medium 
business that probably doesn't have the technology or banking 
understanding with its supplier to understand how to deal with 
it. How does it work? I am a treasurer at a small business. I 
go online to my financial institution. I say I want to move 
$1,000 or $10,000, let us say $10,000, to a supplier. I have an 
agreement with my local bank to have online bill pay. I type 
that in. The bank sees that but before the bank sees it, this 
software wakes up in the browser and changes the payees from 
one supplier to, let us say, six mules. It changes the dollar 
amount from $10,000 to $100,000, so what the bank sees is 
$100,000 going to six people. That bank says guess what, we've 
got good security, you had to use a password, it is on your IP 
address in your network and your location. I am going to send 
it back because I want a one-time passcode, 30-year-old 
technology that we are trying to apply to the digital world. It 
sends it back to the controller of your business and says 
please confirm by putting your passcode that is going to expire 
in 30 seconds that you authorized this transaction. That 
software wakes back up, converts that $100,000 back to $10,000, 
six payers back to one. You type in your passcode, hit enter to 
send it back, and guess what? That $100,000 is now gone from 
the bank. You lose it, the bank loses it. Six mules that are 
going to feed that money back into organized crime around the 
world are off and running.
    Unlike the personal side where I am protected by FDIC, my 
friends, you are protected as a small or medium business by 
nothing, the contract you have written, and if you look around 
this wonderful country of ours, there is no clear case law. 
There is case law on both sides of this because the banks said 
I did nothing. We have had cases overturned that even though a 
business had only done four transactions in the last year and 
20 transactions happened in six hours totaling $2 million when 
online was only $500,000, that is what is happening.
    The good thing is, the technology exists to deal with that 
today. The banks aren't doing it and small businesses don't 
know what to do. So our belief is very straightforward. Much 
like quality, there wasn't a lexicon. To deal with 
cybersecurity, we need a lexicon. Much like quality, it isn't a 
one time like year 2000. We need to do it over time. That is 
why education is critical.
    The second thing you must do is have public-private 
partnership. I co-chair the DHS piece. I can tell you, the 
legislative laws around this do not work for anybody, and I 
think you have got to break public-private at different levels 
from intelligence to the people like me that try to secure the 
U.S. government and others to energy grids where Department of 
Energy works with those types of organizations.
    And finally, we must take a unified effort in public and 
private to defend because it is an arms race and it is a pace 
as we mentioned earlier. Thank you.
    [The prepared statement of Mr. Conner follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.006
    
    [GRAPHIC] [TIFF OMITTED] T2628.007
    
    [GRAPHIC] [TIFF OMITTED] T2628.008
    
    [GRAPHIC] [TIFF OMITTED] T2628.009
    
    [GRAPHIC] [TIFF OMITTED] T2628.010
    
    [GRAPHIC] [TIFF OMITTED] T2628.011
    
    [GRAPHIC] [TIFF OMITTED] T2628.012
    
    [GRAPHIC] [TIFF OMITTED] T2628.013
    
    [GRAPHIC] [TIFF OMITTED] T2628.014
    
    Mr. Walden. Mr. Connor, thank you. Excellent testimony. I 
think we are going to have to recess so we can all go deal with 
our own campaign accounts, and we will be back in about an 
hour. We really appreciate it, and we look forward to getting 
into questions with you and exploring it further.
    We are now going to go to Mr. Robert Dix, who is Vice 
President of Government Affairs and Critical Infrastructure 
Protection for Juniper Networks, which I believe is from your 
district.
    Mr. Dix. Proudly.
    Mr. Walden. We are delighted to have you here. Thanks for 
coming the distance to share your wisdom with us, and please 
proceed.

                   STATEMENT OF ROBERT B. DIX

    Mr. Dix. Thank you, Chairman Walden, Ranking Member Eshoo 
and members of the subcommittee. Good morning. Thank you very 
much for inviting me to testify about cybersecurity.
    Juniper Networks is a publicly held private corporation, 
hardware and software manufacturer, headquartered in Sunnyvale, 
California, with offices and operations around the world. 
Information technology and communications networks are embedded 
in all manner of the Nation's critical infrastructure including 
power plants and the electrical grid, water filtration systems, 
financial systems and transportation networks, just to name a 
few.
    While sectorwide risk assessments conducted or being 
conducted in the IT and communications sectors validate that 
networks are resilient, it is important to acknowledge that the 
risk continues to grow and change and our efforts to protect 
and prevent must be sustained and agile. In recognition of this 
reality, the private sector is working every day to protect 
against cyber threats through self-driven research and 
innovation, industry collaboration, and partnerships with 
government.
    Let me share just a few examples. In 2007, a group of 
private sector companies came together to address the issue of 
software assurance and improving the development process 
integrity of software and hardware products. SAFECode, the 
Software Assurance Forum for Excellence in Code, is a group of 
companies and subject-matter experts that has set aside their 
competitive interest to gather and share industry best 
practices through a series of written deliverables that are 
available not just to the participating companies but to the 
industry at large.
    Additionally, in 2008, a group of private sector companies 
came together to address the need for collaborative, global 
incident response by forming ICASI, the Internet Consortium for 
Advancement of Security on the Internet. Once again, the 
participating companies who compete vigorously in the 
marketplace routinely share information in an effort to 
mitigate anomalous and abnormal network activity globally 
because the cause is greater than any one company.
    Across the 18 critical infrastructure sectors, we have 
organizations such as ISACs, Information Sharing and Analysis 
Centers, since 1988 working on the operational issues. 
Additionally, we have sector coordinating councils that were 
derived as a result of the National Infrastructure Protection 
Plan in 2006.
    The Partnership for Critical Infrastructure Security is the 
cross-sector coordinating council representing all 18 critical 
infrastructure sectors and working with the Federal Senior 
Leadership Council under the NIPP partnership framework to 
advance the mission of critical infrastructure protection and 
cybersecurity. In fact, we are currently working with the 
administration on the implementation around Presidential Policy 
Directive #8 for national preparedness and the review and 
update of HSPD-7 regarding an all-hazards approach to critical 
infrastructure protection and cybersecurity.
    Mr. Chairman, the number of users connecting to the 
Internet and other networks will continue to grow. Global 
Internet traffic is increasing at a rate of 40 to 50 percent a 
year and is expected to grow to 4 billion users in 2013. The 
explosion in the use of smartphones and tablets and the advent 
and growth in the use of social media is rapidly changing the 
workplace and how we communicate--example, an average of 10,000 
tweets per second the last 3 minutes on the Super Bowl on 
Sunday evening--while introducing cyber risks in a way that few 
of us could have imagined only a short time ago. This is the 
essence of technology. It enables us to do what we never could 
have imagined, and that includes those with nefarious motives. 
The convenience of the technology has changed banking, 
purchasing, and sharing of personal financial information.
    So it is only reasonable to expect that the conversation 
about cybersecurity must include a discussion about economics 
but there are two sides to this coin. If we focus only on 
technology and technology development, we are likely to miss 
the opportunity to examine the challenges and impediments to 
technology and solution adoption. The market is delivering 
innovation at an unprecedented pace in history. However, the 
evidence would suggest that adoption of available solutions has 
not kept pace and should be a topic of further examination and 
discussion. Many low-cost and no-cost solutions are available 
to improve any users' protection profile. Accordingly, there 
are many things we can do together. It is reported by reliable 
sources that some 80 percent of the exploited vulnerabilities 
are the result of poor or no cyber hygiene. For me, this is 
basic blocking and tackling. If we can raise the bar of 
protection, it makes it more difficult and more costly for the 
bad guys to do harm.
    When our Nation was confronted a couple of years ago with 
the threat of the H1N1 virus, we mobilized as a Nation to warn 
and advise folks how to protect themselves from the risks of 
infection. We have the opportunity to use that same model for a 
sustained awareness program to help educate citizens, small 
business, students, nonprofits, and other stakeholders how to 
protect themselves from the risks of malware, phishing, and 
other forms of infection in cyberspace.
    Chairman Walden, Ranking Member Eshoo and members of the 
subcommittee, we must move beyond just thinking about the 
challenges of today to thinking about the risk profile of 
tomorrow. Today's cyber attacks are more complex and often 
difficult to detect and can target classes of users, even 
specific users, gaining access to valuable data and causing 
significant harm. With a commitment to working together in a 
collaborative manner, the United States will lead the effort to 
the protection, preparedness, and resilience of critical 
infrastructure and cybersecurity.
    On behalf of my colleagues across the industry and the 
proud employees of Juniper Networks, I thank you again for the 
opportunity to testify before you this morning. The threat is 
real, the vulnerabilities are extensive, and the time for 
action is now. The American people are counting on us to get 
this right and the private sector looks forward to continuing 
the collaborative relationship between Congress, the 
administration, and private industry on this important issue. 
Thank you.
    [The prepared statement of Mr. Dix follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.015
    
    [GRAPHIC] [TIFF OMITTED] T2628.016
    
    [GRAPHIC] [TIFF OMITTED] T2628.017
    
    [GRAPHIC] [TIFF OMITTED] T2628.018
    
    [GRAPHIC] [TIFF OMITTED] T2628.019
    
    [GRAPHIC] [TIFF OMITTED] T2628.020
    
    [GRAPHIC] [TIFF OMITTED] T2628.021
    
    [GRAPHIC] [TIFF OMITTED] T2628.022
    
    [GRAPHIC] [TIFF OMITTED] T2628.023
    
    [GRAPHIC] [TIFF OMITTED] T2628.024
    
    [GRAPHIC] [TIFF OMITTED] T2628.025
    
    [GRAPHIC] [TIFF OMITTED] T2628.026
    
    [GRAPHIC] [TIFF OMITTED] T2628.027
    
    Mr. Walden. Mr. Dix, thank you very much for sharing those 
comments with us.
    We now go to Dr. James A. Lewis, Director and Senior 
Fellow, Technology and Public Policy Programs, Center for 
Strategic and International Studies. Dr. Lewis, thank you for 
being with us. We look forward to your testimony as well.

                  STATEMENT OF JAMES A. LEWIS

    Mr. Lewis. Thank you, Mr. Chairman, and I would like to 
thank the committee for this opportunity to testify.
    One thing that military and intelligence experts would 
agree on is that the cybersecurity problem is getting worse, 
not better. There is straightforward evidence that what we are 
doing now isn't working. Most of these experts also believe 
that we will not change our laws and policies until there is a 
crisis. I hope they are wrong.
    We all recognize the growing dependence of our economy on 
cyberspace and the risk this creates. Director of National 
Intelligence Clapper testified last week about how Iran, which 
is eagerly developing cyber attack capabilities, is losing its 
reluctance to attack the American homeland. FBI Director 
Mueller testified, as you heard, that the threat we face now 
comes from terrorism but in a few years the bigger threat will 
come from cyber attack.
    The ability to launch damaging attacks is spreading from a 
few advanced nations to many countries and many hostile groups. 
There is disagreement among when hackers will disrupt critical 
services in the United States, but most estimates put it at 
sometime in the next couple of years. Cyber crime and espionage 
are rampant now, costing American jobs and damaging American 
economic competitiveness and national security.
    This morning, I was trying to think of what I could say 
that would be a little different, and I remembered that I 
attended, as a back bencher for the Director of Central 
Intelligence, some of the first meetings in the Clinton 
administration on commercializing the Internet. Back then, we 
thought that it would be used for e-commerce, that it would be 
eBay and Amazon. We didn't expect a global network that would 
become the premier vehicle for espionage and a potential avenue 
for attack. We thought that if we made tools and information 
available, if we freed up encryption, companies and people 
would voluntarily secure the networks. I am a little 
embarrassed sometimes when I see a paper I wrote for the White 
House in 1996 that said that because I was wrong. We made the 
same mistakes in our approach to critical infrastructure 
protection.
    There were three big errors. The incentives for 
cybersecurity vary from company to company and sector to 
sector, and usually they are insufficient. There are legal 
obstacles that limit the ability of governments and companies 
to cooperate and to share information. And in any case, we need 
a coordinated defense, not a grab bag of individual actions. 
Finally, we did not expect to face world-class opponents, as 
you heard from some of the earlier testimony, even midrange 
opponents with access to world-class tools. We overestimated 
incentives and underestimated threats and legal obstacles, and 
I would like to point out that Congressman Rogers' bill would 
be very useful if we could get it passed in removing some of 
the legal obstacles that hamper our ability to provide an 
adequate cyber defense. A serious defense requires coordination 
and mandatory action. The big telecom companies are pretty good 
at securing themselves and don't need more regulation but the 
other sectors are in bad shape. Some people say regulation is 
burdensome, but if we do not hold critical infrastructure to 
mandatory standards, we guarantee a successful attack. Nor does 
regulation damage innovation. An unregulated Internet is not a 
substitute for a business-friendly environment that innovation 
really needs.
    Partnership and cooperation must become more than an 
exchange of slogans. Australia has a good model, we heard about 
that, where the government encouraged Internet service 
providers to develop a code of conduct to deal with malware. 
That appears to be working. We are considering in the United 
States similar options.
    Finding ways to expand the use of DNSSEC. DNSSEC is a good 
story. This is a fundamental rule set, the addressing framework 
for the Internet. We identified problems with it 20 years ago. 
We identified fixes for it 12 years ago. We have not 
implemented these fixes. This is one where finding some new 
approach to get people to move faster would be really crucial. 
The Defense Industrial-Based Initiative, which shares 
classified threat information, is another good example of how 
to do real cooperation.
    There are many opportunities to improve cybersecurity, but 
taking advantage of them will require a new approach. I think 
one thing I can say is everyone wants to make things better. We 
all realize the scope of the problem, and everyone wants to do 
stuff. Hearings like this provide an opportunity to find that 
new approach that will truly serve national security.
    I thank the committee for the opportunity and look forward 
to your questions.
    [The prepared statement of Mr. Lewis follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.028
    
    [GRAPHIC] [TIFF OMITTED] T2628.029
    
    [GRAPHIC] [TIFF OMITTED] T2628.030
    
    [GRAPHIC] [TIFF OMITTED] T2628.031
    
    [GRAPHIC] [TIFF OMITTED] T2628.032
    
    [GRAPHIC] [TIFF OMITTED] T2628.033
    
    [GRAPHIC] [TIFF OMITTED] T2628.034
    
    Mr. Walden. Dr. Lewis, thank you. We appreciate your 
testimony, and we will have a few questions for you, especially 
on the Australia model.
    We are going to go now to Mr. Larry Clinton, President and 
Chief Executive Officer of Internet Security Alliance. Mr. 
Clinton, thank you for being here today. We look forward to 
your comments.

                   STATEMENT OF LARRY CLINTON

    Mr. Clinton. Good morning, Mr. Chairman, members of the 
committee.
    There has been a dramatic change in the cyber threat 
picture in the last 18 to 24 months. Our main concern is not 
hackers or kids in basements. The fact that a cyber system has 
been breached is no longer the metric which determines whether 
or not an attack has been successful. Cyber attacks have grown 
increasingly sophisticated using what is commonly referred to 
now as the advanced persistent threat, or the APT. APT 
attackers are pros. They are highly organized, well-funded, 
often state-supported, expert attacks who use coordinated sets 
of attacking methods both technical and personal. Perhaps most 
indicative of these attacks is if they target a system, they 
will almost invariably compromise or breach it. Unfortunately, 
conventional information security defenses don't work against 
the APT. Attackers are successfully evading all antivirus 
intrusion and traditional best practices, remaining inside the 
target's network while the target believes they have been 
eradicated.
    This doesn't mean that we have no defense. It means that we 
need to modernize our notion of what constitutes cyber defense. 
Traditional approaches including Federal regulation will not 
solve the problem because they are going to be largely reactive 
and will not stay ahead of the changing threat nature. Worse, 
bad regulation could be counterproductive, leading companies to 
expend their limited resources on building in-house efforts to 
meet regulatory demands rather than focusing on security.
    The fundamental of stopping the advanced threat is to 
understand our biggest problems are not technological, they are 
economic. Independent research has consistently shown that the 
single biggest barrier to combating the cyber threat is cost. 
President Obama's Cyberspace Policy Review said many technical 
and management solutions that would greatly enhance our 
security already exist in the marketplace but are not being 
used because of cost and complexity. Just last week, Bloomberg 
released an extensive study that found that to reach an 
acceptable, not ideal, acceptable level of security in critical 
infrastructure would require a 91 percent increase in spending.
    The private sector has been extremely responsive to 
combating the cyber threat. Average spending on cybersecurity 
in the telecommunications industry is $67 million a year with 
governance, by the way, including regulatory compliance, being 
the single biggest thought.
    Despite the fact that our critical infrastructure is under 
constant attack, we have never had an instance of serious 
breakdown, mass deaths, evacuations, economic catastrophe, 
similar to what we have seen in the environmental area. This 
success is due in large part to the flexibility generated by 
the current system, which relies on voluntary partnerships 
where an industry understands and can manage the systems best 
and use their intimate knowledge to respond rapidly to emerging 
threats in a fashion they believe can best protect the system 
rather than being driven by a preset government directive. 
Nevertheless, there is a great deal that Congress can do and 
the Commerce Committee can do to improve our cybersecurity 
right now.
    First of all, we need to get the government's house in 
order. The National Academy of Sciences, the GAO, and just last 
week the DOE Inspector General have all documented systemic 
problems in managing government cyberspace. These need to be 
addressed immediately.
    Second, we need to provide the right mix of incentives and 
regulation. For industries where the economies of the industry 
are tied directly to a regulatory format such as electric 
utilities, water, transportation, etc., the current regulatory 
structure can be used to motivate and fund needed cyber 
advancements. For industries where the economics are not 
inherent to a regulatory structure, adding a new regulatory 
structure will impede innovation and investment, making us less 
secure. In these sectors, we need to motivate by providing 
appropriate market incentives to spur greater security and 
investment. An excellent example of this approach is Mr. 
Rogers' bill, which passed the Intelligence Committee a couple 
of weeks ago, which uses liability reforms to stimulate 
additional information sharing. However, liability reform is 
only one of many incentives that need to be unleashed to help 
us secure our cyber networks. Other incentives include better 
use of government procurement, streamlining regulation in 
return for demonstrated security improvements, greater use of 
private insurance, and streamlined permitting and licensing. 
This incentive-based approach was spelled out in some detail in 
the ISA cybersecurity social contract in 2008 and was also 
endorsed by President Obama in the Cyberspace Policy Review in 
2009, the multi-trade Association and Civil Liberties Coalition 
white paper on cybersecurity in 2010, and the House Task Force 
report in 2011.
    A great deal of work needs to be done to fill out how these 
incentive models can be used in the various sectors. In the 
meantime, Congress ought to enact FISMA reform or to do the 
Rogers information sharing bill and should do a good deal to 
better coordinate amongst themselves. Passing that package of 
cybersecurity reforms would be a historic and politically 
achievable goal.
    Ladies and gentlemen of the Commerce Committee, you are 
dealing with the invention of gunpowder. Mandating thicker 
armor is not going to work any more than building deeper moats 
was going to stop the horders and the invaders who invented 
catapults or the Maginot Line was able to stop the Germans in 
World War II. We need a different approach. We need a 
contemporary and creative approach that engages the private 
sector with government, not having the government control what 
the private sector does.
    We really look forward to continuing to work with you.
    [The prepared statement of Mr. Clinton follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.035
    
    [GRAPHIC] [TIFF OMITTED] T2628.036
    
    [GRAPHIC] [TIFF OMITTED] T2628.037
    
    [GRAPHIC] [TIFF OMITTED] T2628.038
    
    [GRAPHIC] [TIFF OMITTED] T2628.039
    
    [GRAPHIC] [TIFF OMITTED] T2628.040
    
    [GRAPHIC] [TIFF OMITTED] T2628.041
    
    [GRAPHIC] [TIFF OMITTED] T2628.042
    
    [GRAPHIC] [TIFF OMITTED] T2628.043
    
    [GRAPHIC] [TIFF OMITTED] T2628.044
    
    [GRAPHIC] [TIFF OMITTED] T2628.045
    
    [GRAPHIC] [TIFF OMITTED] T2628.046
    
    [GRAPHIC] [TIFF OMITTED] T2628.047
    
    [GRAPHIC] [TIFF OMITTED] T2628.048
    
    [GRAPHIC] [TIFF OMITTED] T2628.049
    
    [GRAPHIC] [TIFF OMITTED] T2628.050
    
    [GRAPHIC] [TIFF OMITTED] T2628.051
    
    [GRAPHIC] [TIFF OMITTED] T2628.052
    
    [GRAPHIC] [TIFF OMITTED] T2628.053
    
    [GRAPHIC] [TIFF OMITTED] T2628.054
    
    Mr. Walden. Mr. Clinton, thank you very much for your 
testimony. We appreciate it.
    Our next and final witness today is Phyllis Schneck, who is 
Vice President and Chief Technology Officer of the Global 
Public Sector, McAfee Incorporated. Dr. Schneck, thank you for 
being here today. We look forward to your comments.

                  STATEMENT OF PHYLLIS SCHNECK

    Ms. Schneck. Good morning, Chairman Walden and Ranking 
Member Eshoo and other members of the subcommittee. Thank you 
very much for the opportunity to be here this morning, and 
thank you for your interest in cybersecurity as it applies to 
the telecom sector.
    My testimony will focus this morning on four areas: the 
threat landscape, the communications sector's unique role in 
cybersecurity, private sector technologies and policy 
recommendations to enable greater cross-sector cyber 
resilience.
    First, just a bit of background. My technical background is 
high-performance computing and cryptography. I was raised in 
this back to the days of the radio tower. My father was one of 
the first in supercomputing in this country and taught me to 
write code. I know how to exploit code, but I was taught the 
responsibility of that and the responsibility of the computing 
power that we have and I am confused on and passionate about 
protecting that and protecting good science. I am also focused 
on partnership. Outside of McAfee as a volunteer, I ran the 
private sector side of the FBI's InfraGard program, about which 
Director Mueller testified several times. I ran that for 8 
years and grew that program from 2,000 subject-matter experts 
across the critical infrastructure sectors to 33,000, and today 
chair the national board of directors for the National Cyber 
Forensics and Training Alliance, which brings together the top 
fraud analysts from the banking sector, telecom, 
pharmaceuticals, and others with the FBI under the same roof 
and other organizations and governments, do analytics that 
helped to arrest 400 cyber criminals worldwide in the past 2 
years.
    A little bit about McAfee. We are based in Santa Clara. We 
are the world's largest dedicated security company. We protect 
business, governments and consumers all over the world from the 
full spectrum of cybersecurity attacks. We are a trusted 
partner and adviser on cybersecurity throughout the world, and 
as a wholly owned subsidiary of the Intel Corporation enjoy 
driving that innovation that goes directly to the hardware. The 
buck stops at the hardware, so the adversaries can get in in 
several different ways, but when a piece of hardware knows not 
to execute a malicious instruction, that is when we have the 
enemy.
    As you have heard this morning, the cyber threat landscape 
has evolved. Obviously it is not a dorm-room activity anymore. 
It is more a mass espionage. There are two kinds of companies 
and agencies across the world, public sector and private, those 
who know they are owned and those who don't. We are looking at 
the mass movement of money markets and jobs between countries 
and companies and we are looking at the threat of destruction 
should they desire. This enemy is faster and smarter than we 
are at times. They are certainly faster. They have no 
intellectual property boundaries, no legal boundaries, no 
policy boundaries, and in many cases, they have plenty of 
money. They have absolutely no obstacles to execute on our 
infrastructure.
    Which leads us to the role of the Internet service 
providers. In the days when I sent my first packets between my 
sister's room and mine, there was nothing in that route except 
one address on the other. Now we have an unknown set of routes 
but we have an ability and a great infrastructure run by the 
ISPs that deliver our traffic and that of the adversary very 
reliably. So the enemy has now used our great cyber 
infrastructures that we built as the good guys over the world 
as a mass executive transport system for malware. They haul 
packets at high speed. They do a great job. They are fairly 
secure, as was mentioned earlier, but the current Internet 
architecture allows everything to get delivered to the grid, to 
the banks, to the rest of the critical infrastructure.
    ISPs can play a key role in better cybersecurity. They are 
already doing some of this but they have some challenges. One 
thing they can do is help detect this traffic in the network 
fabric and use some global threat intelligence to do that, and 
I will explain that in just a moment, but imagine if our 
network fabric was smart enough not to route the traffic of an 
adversary and only to route good traffic. Secondly, demand more 
secure technologies and equipment from the market. Demand that 
those technologies are armed with proactive technologies and 
not let a malicious instruction run. And third, ISPs can't 
carry the burden alone. As was said earlier, it is up to every 
system to be hardened, up to every company and user to harden 
their enterprise, and good cyber hygiene plays a role in that.
    What are the challenges that the ISPs face today? Just to 
name a couple, you have things such as Stored Communications 
Act of 1986, a little while ago. That was before I sent my 
first packet. It prevents sharing information outside of the 
telecoms, so imagine the difficulty in enabling the global 
threat picture that the enemies use. We can't make that rule 
because legally we can't combine our information together. 
Secondly, it costs a lot of money. Clean bandwidth costs money 
and users aren't willing to pay that difference, so we need 
some help leading to some policy recommendations and some 
proactive technologies.
    First and foremost, we can put threat intelligence together 
and map a global cyber radar map of where the enemy is at any 
time. At McAfee, across 160 million endpoints, we see a risk 
profile in every IP address on the Internet. Other companies do 
this. Telecoms do this. Governments can do this if we can share 
that information together and make a global threat picture and 
prevent those malicious instructions from running, whether it 
is application listing or working with the hardware, keep the 
enemy out.
    So for the policy recommendations, we support the 
recommendations in Representative Thornberry's work, certainly 
with information sharing, insurance reforms and tax credits, 
and certainly in the bill of Representative Rogers and 
Representative Ruppersberger enabling the government to finally 
facilitate the good information sharing, to put that 
information together to not only provide liability protections, 
protections for privacy and for civil liberties, but to balance 
out the advantage that the adversaries had over us until now. 
Let the government facilitate that collaboration so we can 
build that global threat picture, feed it back into the network 
fabric, and have it grow as a living, breathing system to feed 
us the information in return. ISPs play a central role in the 
global digital infrastructure. They can help us. We can help 
them. We have to work on this legal and policy framework for 
global information sharing.
    Thank you very much for requesting McAfee's views on these 
issues. I look forward to answering any questions.
    [The prepared statement of Ms. Schneck follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.055
    
    [GRAPHIC] [TIFF OMITTED] T2628.056
    
    [GRAPHIC] [TIFF OMITTED] T2628.057
    
    [GRAPHIC] [TIFF OMITTED] T2628.058
    
    [GRAPHIC] [TIFF OMITTED] T2628.059
    
    [GRAPHIC] [TIFF OMITTED] T2628.060
    
    [GRAPHIC] [TIFF OMITTED] T2628.061
    
    [GRAPHIC] [TIFF OMITTED] T2628.062
    
    [GRAPHIC] [TIFF OMITTED] T2628.063
    
    [GRAPHIC] [TIFF OMITTED] T2628.064
    
    [GRAPHIC] [TIFF OMITTED] T2628.065
    
    Mr. Walden. Very impressive testimony. Thank you. Thanks 
for all the work you do to try to keep us secure.
    We will now go into our question phase, and I wonder, Mr. 
Clinton, you talked about incentives and were fairly specific. 
Can you dive down a little deeper in terms of what that means 
in terms of more specifics on the incentives that would make a 
difference here?
    Mr. Clinton. Certainly, sir. Thank you. We are supportive 
of the approach that was articulated in the House Task Force 
report which suggests that a menu of incentives needs to be 
developed because different industries are responsive to 
different things. The defense industrial base may be attracted 
by a procurement incentive, the banking industry maybe by an 
insurance incentive, the utilities perhaps by getting rid some 
of the outdated regulation that is based in an analog form 
rather than digitalized. So you need to have a set of 
incentives.
    On the other hand, you need to have some agreement as to 
what needs to be incentivized, and for that, what we have 
suggested and is in the multi-trade association paper that I 
spoke of before is that we need to have some independent entity 
which does not create the standards or practices but simply 
evaluates the standards and practices, an underwriters 
laboratory for cybersecurity, if you will, and then 
organizations would choose to elect a higher or lower level of 
adoption based on their business plan and their business plan 
would be improved because they would have access to lower 
liability costs, lower insurance, better chance to get a 
Federal contract, etc. So we are saying that we need a new 
system, not a government mandate system, but a system where 
there are government roles such as providing the incentives and 
there are independent roles, something like this underwriters 
laboratory, and then responsibility for the owners and 
operators.
    Now, in those sectors of the economy where the economics is 
already built into a regulatory model, then you can use that 
regulatory model. You don't need a new regulatory model. You 
can use it. For example, if you are dealing with the utilities, 
they have generally a fairly detailed regulatory structure. The 
problem that they are having is that they get mandates at one 
level and the funding comes at another level so there is going 
to have to be a correlation done on the government side. But 
basically we think you need an independent set of entities 
indicating what needs to be incentivized. That can be done on a 
continuing basis. Government needs to provide the incentives 
and industry needs to implement them.
    Mr. Walden. All right. Very helpful. Thank you.
    Dr. Schneck, so when you and your sister were trading 
packets when you should have been sleeping, obviously, doing 
your homework, turn out the lights, that was when this threat 
was really computer to computer. Now we understand it to be 
bigger than that, broader than that and whole networks that can 
be taken down. So can you describe what those threats look like 
and what should happen there?
    Ms. Schneck. Absolutely. We did that over a 1200-baud modem 
over a phone line.
    Mr. Walden. I remember a 300-baud modem where you put the 
phone in the little coupler.
    Ms. Schneck. Right. So the threat really looks at an 
instruction that executes off the site of memory, not the piece 
of memory in your computer that holds some word-processing 
program but it is where your computer grabs the next 
instruction, what do I do next. At the root of every exploit or 
attack, it is, I am controlling my will on your machine, 
whether I am telling your machine to send out a lot of traffic 
or adjust something that might change the settings on something 
that controls circuit relays on an industrial system. I am 
allowing--my will is being changed on your machine, I am 
executing on your machine. So as was pointed out earlier, you 
can buy these exploits on the Net. You can even unleash botnets 
together in a screen that looks like it came off of Quicken. It 
is a spreadsheet, and you can choose addresses to which to send 
it. You are simply relying on someone else's construction of a 
piece of code, and we see in McAfee labs 66,000 new variants of 
these pieces of code every day called malware that allow my 
will to be instructed on your machine.
    So the idea is, well, it is twofold. One is to catch the IP 
addresses that are spreading it across the Internet and that 
goes to that threat position, sharing that global threat 
picture. I can't forecast the weather without the weather from 
all the different States or countries, and that comes from 
enabling the information sharing, but also the ability to 
detect an instruction that is doing something it shouldn't do. 
Resilience means I can run even if the enemy gets in so the 
enemy will get in. The biological analogy is the disease is in 
your body but it will never hurt you. So we have to let many 
instructions get in because they will and simply be resilient 
to that, and that is the ability to work at the operating 
system level instead of having to judge every instruction, are 
you good or bad, because we have shown that is not effective, 
just know what is good and don't let anything else run. That is 
known as application white listing in the community. And then 
down at the hardware level, understand what an instruction 
should be accessing or shouldn't and just block it, and we can 
do that.
    Mr. Walden. I am glad you are on our side.
    Ms. Schneck. Thank you.
    Mr. Walden. Mr. Conner, you were talking about Zeus merging 
with SpyEye. Some of us wondered maybe that should have gone 
through like an FCC approval process for a merger and it would 
never have happened. All right. Now we will get serious.
    I am going to turn to my friend and colleague from 
California, who brings so much to this discussion and debate, 
Ms. Eshoo, for 5 minutes for questions.
    Ms. Eshoo. Well, I want to thank each one of you for your 
outstanding testimony. I think that this is one of the best 
panels that has been assembled on a given subject matter and it 
is highly instructive.
    I can't help but feel that this is like trying to get socks 
on an octopus, though. I mean, it is massive. And I think that 
we all have a pretty good sense of what the threat is. I don't 
think that we have a clear picture of really what to do with 
it. There are so many agencies. There was a mention of a 1986 
law that I want to hear more about. We have talked about 
public-private partnerships. We know that 95 percent of this is 
in the private sector, 5 percent in the government. Where do we 
begin with this? What are the legal roadblocks as any of you 
see them right now that are holding us back to do what my next 
question would be, what is the new paradigm? And if we have 
very good pieces in place right now, what do we keep, what 
should we get rid of? And to Dr. Schneck, do you agree with 
this notion of Mr. Clinton's of an underwriters lab? That 
sounds very interesting to me.
    So I don't know who wants to begin with what, maybe with 
legal roadblocks that you know of. I think it was Dr. Schneck, 
were you the one that mentioned the 1986 law? I am not familiar 
with that and what it is blocking.
    Ms. Schneck. So I am not a lawyer.
    Ms. Eshoo. Neither am I.
    Ms. Schneck. But the overall premise and the reason I 
mentioned that is because the adversary has the ability to act 
on us very quickly because they have no roadblocks. We have the 
ultimate weapon, and that is, we own the infrastructure that 
works at the speed of light, and if we can put the instructions 
together and the intelligence together to work as your body 
does, it attacks a virus that comes in because it knows it 
doesn't belong there, it doesn't need to have a meeting to do 
so. We need the Internet to work the same way so the routers 
and the machines that route our traffic, they need to 
understand that something is bad, and to do that, we have to 
replace the chemical and biology with the intelligence from 
data and that means getting data from all sides of the equation 
that we control from the private sector. We have to be able to 
combine that with data in the government sector, not even in 
the classified realm. That would help, but this is all un-
class. And then some of those laws actually prevent the ISPs 
from combining that data together. I don't have the answer 
legally on how to make that work while also preserving the 
civil liberties and privacy, which are crucial. But we have to 
find a way to put together at the indicator level this address, 
this location could hurt you and make that accessible to a 
router at several hundred gigabits per second.
    Ms. Eshoo. Now, what you just described, would that fit in 
with Mr. Clinton's idea of an underwriters lab, or not?
    Ms. Schneck. I think it is different.
    Ms. Eshoo. It is different. OK. Did anyone ever tell you 
that you look like David Gergen? I was looking at you and I 
thought, I know he reminds me of someone.
    Mr. Clinton. Well, I am pretty flattered. I hear David is 
upset when the comparison is made.
    I agree with Phyllis. I think that it is a--we are talking 
about kind of different things. First of all, with respect to 
the legal issues, after he got elected, President Obama 
appointed Melissa Hathaway to do a 60-day cyber review on the 
National Security Council staff and the largest portion of that 
is appendix A, which is a thick document going through all of 
the legal barriers that need to be reviewed, so that is a place 
to start.
    Essentially what we have here is, we have a whole bunch of 
laws that were written for an analog world and we are now in a 
digital world. I mean, we have still laws on the books dealing 
with how you manage your videotapes. I haven't had a videotape 
in quite a while. So there is a lot that can be done to work 
out that legal underbrush and modernize things. We have 
suggested some of those things are regulatory and could be 
offered as incentives, you know, to get away from some of these 
burdens. Some of them, for example, are duplicative auditing 
requirements. We are all for auditing but we should have one 
unified cybersecurity audit and you pass that audit and you 
don't have to do the rest of the audits but there are multiple 
State, local, Federal, different agencies that are involved in 
this, so organizations are spending a lot of their time and 
money doing redundant things. We should strip away a whole 
bunch of those sorts of things.
    The last thing on where you start, I would strongly suggest 
that Congress start by cleaning up the Federal Government's 
roles and responsibilities. That is a much more limited system. 
You can make a lot of progress really quickly while we are 
continuing to work with a public-private partnership model that 
we currently have.
    Ms. Eshoo. Thank you. I am out of time.
    Mr. Walden. I will yield to the gentleman from Nebraska, 
Mr. Terry. Before I do so, it strikes me, we ought to get this 
appendix A and maybe have a task force of this subcommittee 
that really gets into the weeds and that more deeply, and we 
have got people who have great experience here.
    Mr. Terry. So where do we start, Mr. Clinton?
    Mr. Clinton. Well, as I said, I would start first of all at 
the Federal level. We need to straighten out roles and 
responsibilities of the Federal Government and between 
governments at the Federal, local and State levels. So, for 
example, I mentioned the problem that we have in the utility 
sector where we have mandates that exist at one level, the 
funding comes at another level, and what we have to do is 
realize that solving some of the cybersecurity problem is going 
to cost us some money. Unfortunately, when you have State 
public utility commissioners, they are resistant to increasing 
the rate base, and this is understandable, but we have to find 
some way to get a pass-through on some of these things.
    So I think a good review and scrubbing of the governmental 
issues is one place to start. Simultaneously, we have a lot of 
activity already going through the public-private partnership 
that can use a number of these things. Mr. Rogers' bill is a 
good example. And then I think we need a really concentrated 
effort on working on these other incentive programs, exactly 
what do we need to do with the insurance industry to get them 
to be bigger players, exactly what----
    Mr. Terry. In what way?
    Mr. Clinton. Well, you know, private insurance is one of 
the most effective pro-social motivators we have. People drive 
better, they give up smoking, et cetera.
    Mr. Terry. So cyber insurance?
    Mr. Clinton. Cyber insurance, sure, so that if there is--
the problem that we have in insurance, there is a couple of 
problems. One of the problems is, we don't have enough 
actuarial data because the data is being held.
    Mr. Terry. Doesn't Google have all of that?
    Mr. Clinton. Pardon me?
    Mr. Terry. I am sorry.
    Mr. Clinton. A lot of the insurance guys would like----
    Mr. Terry. You guys were good at humor. I tried it.
    Mr. Clinton. A lot of the insurance guys would like to 
share data but this runs into antitrust problems, OK, because 
to be sharing data for rates, but actually if we could get them 
to share that, perhaps in a public-private partnership, we 
would get a more realistic view of what the threat is. Right 
now they set everything at maximum, but if we share data, we 
could get a more realistic view of what the threat is. We think 
this would bring down insurance rates. When you bring down 
insurance rates, more people will buy the insurance. When more 
people are buying the insurance, more insurance companies will 
get in, and we get a virtuous cycle going on and we can use 
insurance to motivate better cybersecurity investment.
    Mr. Terry. All right. Mr. Dix, one question for you, and 
you can add on wherever you want, but you mentioned that, you 
know, for everyday users, small businesses, it is a just a 
matter of cyber hygiene, so I say, OK, you pull out your soap 
and you wash. What does that really mean and what can you do? 
What can we do as small business people or whatever?
    Mr. Dix. So again, as I mentioned, I think we need a 
comprehensive and sustained national education and awareness 
campaign that tells the user constituencies how better to 
protect themselves from the infection in cyberspace. Leveraging 
the resources of the Federal Government such as the Small 
Business Administration, the Internal Revenue Service, the U.S. 
Postal Service, and other agencies that interact with citizens 
and businesses every day would be a place to help message that, 
creating and leveraging a model like we did with H1N1 where we 
have a sustained plan of public service announcements that 
drive people to a place where they can get information. It 
might even be nice if every Member of Congress had a link on 
their constituent Web page that directed folks to the National 
Cybersecurity Alliance or the Internet Security Alliance as a 
place to learn basic best practices, low-cost or no-cost things 
that they can do to protect themselves.
    If I might add, another piece of the fundamental blocking 
and tackling is to ensure an operational capability that 
presents something like a National Weather Service or a CDC 
capability where we have a picture into what is going on in the 
networks at all times in steady states and in points of 
escalation. I raise that because many of us work together 
through the National Security Telecommunications Advisory 
Committee and delivered a report to the President in May of 
2009 that recommended the creation of a joint coordination 
center, a joint public-private integrated 24/7 operational 
capability to improve detection, prevention and mitigation. We 
have got to get in front of this. Most of our time now is spent 
in response and recovery. Part of the problem we ran into, 
legal barriers. Once we got into trying to integrate, we 
developed a model in the private sector. Once we began to try 
and integrate that capability with the government, the lawyers 
told us they couldn't talk because they couldn't share this 
information. Hopefully Representative Rogers' bill will help 
break down some of those barriers, but we should have an 
operational capability that has a picture as to what is going 
on in the network at all times and we have those kinds of data 
feeds available. Organizing them and having a National Weather 
Service or CDC type of capability is long overdue.
    Mr. Terry. Thank you.
    Mr. Walden. The gentleman's time has expired.
    I believe Mr. Waxman is next for 5 minutes for questions.
    Mr. Waxman. Thank you very much, Mr. Chairman.
    Dr. Schneck, and anybody else who wants to respond to this 
question, what special considerations do the growing use of 
smartphones and tablets present?
    Ms. Schneck. Thank you. There are several. Smartphones and 
tablets are just small computers. They have the exact same 
vulnerabilities that all the other machines have that you are 
used to, and they have tens of thousands times of memory in 
them that the guidance systems do that took our first Apollo 
rockets to the moon. So when you think about the power that is 
in your hands, you now have the ability twofold. One is that it 
enables the enemy to, if it is not secured appropriately, it 
enables an adversary to use it as a platform to get into your 
enterprise network. In the interest of time, I am going to 
simplify this a lot, but people are wanting to use the home 
device at work, and what happens is, once the adversaries 
discover they can use that unprotected home device that happily 
houses Angry Birds and launch an attack into the enterprise 
network because companies are letting folks use the small 
devices.
    So there are technologies to lock that down. We do a lot of 
that. We manage that worldwide. But you are looking at a 
massive explosion of small devices. The lady mentioned the 
cloud. These devices leverage the cloud because they don't have 
as much processing power as the big machine. So most of your 
processing is done in the cloud. You have to pay extra 
attention to the security on that motion data at rest and 
shared resources where your data are when they are not on the 
phone. Your personal information most likely is all over that 
phone, pictures of your friends and family, locations. If you 
lose it, you want to make sure you have a remote capability to 
destroy that. It is a wonderful device, but it has access to, 
again, all the critical infrastructure. If you are working on 
one and it is talking to your network, it has access now to 
your personal information.
    So I think it brings a wonderful new--I spoke about this at 
the consumer electronics show. It brings a wonderful new sense 
of fun to computing and it also brings new dangers that we 
need, to quote my colleagues here, to get out in front of 
before this is yet another massive vector because mobility is 
multiplying.
    Mr. Lewis. Just real quickly, every once in a while I talk 
to hackers just to see what they are up to, and recently one of 
them told me that the price for a toolkit to hack an iPhone is 
about $200,000 on the black market, and he said for other 
phones it is only $10,000. So, you know, I don't know. What 
this is going to do, though, it is going to force us to pay 
more attention to the service providers, to the big telecos, to 
the ISPs to the cable companies. Responsibility is going to 
shift away from the edge, away from the consumer to the service 
provider.
    You don't patch your cell phone. You know, you don't 
program it. You depend on its computing becoming a service, and 
that will change the contours of security and change the 
requirements for regulation.
    Mr. Conner. With all due respect, I disagree with that. If 
you look at Metcalfe's law and if you look at just what 
happened with Apple and AT&T, the value has shifted. It shifted 
from the carriers to the endpoints, and this is about identity, 
and I will give you a good example. The threat I talked about 
going out of band or using a mobile network and a device is a 
surefire way to stop that kind of transaction today, and it is 
safe and it is protected. It uses digital signature through a 
wireless carrier network and on a mobile device with digital 
signature which is probably why to try to hack the device costs 
a heck of a lot more on an iPhone or iPad than a normal phone. 
And if you use that, the probability on that attack factor, you 
don't break it.
    So I think there are good pieces and I think my personal 
experience, the minute you think you are going to stop all this 
in the network, the ID and IP address is no longer the 
identity. The number one thing people fake is who you are, what 
you are, and the application of who are you, and that is the 
hardest thing to combat in terms of good guys versus bad guys. 
The threat I showed you is not the identity of the person that 
is doing it. He has faked your identity, and no perimeter 
technology, no network can deal with that until they deal with 
the endpoint itself.
    Mr. Lewis. I don't think we are disagreeing, though. I 
think that you are going to see that the authentication 
technologies you are talking about will depend ultimately on 
the service provider.
    Mr. Waxman. Well, let me ask one question, and I know I 
don't have much time, but many of you mentioned in your 
testimony how communications networks are central to most other 
critical infrastructure sectors. How does this then relate to 
the importance of this committee in addressing cybersecurity of 
communications networks? Anybody want to respond to that?
    Mr. Lewis. Well, I think that in the opening remarks, a few 
of you mentioned some of the things that are going on at NTIA 
and FCC that could reduce risk, right, and one of the examples 
we have heard about is of course this measure to get the 
Internet service providers to adopt a voluntary code of conduct 
for dealing with malware. It is a good thing to do. It is sort 
of basic-level stuff. The FCC has an effort to promote the use 
of DNS security, DNSSEC, and this is--not to get too 
complicated, but this is a growing vulnerability. It is 
relatively easy to fix. Other countries have moved faster than 
the United States. It is something that we can probably do on a 
collaborative basis.
    The third thing to look at is some of the responsibilities 
for other activities, other protocols. This is a place where 
you don't want the government creating technology, right. It is 
not for this kind of level of technology. But you do want it 
maybe coordinating a response, and so when you look at FCC, 
when you look at NTIA, the DNSSEC, the ISP efforts, some of the 
other measures, Commerce is doing similar things, this is where 
you can play a big role.
    Mr. Waxman. Thank you, Mr. Chairman.
    Mr. Walden. With the committee's indulgence, we were all 
going to ask you about the Australia model, and then we all 
forgot. Without objection, would you mind addressing the 
Australia model?
    Mr. Lewis. Well, Phyllis talked about this as well. Your 
ISP probably has a pretty good idea of what is going on on your 
computer at home, right, and right now they don't really do 
much about it, and I think Bob talked about this as well. You 
know, there is basic hygiene things that most people don't do. 
Your ISP has fairly good knowledge when you are running 
malware, when you are part of a botnet, not perfect knowledge 
but good knowledge. What actions can they take to stop that? 
And in Australia, Australia is not the only country that does 
this anymore, at one point they thought the attorney general 
will come in and tell the ISPs what to do, because the ISPs 
were not doing anything. This was a failure of incentives, 
right. And there was a tussle, a political tussle. At the end 
of the day, the ISPs--and Australia is a little easier because 
it is a smaller country. They said how about if we come up with 
a voluntary code of conduct that will let us deal with the 
malware threat, and with a little guidance and help and 
involvement from the attorney general and the Australian 
federal police, which is roughly equivalent to some of our 
Federal agencies, they came up with a pretty good system that 
works pretty well.
    This will not deal with the advanced threat but it will 
deal with--you know, quick, name a country in the world that is 
the biggest supplier of botnets used in cyber crime. It is the 
United States, and it is not because we are cyber criminals, it 
is because we are incompetent in our defenses. The Australian 
model changes that. We are number one, hey, great.
    There are some issues, and I will just do them quickly. 
Other countries that do this--Germany. Germans have a lighter 
approach. What happens in Germany is, you get a little popup on 
your screen that says basically we notice you are infected, 
call this number if you want help. Australians and some of the 
other countries that do this say click here and we will clean 
your computer for you. A few other places that don't go public, 
they just intervene without your knowledge. You have a privacy 
issue. You have to be careful about that. One of the things 
that comes up over and over again is, Should we isolate 
infected computers? Should we cut infected users off from the 
Internet. Some companies are beginning to do this. You are 
putting such a burden on me that I am just going to cut you 
off. A big issue. If you look at the places where we have data, 
there is an amazing drop in the rate of infection. So this 
works, and it would be useful if we followed the Australians, 
the Germans, the Japanese, the Turks, any number of countries.
    Mr. Conner. I will give you two other points on Australia 
that are, I think, relevant to this group. Australia is also 
looking at their energy grid, and granted, their energy grid is 
a little different architecture than the United States, more 
like Ireland and others, but in the process that we are working 
with them, they are starting with the infrastructure part and 
the actual production side, the energy creation, one, to lock 
down the authentication of the systems within the creation of 
the power and starting there, and then going to the export of 
that power through the grid as it extends through the different 
carriers all the way to the endpoint in terms of that. We are 
involved with other companies here in the United States helping 
them do that.
    The other piece is, as they look at health care, they think 
that is a critical area in terms of being able to have health 
care cards, a novel idea when you get to privacy concerns here, 
but as I say, you can't have privacy without security and 
policy.
    Mr. Walden. Thank you, and thanks for the indulgence of the 
committee. I am going to go to--oh, Dr. Schneck. I am sorry. Go 
ahead.
    Ms. Schneck. One point, if that is OK.
    Mr. Walden. Yes, sure.
    Ms. Schneck. So I think that the example in Australia is a 
beautiful example of this need for information sharing. I would 
challenge the wording a little bit from Dr. Lewis, and I don't 
think he meant it this way, but the ISPs don't know what is 
going on in your computer. They are not watching your banking. 
They are not watching you work. They see because they own that 
block of addresses. They see the behavior from that block of 
addresses as a footprint as it tries to send traffic, which the 
ISPs are able to track to protect you from malware. They see 
that footprint, just like McAfee sees it, reflect on things 
they own, and from that they can see where traffic has come in, 
for example, a ridiculously large volume in a short period of 
time from a certain set of machines and they can look at those 
machines and say these are infected with certain code, and they 
can then, in the Australian model, let you know, and so the 
question becomes, how do they let you know. I think it is a 
great example of the use of that intelligence picture. It shows 
how with Representative Rogers' work, we could actually get a 
larger intelligence picture. That is what makes for the humans 
that the pretty weather map picture that Mr. Dix recommends. 
But also, you have the ability now to look at who is infected 
where and start looking at these incentives. How do we 
incentivize the general public to do this hygiene? Most people 
with a computer don't know what it does all night when they are 
sleeping. If they knew, they would clean it up. It is not that 
hard. So I think this is a really neat exercise on the 
information sharing and the incentives.
    Mr. Walden. I appreciate that, and I appreciate the 
committee's indulgence in just trying to get some more 
information out there.
    Mr. Rogers, thank you.
    Mr. Rogers. Thank you very much. I know we are short on 
time.
    Mr. Conner, are you familiar with the company DigiNotar or 
what used to be the company DigiNotar?
    Mr. Conner. Very much so.
    Mr. Rogers. And signatures and attribution is very, very 
difficult, although I think we are getting better. It is pretty 
difficult. Can you briefly--I think it would be good for the 
committee to hear the story of DigiNotar and how a viable 
company went away in about a month after being hacked and what 
it does, quickly, and what happened and why this is important 
to move forward.
    Mr. Conner. So if you look at the Internet when it was 
created, the little yellow lock, everyone sees the little 
yellow lock on their browser and on their PC and they think 
they are safe. Very few people know what that little yellow 
lock means, and what it is supposed to mean is the 
communication path is secure between you and the Web site that 
you are communicating with and who is on each end of that. The 
problem is in the SSL world, which is kind of the security 
level of that, the identity on each side of that may or may not 
be who it is reported to be. We co-chaired along with Verisign 
a new standard on that extended validation because if you go to 
your Super Bowl last week, you will see people advertising, 
hosting and selling that little yellow lock for $19 for your 
business Web site. The only problem is, the verification of who 
on the end of that is, is pretty lax. And they just look at the 
server and go well, that must be you.
    So the issue was, this one company that provides the little 
yellow lock, in this case, predominantly in the Netherlands, 
was breached, and they were breached from Iran just as many 
other security vendors have been breached. We get a target 
every day from country states, our little 350-person company 
with no help to the U.S. government, thank you very much, to 
defend that. Well, this little company got attacked just like 
Comodo did, just like others did, and they breached that little 
yellow lock that said who they were and they began to take down 
the government security because that government used the little 
yellow lock for all its online capabilities, and the people in 
Iran, guess what, used that little yellow lock to say they were 
Google and other people. So anyone in Iran that was Googling 
content in that country was able to give up to the Iranian 
government whatever they were looking at, whatever they were 
doing, and one government was basically shut down for at least 
60 days, and unfortunately, to those of us in the security 
world, we found out about it through the browser forum and 
actually Entrust was a partner to that group, and it ended our 
relationship with them prior to that, and even we weren't 
notified. So that talks about to your question of the legal 
framework of what is going on here and the disclosure 
requirements.
    Mr. Rogers. Thank you. And I just think that was a great 
example of a nation-state using its intelligence services to 
co-opt something like that. And by the way, DigiNotar is no 
longer a company, so if you want----
    Mr. Conner. Yes, it is out of business.
    Mr. Rogers [continuing]. To talk about the cost, there is a 
hack that took this company and is now out of business, so----
    Mr. Conner. Well, be careful. It was a subsidiary of a 
public business that still exists that acts like it didn't 
happen.
    Mr. Rogers. But the contracts that it has in the 
Netherlands no longer exist?
    Mr. Conner. No, that is correct.
    Mr. Rogers. OK.
    Mr. Conner. That is exactly correct.
    Mr. Rogers. It is an American company that actually owned 
it?
    Mr. Conner. That is right. And I think the point that you 
are on, Congressman, is an important one. There are ways--we 
have been attempted to be hacked by the same group. We have 
watched them try that over the last 12 months. Two of the 
people that own the yellow locks in the United States and 
abroad have been taken down relative to Iran being able to 
break in and impersonate those pieces. So it is happening every 
day.
    Mr. Rogers. I thought it was important for the committee to 
hear that particular case because it shows how sophisticated 
and how dangerous it can be if somebody has a nefarious purpose 
other than criminal. Criminal is bad enough. This was other 
than criminal. And I see my time is almost up so I am going to 
ask two questions and close up.
    Mr. Lewis, I would like you to talk about, we have been 
through a long time. It has been very difficult to get to a 
place where we have a very narrow focus on how to move to the 
next step. Just talk about the challenges of why we think it 
has been difficult to even get a very narrow change in the law.
    And lastly, Dr. Schneck and maybe Mr. Dix can talk about 
this, you talked about hardware. There is much concern about 
hardware entering our system that may be malicious and very 
difficult for us to understand exactly what that hardware is 
doing in our systems, and I am hoping you can talk about that 
and what we might be able to do from a regulatory and/or 
cautionary position on behalf of the United States Government 
to make sure that those type of hardware systems don't enter 
our system and some of our hardware systems are not exposed 
when they leave this country to manipulation by foreign nation-
states.
    Mr. Lewis. Thank you, because those are hard questions. 
They are great questions but I am glad Phyllis got one of them. 
So, you know, the neutral answer is to say when you look at a 
new technology, it usually takes the United States somewhere 
between 20 and 50 years to figure out to get it in order. So 
you look at airplanes, steamboats, railroads, electricity, 
cars. We are in year 18 for the Internet. So we are not doing 
too bad, I guess. I mean, we have a couple years to sort this 
out.
    A little more pointed answer: We have so many old ideas. 
They have not gone away. If it was in PDD-63, which was the 
Clinton administration policy, and we are still trying it, it 
doesn't work. Give it up. And the second thing is, as you have 
heard, we have old laws that are real obstacles. You of course 
are trying to fix this but if it is the Electronic 
Communication Privacy Act designed for dial telephones, you 
have serious issues here. You have business issues, you have 
privacy issues. So it is a hard problem and it will take time 
to work out, but the prevalence of the old thinking and the 
difficult legal environment we have has really slowed us down 
and put us at risk.
    Mr. Rogers. Mr. Dix or Dr. Schneck?
    Mr. Dix. First of all, I would like the record to reflect 
that Mr. Lewis and I agree on that last point. Thank you. First 
of all, let me just touch on the hardware issue because the 
whole supply chain risk management issue, you know, it is 
interesting to me, the last count, there is 155 different 
supply chain risk management initiatives in the government 
today. We need to coordinate those issues. And quite frankly, 
organizations like ours, we invest heavily in what we call our 
brand integrity program because our reputation is how we grow 
our business. So we invest from concept to delivery in our 
products, in our hardware and software products.
    To make this short, one of the things that I think that 
this body could help with, as we sit here today and we deal 
with this supply chain risk management problem, the Federal 
Government still continues to buy from untrusted sources. There 
is a cultural cost to government of cost and schedule across 
the departments and agencies where in order to save 5 cents on 
a widget, we are buying from low cost, low bid. As a result of 
that, we end up in the gray market and then we wonder why we 
have counterfeit or malicious products in our government supply 
chain. We should be buying from trusted sources. If there is 
some reason why we are not going to buy from trusted sources, 
there should be a justification, it should be public, and the 
liability from that should accrue to whoever the acquirer is.
    Mr. Rogers. Dr. Schneck, can you just comment on that as 
well?
    Ms. Schneck. I do agree. I will also add that we look at 
supply chain again as an issue of your product integrity. We do 
rigorous testing, both the manufacturing and acquisition. We 
would also believe in leveraging some of the existing standards 
to really focus on a product integrity issue, because what you 
want to know is, did that widget that you bought, is it exactly 
what you think you bought. That is the heart of the issue. So 
it is rigorous testing and expanding some of the existing 
standards.
    Mr. Rogers. Just to clarify for the record, Mr. Chairman, 
so we are at risk if we integrate into the U.S. system non-
trusted sources of product? I want to make sure I am clear on 
that.
    Mr. Dix. I certainly think it increases the risk.
    Mr. Rogers. Thank you.
    Mr. Lewis. I used to do the supply chain stuff when I was 
in the government sort of on both sides of the table, and a 
couple points on that. First, right now it so easy to hack, you 
know, that you have to assume that our Chinese and Russian 
friends are taking the low-cost approach to espionage. Why 
should they not do it? The second one is, it is very hard to 
push this out to a global supply chain. We are not going to be 
able to get out of that. So this is an exceptionally difficult 
issue that will probably force us to think about how we are 
going to work with foreign suppliers. And there is not really a 
choice here. So what I do think will happen--I will just say 
this real quick--right now hacking is so easy, why bother. If 
we ever manage to improve our defenses, they will switch to 
supply chain.
    Mr. Walden. I appreciate that. Here is the problem. I am 5 
minutes over his time and I think members are----
    Mr. Rogers. But this is a Clinton we can all agree with 
right here.
    Mr. Walden. The gentleman's time has long ago expired, and 
I appreciate the patience of the committee members who haven't 
had a chance to ask a question yet, so we will try to get back 
on schedule. Mr. Doyle.
    Mr. Doyle. Thank you, Mr. Chairman. Thank you for putting 
this hearing together, and to the panelists, your testimony and 
your answers to the questions have been very informative.
    I want to follow up on a line of questioning that Mr. 
Waxman had to Dr. Schneck. Dr. Schneck, I know in your 
testimony, McAfee labs predicts an increase in attacks on 
smartphones and mobile devices in the future, and it is my 
understanding, your company had partnered with a research 
facility at Carnegie Mellon University sci lab, which is in 
Pittsburgh, the district I represent, about how businesses and 
employees handle mobile device security, and apparently this 
study showed that most of lost and stolen mobile devices create 
some of the biggest concern for businesses. About 40 percent of 
the organizations surveyed have had lost or stolen devices and 
half of those devices contained business-critical data. 
Further, about 50 percent of mobile users that were studied, we 
found out they store their passwords and their PIN numbers and 
credit card information on their mobile devices, which I am 
completely guilty of. I am going to erase them as soon as this 
hearing is over.
    It seems to me that one way to tackle this is to make sure 
that the devices that employees are using are secure in the 
first place so that if an employee uses them, that the data 
remains secure or you could remove that data from a remote 
source, and to follow up with what Mr. Waxman asked you, to 
your knowledge, could you elaborate on what is being done by 
device manufacturers and app developers to secure their 
products for commercial use?
    Ms. Schneck. So we look at protecting them once they are 
received so from what we have worked with, there are a couple 
of vectors on what they are doing before delivery. You know, 
one is--I will take the application side first. When people 
download an application, they rarely think about is this 
application secure. One of the biggest dangers we see is not 
did I catch a virus, it is did I go and purposely download 
something with a big smiley face on it and a great app that did 
something neat for me, but what it is actually is, it is a 
pretty picture and delivery of malcode. One of those 
instructions will get to be a platform to enter your network 
corporate or to start shipping back your personal information 
for sale in the Russian underground. So that is one risk. And 
the app developers, so some companies are very careful in the 
app markets and only approved or back to the trusted source 
point, the only approved apps are there for sale. Other 
companies are more open about it and it is up to the user to be 
very careful about what you download.
    Mr. Doyle. Mr. Conner, do you have some thoughts on that?
    Mr. Conner. Yes. We work with all of them, so from the 
Android operating system to iOS to the Microsoft, the first 
thing we are working with each of them on is, how do you 
identify the device itself securely and authenticate that back 
to your company, because if you don't know it is connected to 
your company, you have got your first issue and kind of the 
consumerization and the enterprise.
    The second theme becomes, how do you then work with the 
applications that go into that phone, and each one of those 
ecosystems do that differently. Some have sandboxing where they 
then can use our security or others to make sure they know who 
is coming in to put that there. They all three have very 
different testing mechanisms to test those apps in terms of 
that sandbox and how they communicate that back and forth. And 
then the third thing we are working with each of them on is how 
you secure email and content and communication, whether it is 
mobile, no different than we did with laptops and desktops 
before.
    Mr. Doyle. Mr. Dix?
    Mr. Dix. Yes, and good old U.S.-based innovation has 
delivered today. Available in the market today, a capability to 
lock, locate and wipe those devices on demand.
    Mr. Lewis. We are getting close to maybe having a solution 
to authentication. It has been the holy grail for about 20 
years.
    Just a quick story to help put this in perspective. There 
used to be just one government-approved private company in 
North Korea. Do you know what they made? They made mobile phone 
apps. I see a pattern.
    Mr. Doyle. And just another general question for the panel. 
Do you think the FCC has any role to increase mobile device 
security, and what should that be? Mr. Conner?
    Mr. Conner. Absolutely. In fact, you look at the FCC, the 
critical infrastructure there. I mean, I spent 10 years at AT&T 
and another 10 putting electronics and systems into those type 
of companies. It starts with that. I mean, I said you can look 
at the mobile networks as either good or bad. It can stop the 
crime I talked about today if used correctly with technology 
that cannot be broken today. So I think that if you think of 
one governing body trying to own each of these pieces, it is 
folly. I think DOE needs to work with the public partnership 
and private partnership for its domain. I think Commerce and 
Treasury needs to work it, and I think FCC needs to own that 
infrastructure around that ecosystem because to think that the 
attack vectors that the bad guys are taking against us are one 
size fits all is just ludicrous.
    Mr. Doyle. Very good. Mr. Chairman, thank you.
    Mr. Walden. Thank you, Mr. Doyle.
    We will now go, I think Mr. Gingrey is next in order.
    Mr. Gingrey. Mr. Chairman, thank you.
    This question is for the entire panel. Maybe we will start 
with Mr. Conner. Some have argued that before we enter the 
cybersecurity debate, we should heed the Hippocratic oath and 
make sure that in the first place we do no harm. If there were 
one caution that you could offer us before legislating, what 
would that be? Mr. Conner, why don't we start with you?
    Mr. Conner. Well, I think the way I would start as a 
government is the bully pulpit, frankly. I spend a lot of my 
personal time with this team and others, spend a lot of time 
educating, and I think quality is a great example that this 
government got right. They didn't need equality. They just got 
on the bully pulpit and said quality is important. And when I 
think of security, the lexicon was not here. It still isn't 
here the way it was. If someone started quality, saying I am 
going to get to six sigma, they wouldn't know what it meant 
when quality started before the book. You heard cost equality. 
I hear cost of security. We are focused on what cost. Are you 
focused on the total cost of security or just the cost to 
implement something? So I would start with education and your 
bully pulpit.
    The second thing I would start on is the inability of 
businesses to talk to governments or to themselves because of 
antitrust and the patchwork legislation in the States. I am 
tired of it being it a one-way communication street to 
intelligence and nothing in return, and I understand they 
legally can't do it, but as the company that is tasked with 
protecting our government and governments and enterprises and 
citizens, it is pretty folly to me. I can only give you 
information; you cannot give me any.
    Mr. Gingrey. Mr. Conner, thank you.
    We will go to Mr. Dix and move rapidly.
    Mr. Dix. Thank you very much. Two quick things. One is, 
continue to inspire and drive an environment that supports 
innovation and investment, and secondly, be cognizant of the 
fact that the bad guys move fast. We need to have speed, 
nimbleness and agility in our ability to respond. Attempting to 
comply with a compliance model that takes a long time to build 
and implement slows us down and imposes impediments to our 
ability to have speed, nimbleness and agility.
    Mr. Lewis. In 2007, we had an intelligence disaster----
    Mr. Walden. I don't believe your microphone is on.
    Mr. Lewis. In 2007, we had an intelligence disaster in this 
country. The details are still largely classified. In 2008, 
DOD's Supernet was hacked. We were unable to get the opponent 
off for about a week. In 2010, we saw Google and about 80 other 
companies get whacked, lose intellectual property. Most of them 
have not reported it but this will show up in Chinese products 
in about 5 years. Last year we saw Stuxnet, which was the 
ability to destroy physical infrastructure using cyber attack, 
and we have a list at CSIS of major cyber events, mainly 
because I got tired of people asking me when we would have a 
cyber Pearl Harbor. The list is up to 90.
    So I think what we need now is, we need to stop saying do 
no harm. We need to move out. We need to do a coordinated 
defense.
    Mr. Gingrey. Dr. Lewis, so you think we definitely need 
legislation?
    Mr. Lewis. I do, and I think there are things--one thing 
that we can say now that we couldn't have said 5 years ago, we 
now have a pretty good idea of how to do this between the 
experts up here, some of the other places. There are agencies 
that have done a particularly good job. We now have a good idea 
of how to reduce risk and we need to implement that.
    Mr. Gingrey. Mr. Clinton?
    Mr. Clinton. I agree that we do need legislation. The 
question is, what is the legislation that we need. I do 
subscribe to the ``do no harm'' theory. I think the one thing 
that I would tell the committee is to understand that this is 
not a technology issue. It is an enterprise-wide risk 
management issue. The problem we have is that in the 
cybersecurity world, all the incentives favor the bad guys. 
Attacks are cheap. They are easy. They are really profitable. 
It is a terrific business model. Defense is hard. We are 
following the attackers around. It is really hard to show 
return on investment to what you prevent, and criminal 
prosecution is virtually nonexistent. So I would go back to the 
last thing I said before I finished my oral statement: 
Understand that you are dealing with the invention of 
gunpowder. This is an entirely different thing. You can't just 
take 20th century models and plug it in here because you can 
pass legislation that will do harm, that will take away needed 
resources from where they need to be. We need a creative 21st 
century approach, and a lot of what we are seeing in the public 
policy world is not that.
    Mr. Gingrey. Mr. Clinton, thank you.
    In the last 12 seconds, last but not least, Dr. Schneck.
    Ms. Schneck. Let us take this is an opportunity, unleash 
the power of the private sector. We built this thing. We didn't 
build it with security. Now we understand this adversary. Let 
us take the information we have, the data we have, the ISPs see 
all the mobile phone activity. They can see that. They can 
protect that. Incentivize us so that we can still eat when we 
get done doing it but let us make sure that we build business 
models around building security in from the hardware up, and I 
think you will see this world change in a few worlds.
    Mr. Gingrey. I thank the panel for their excellent 
responses, and Mr. Chairman, I yield back.
    Mr. Walden. Thank you, Dr. Gingrey.
    Ms. Eshoo and I were talking about, we are going to lock 
the doors and not let you out until you give us all the ideas 
that we need to do here, and we will let you out today. But 
seriously, in terms of helping us understand how to get this 
right. You have a lot of them but in your testimony but if you 
could help us drill down very specifically, at least within the 
jurisdiction we have, we would really appreciate very specific 
suggestions back.
    We are going to go now to Ms. Matsui from California. Thank 
you for participating.
    Ms. Matsui. Thank you, Mr. Chairman, and I have to say, 
this is probably the most interesting and scary testimony I 
have ever heard. But I think that quite frankly, our country 
doesn't realize what risk we have, and I think the things we 
hear about over the news are things--talk about hacking but 
they are at a level, a personal level that people understand. 
This is far beyond that. It really affects every sector of our 
economy, our country, the way we live. So I truly believe that 
this education process is going to be very, very important. And 
I also believe that people like you have to step up to talk 
about it in ways that the public could understand. 
Cybersecurity, everybody sort of understands it but doesn't 
understand it. So I think with every advance in technology, we 
open ourselves up, and our daily lives can be impacted so much.
    I wanted to follow up a little bit more on the cloud-based 
services. Businesses and governments are now going into the 
cloud, and what are the unique challenges facing the cloud with 
respect to cybersecurity and are we prepared, are we thinking 
ahead, knowing what we know now about how we address these 
challenges, and why don't we just start over here with Mr. 
Conner?
    Mr. Conner. It is something that is getting a lot of 
attention from everybody, and I think a lot of people are 
running before they thought it through. I think it is very 
application and business sensitive, depending what you put in 
the cloud. Some stuff you put in the cloud, it is user name and 
password sensitive, that is fine, but if you are putting 
valuable financial information and intellectual property in the 
cloud, you have two issues. The security within the cloud is 
not what the security was within a mainframe data center today, 
and how do you authenticate to the cloud is still a matter of 
how you choose to implement that, and I think that is very 
naive.
    Ms. Matsui. So are we still at a place though where we 
could start looking at that and incorporate, you know, how we 
integrate some of these things into some of the information-
sharing activities. We are still OK right now, but right now 
you talk about the cloud as a very sexy thing so people are now 
jumping to it.
    I was curious also, Dr. Lewis, that you mentioned that 
government should find ways to incentivize companies, and Dr. 
Schneck was talking about the same thing. What types of 
incentives would be the most effective, in your opinion? And I 
would also like to hear from Dr. Schneck too.
    Mr. Lewis. There are basically four kinds of incentives. 
There is regulation, and we are going to need some of that, not 
too much, and it varies from sector to sector. There are tax 
breaks. I mentioned this to the Republican task force on 
cybersecurity. They thought this was not the best year to go 
after tax breaks. There are subsidies, right, and we might need 
subsidies for research and development, perhaps some other 
things. Finally, there is a coordinating effect, right? Someone 
has to lead, and you can find this--maybe a good story from the 
Australian example. If you pull industry together and point 
them in the right direction, they will come up with some really 
good stuff and we can find some examples in the Defense 
Department where that has worked pretty well. So regulation, 
tax breaks, subsidies, and that might include building 
something into the rate structure for some critical 
infrastructure, and then coordination.
    Ms. Matsui. Dr. Schneck, do you agree?
    Ms. Schneck. Not entirely. I think regulation draws a box 
around the technologies that you are forced to adapt. It puts 
all your money there. It takes it away from science innovation, 
and even worse, it shows the bad guy what we are not 
protecting. But I do favor the rest. I favor tax incentives. 
You know, we believe in insurance reform. Anything that allows 
a company to be creative, invest upfront in cybersecurity, 
because the upfront investment is a lot easier and a lot more 
fun than the cleanup, and it is a lot cheaper. I testified 
earlier a couple months ago about small businesses and 
incentives being needed when--we don't realize the small to 
medium businesses make up, you know, 99 percent in some cases 
in our business fabric, and if you think about where some of 
the newest technologies come from, not just cyber but maybe our 
jet engine comes out of a startup of a couple really bright 
guys out of college, they are not going to invest a whole lot 
in cybersecurity necessarily when they get that huge SBIR 
grant, but if built into that grant was some positive incentive 
or some extra money saying you will get this money from the 
government only if you promise to secure it, and we could be 
doing that for all levels of companies.
    Ms. Matsui. So government does have that type of role, 
though, and I think the part that I am looking at is, who 
convenes all this way? How do you do this so you all work 
together? Because I think you are absolutely right, the 
business sector can work together and have the solutions but 
how do we get to the next point?
    Mr. Conner. Well, I think the first thing you have got to 
do is relieve the legal obligation when we sit with CEOs. In my 
first public-private, all the CEOs agreed until they went and 
talked to their legal counsel, and guess what? Then it went 
completely dead because no one wants to go public. For one, you 
have got an antitrust issue of sharing, and second is, the 
minute you go public, you create a standard to be sued 
criminally as well as civilly, and that is the reality as a 
government person doesn't understand, but if you are a CEO, 
class actions mean something and suits mean something, and the 
minute I say something, I now put a different standard to me to 
be held to.
    Ms. Matsui. Well, thank you very much. I see my time has 
run out. This is very fascinating.
    Mr. Walden. Thank you.
    We now go to Mr. Latta from Ohio. We look forward to your 
comments as well.
    Mr. Latta. Well, thank you, Mr. Chairman. I appreciate it. 
And I thank the panel for being here. For someone who did serve 
on the cybersecurity task force, I can tell you, it is like you 
go home, go to your office, it is like, do I really want to 
turn that thing on now or not.
    And if I can go back first, Mr. Conner, you know, talking 
about the yellow lock that you engaged with Mr. Rogers in a 
discussion about. You know, a lot of times they tell you if the 
https comes up, you are safe. Are you going to tell me that is 
not true now?
    Mr. Conner. The only thing I would tell you is, unless that 
chrome goes green, I wouldn't assume that you are safe.
    Mr. Latta. OK. Because the reason I ask that, you know, we 
have to get this message out to our constituents and the 
American people, and I know that a lot of folks see that little 
yellow lock come up and say I am fine. I hate to say that my 
daughters were on some social networking and we had a problem 
for about four days before somebody could spend--I don't want 
to say how much money it took to get the thing fixed before we 
could get back on the computer. But, you know, I am really very 
cognizant of the fact now of watching for that https to come 
up, because again, it also goes to the whole point of, you 
know, again, let us say you do online banking or people do 
certain things, we need to be able to communicate that, so that 
is one thing.
    If I could ask Mr. Dix and Dr. Schneck this question. You 
both mentioned in your testimony the idea of creating trusted 
relationships online either through authenticated emails or 
through white lists. Could you elaborate on these ideas and 
explain how they differ from the previous cybersecurity 
measures like spam filters and blacklisting?
    Mr. Dix. Ladies first.
    Ms. Schneck. So our focus on trusted relationships are in 
the macro and a little bigger. I would say that we all need to 
work together, and we do. Organizations such as Bob mentioned, 
organizations such as the NCFT and the InfraGard show that 
government and private work together. I think we are dealing 
online today with a world much different than spam filter. I 
used to help build a spam appliance many companies ago, and 
what we looked at then was only the email vector. Now you have 
the web vector, the firewall vector, the mobile vector. Again, 
the enemy is faster. So when you start looking at trusted 
relationships online, we had at least 30 different parameters 
we looked at just at email. It wasn't just, ``Did I trust the 
sender?'' It was all kinds of things and indicators in that 
note. And now you multiply that. So you have, from our 
perspective in protecting against cybersecurity threats at all 
the different vectors, we have over 1,000 different parameters 
of trust that we look at, and it is not just an established 
relationship. It is what has your behavior been lately as in 
the last two milliseconds and the last 15 years.
    Mr. Dix. Continuing to advance the development and 
implementation of the national strategy for trusted identifies 
in cyberspace is a step in the right direction, and that is an 
example where industry and government working with NIST have 
come together to deal with this issue of identity. Every one of 
my colleagues here has mentioned the issue of identity as being 
a root issue in this entire trust discussion that we are having 
here today. So there is an effort underway. It is 
collaborative. It is producing results and moving to 
implementation for the in stick would be a step in the right 
direction.
    Mr. Latta. Mr. Conner?
    Mr. Conner. Just the last comment on that is, the irony of 
this is, you think of who are the most trusted identifiers we 
use. They are usually government issued. And I think this is 
one area our government needs to get out of the U.S. think and 
into the rest-of-the-world think.
    Mr. Latta. Let me kind of go on with this, because, you 
know, again, when you are looking at, you know, people trusting 
what they are doing on the Internet and banking, I don't care 
what it is, but when we were talking about trust, this is 
another discussion that was held a little bit earlier, you 
know, talking about not buying from the low cost, low bid and 
you need to buy from that trusted source, but how do you know? 
How do you know even if you buy from somebody that is trusted 
that that stuff is still good without going--I mean, how do you 
go through unless you are testing? Are you testing constantly? 
I will throw that out to all of you.
    Mr. Dix. So since I brought that up, I will take that 
first, with your permission, sir. So each of us that are 
manufacturers has a network of authorized resellers and 
distributors that we utilize in the distribution of our 
products into the marketplace. That is a place to start from, 
understanding who those authorized providers are. There is also 
a great deal of work that is going on right now through the 
Trusted Technology Forum and the Open Group to be able to 
create a certification and accreditation process for suppliers, 
working collaboratively with the government again in a 
standards-based approach to being able to address this issue. 
So there is some good work that is going on right now, but the 
fundamental piece of it in my mind is cultural. We are still 
evaluating people and departments and agencies on their ability 
to meet cost and schedule. That drives a certain behavior 
because it doesn't have security as a paramount foundation of 
that conduct.
    Mr. Latta. Mr. Chairman, I see my time is expired and I 
yield back.
    Mr. Walden. Thank you very much.
    Dr. Christensen, you are now recognized for questions.
    Mrs. Christensen. Thank you, Mr. Chairman, and thank you to 
all of the panelists.
    This is a general question. The FCC's Communication 
Security, Reliability and Interoperability Council has been 
formulating recommendations for best practices to ensure 
optimal security and reliability of communication systems, so 
how do you see this process contributing to improvements in 
cybersecurity, or said another way, what is FCC's role in the 
coordinated defense that we heard about?
    Mr. Lewis. I am really glad you said that because I have 
been sitting here trying to remember what CSRIC stood for. I 
had gotten all but two of the letters.
    We have all said, when you talk about cloud, when you talk 
about mobile, that we are moving to a world where the role of 
the service providers is going to be more important, and that 
is where FCC and NTIA are the lead agencies right now. There 
are others of course that are involved but FCC originally 
looked at this issue and they were afraid that if they took too 
active a role, as I understand it, they might be seen as trying 
to regulate the Internet, and they wanted to avoid that. So 
instead, they have taken on an approach that works more on 
coordination with private sector experts, with developing 
venues for these private sector experts to get together and 
encouraging them to come up with a voluntary approach, and one 
of the things I had said to FCC staff a while ago is, try the 
voluntary approach, and if it works, great. If it doesn't work, 
then we have to think about more mandatory measures. So far it 
looks like it is working, though. So I understand they have 
some measures they might roll out in the next few months. 
Commerce has some other things they are doing. This is where 
the service providers and their regulators will be one of the 
key elements of cybersecurity in the future.
    Mrs. Christensen. Anyone else?
    Mr. Dix. So they are in a position to serve in a key role 
in this education and awareness campaign that we talked about 
and coordinating that at the national and in a sustained manner 
to help deliver messages to constituent stakeholders whether 
they are home users all the way up to large enterprises, 
working with the carriers and the content providers to be able 
to help deliver that message. So I think there is a key role in 
that part of it in showing leadership around how we advise 
people how to protect themselves.
    Mrs. Christensen. Ms. Schneck?
    Ms. Schneck. Just one point in addition, having worked with 
them a bit over the past few months, they are setting a great 
example. Their house is in order from a cybersecurity 
perspective. They have some new leadership and they are really 
looking--they are reaching out to the private sector saying 
what are the best practices. They are reaching out, from what 
they tell us, to other CIOs and the government. So when you 
talk about the need to get the government's house in order, I 
think that is an exemplary piece. And in addition, they have a 
group of people really looking at these policies and really 
looking at these issues. We have never seen that before. So I 
think this is a good time for them to not only build on the 
awareness they launched, I believe it was last spring with the 
SBA to the hygiene program point, but then jump on that for the 
larger enterprises also as an example.
    Mrs. Christensen. Well, Mr. Conner, and this is probably 
what you are referring to at the SBA, but your testimony notes 
that according to the FCC, three out of every four small and 
mid-sized businesses report having been affected by cyber 
attacks. So what is the role of the FCC in preventing the 
attacks or aiding the small business community?
    Mr. Conner. Well, I think increasingly the networks 
underpin all those attacks so you have got the ISPs, you've got 
the carriers themselves and you got the devices attaching to 
it. I think one of the areas that we must remember is, is it 
not always outside where those attack vectors come from, and 
just like organized crime found its way inside organizations, I 
think increasingly we are going to have to look at that as an 
attack vector, and that should be something that the FCC takes 
into consideration as they look at how to deal with it in 
addition to the ISP filtering and the other pieces they use.
    But one thing I would caution, I hear a lot of rhetoric 
around building separate networks, and having lived in a world 
that I am old enough that we had separate networks, I think the 
reliability when things like 9/11 and tsunamis happen, the 
benefit of having multiple networks and the Internet outweigh 
the needs of a protected, isolated network because I don't 
believe in today's world that is a real answer.
    Mrs. Christensen. I don't have any other questions, Mr. 
Chairman. I will yield back the balance of my time.
    Mr. Walden. I thank the gentlelady for yielding.
    I believe Ms. Blackburn is next for questions. Then I will 
go to Mr. Shimkus next.
    Mrs. Blackburn. I will skip.
    Mr. Shimkus. Thank you, Ms. Blackburn, and thanks for the 
panel. Sorry, we have two competing panels, and I apologize for 
not hearing all the testimony.
    Let me go to Mr. Lewis. You mentioned in your written 
testimony the importance of domain-name system security, 
DNSSEC. Could you describe the problem with the current 
implementation of domain-name systems and why DNSSEC is 
important?
    Mr. Lewis. Well, I think what you have heard from all us is 
when the people who designed the Internet designed it as a DOD 
network and then they thought it would grow out a little bit. 
They didn't worry about trust. They didn't worry about 
authentication. Phyllis knew it was her sister at the other 
end, right? When we did this, we didn't have to worry about 
this and so the domain-name system, which is the addressing 
system, is vulnerable to spoofing. It can be manipulated and, I 
think as you have, redirect traffic. So you think as far as you 
can tell on your machine you are going to a legitimate site and 
it could instead be the government of Iran or a Russian cyber 
criminal. You can spoof it. And DNSSEC uses authentication 
technologies largely so that we reduce that ability, really 
almost eliminate it, to impersonate another site.
    Mr. Shimkus. Yes, and I think the challenge with this 
committee is, it is so high tech, so--you know, we are 
laypeople for the most part. It is just very tough for 
laypeople to understand. That is why we have experts like you 
come. A lot of us do understand domain, just the basics, why 
you have a domain. Now ICANN is exploding domain names, and 
with that, should we--and this is one for the whole panel--
should we be working with ICANN to roll out DNSSEC?
    Mr. Conner. I think everybody is already working that. I 
would tell you be aware of newfangled toys. DNSSEC has a 
promise but it also has liabilities today that are equal to the 
liabilities we have today. Will it be there in 5 to 10 years? 
We hope sooner, but it is not there, not even close. I think we 
have got to use the capabilities we have like EBSSL where the 
chrome turns green and you know you are safe, and when someone 
says your identity is who it is, it is, and I think that is 
where I put the focus instead of buying $19 authenticate 
technology to take a responsibility liability for your identity 
and who that is, and if it costs you 500, I mean, that is where 
a bully pulpit starts to make a difference in our technology.
    Mr. Shimkus. Mr. Dix, anyone else want to respond? Anyone 
else? That is fine, because I want to go to a couple other 
things. I also deal with democracy movements in former captive 
nations, eastern Europe, whatever you want to call them, and 
followed the cyber techs in Estonia years ago, the meddling by 
China and Russia and their neighbors and continue to be very 
concerned, although the new technological age is allowing 
democracy movements to get their word out, to communicate, and 
that keeps evolving. But you also see governments like the 
government of Belarus try to clamp down on that and which I 
have also been very concerned about. So that is just a 
statement. I mean, it just an evolving--it is like a 
competitive market. People want to get information but the bad 
guys want to get around and it moves too fast that we can 
really regulate. I have always said that about this 
subcommittee and the tech community, there has got to be a lot 
of self-interest that gets people to move before they get 
caught.
    Let me just segue real quickly into, I serve on the Energy 
Committee and we go to power plants all the time. I am a big 
proponent of nuclear power. And Mr. Terry's opening statement 
talked about, well, you could be secure if you just had a 
desktop alone and were no longer connected. Now, with WiFi and 
stuff, who knows what folks could end up doing. But the power 
utility system relies so much on data going to RTOs, really 
what they are producing is excitable electrons to get on the 
grid, which if that all we had to worry about and had a closed 
system, we would be fairly safe, but it is all the monitoring 
and calculation of the load. What is the solution to the 
utility industry? Does anyone have----
    Mr. Conner. Two thoughts. One is, as I testified earlier, 
that is why you have to start with DOE's elite. Electrical is 
very different than nuclear at the source. We believe you have 
got to start within the power production plant itself. We are 
working with large manufacturers in terms of how do you 
authenticate everything in that power production plant because 
you want to know what parts, whether they are original ones or 
the alternate parts coming in, who they are and where they are 
from. And frankly, that doesn't matter whether they come from 
good or bad sources, just know where they come from and that 
they are there.
    The second thing we then focus on is, who is accessing 
those systems and sharing that information so only the people 
with the right authorization or identity can see it. And then 
the third thing we are working with them is, how that data is 
shared because data, in and of its own, at one location will 
not solve a grid by definition.
    Mr. Lewis. Two other quick points. The idea of a secure 
network, a standalone secure network, just doesn't make any 
sense. People bring their iPhone to work and they plug it in to 
charge, and we have seen that happen twice with allegedly 
isolated air gap networks, so forget it.
    We need to think about securing the industrial control 
systems, the SCADA networks. This is an avenue of attack. It is 
a different kind of network technology. Right now, it is the 
typical thing. When you buy it, the password is ``password'' 
and the user name is ``admin'' and it doesn't take a lot of 
activity for foreign opponents to figure that out. People also 
need to look at how their critical infrastructure connects to 
the Internet. When you talk to nuclear companies, for example, 
they will usually tell you we are not connected. When you do 
the actual survey, what you find is, you know, sure, so we need 
to have some way to bring the industry--some companies do 
great. Others need some help and we need to figure out how to 
do that.
    Ms. Schneck. And one point on that, the good news is, a lot 
of these industrial control systems are the same across sectors 
so if you can get some best practices and some incentives in 
one sector, they will multiply across from the grid to even 
transportation and nuclear in some cases. Authentication is one 
vector. Another is what gets executed. It goes back to the 
instruction. It is a malicious instruction from someone you 
don't want going to execute on a system that talks to something 
that controls physical infrastructure, and that comes from 
working at the component level, making sure that you have 
technology in those components that looks at whatever operating 
system is on that and says only execute these things. This is 
actually pretty simple on these because they only do one job in 
life. They are a component on the SCADA system. It is not 
just--it is not like they are a big server so you can lock down 
what they do.
    Mr. Shimkus. Thank you, Mr. Chairman. Thank you.
    Mr. Walden. Thank you.
    We will now go to Ms. Blackburn for 5 minutes for 
questions.
    Mrs. Blackburn. Thank you, Mr. Chairman, and thank you all 
for being here and for your patience with us.
    I want to say just a couple of things. I think it is so 
important that the industry lead on this. Anything that we do, 
as different members have said today, is going to be passe 
before the ink is dry on whatever it is that we do. As we look 
at the security issues, I think that your guidance is there.
    Another thing. We have spent some time in this committee 
and also in CMT, Commerce, Manufacturing and Trade, looking at 
the issue of privacy and the data security issue, the breach 
notification issue, which is a component of what we have here, 
and quite frankly, I think that most people do not realize the 
vulnerability that exists in their home with the computer that 
is there, and believe you me, I hear about it a lot with my 
district in Tennessee with all the songwriters and entertainers 
and the individuals that are in logistics informatics or 
financial service informatics or health care informatics and 
auto engineers. So the problems are compounding for this every 
day. But as we look at the privacy issue and in my 
conversations with them, let me ask you about Federal 
preemption. And as we look at our standards on breach 
notification, data security, I wonder if you all have any 
thoughts on putting in Federal preemption language and making 
certain that we are working from one standard and the 
importance of that.
    Mr. Clinton. Ms. Blackburn, if I could, we are supportive 
of Federal preemptive notification requirement. I think we have 
47 different ones now. For a multi-state company, it is very, 
very difficult to work on the similar themes that I have been 
hammering on throughout today and generally is that we have to 
understand that it is not a technical problem, it involves 
cost. If we can find a way to reduce cost, we can have good 
standards but we don't have to have multiple good standards. So 
we can lower compliance costs, increase simplification, we will 
have better adherence, we will have better security, better 
privacy and at lower cost, and I think that that ability to cut 
through kind of the government falling all over itself at the 
various levels is critical to getting that done, so I am very 
supportive of that.
    Mrs. Blackburn. OK.
    Mr. Conner. I would second that. I would tell you the 
single largest legislation issue that has brought security from 
being in the Stone Age to today is probably California 1386. 
Why? Because it said if it happens, you have a carrot and a 
stick. If you tried to protect yourself with encryption, you 
are safe, and if you haven't, you are liable for a class-action 
suit. That is singly the shot that was heard around the world, 
at least in the United States. The problem being, as Larry 
said, we have got too many State legislations, a patchwork, so 
that needs to get dealt with because it is an inextricable link 
to cybersecurity in terms of that.
    The second piece I would tell you is the regulation that 
just was passed by the FCC about disclosure is going to have 
just as profound impact. The problem is, it is only public 
companies, and that disclosure is pretty nebulous in terms of 
being meaningful for you as a small business person in 
Knoxville or Nashville or Memphis in terms of what that means 
to you.
    Mrs. Blackburn. OK. Thank you. I will yield back.
    Mr. Walden. The gentlelady yields back, and now I think our 
final questioner is Mr. Bilbray from California. We welcome 
your comments. You are recognized for 5 minutes.
    Mr. Bilbray. Thank you, Mr. Chairman.
    Mr. Conner, do you believe that law enforcement has the 
tools they need to go after cyber criminals as described in 
your testimony?
    Mr. Conner. No, they do not. I have to tell you, if you 
look at the attempts that are being made with DHS and within 
Justice to have the criminal network geared up, I mean, part of 
the problem is, we look at it and there are one-time uses for 
critical events. Well, unless you use it every day, that system 
is never going to be ready. We partnered with Interpol to do 
just that. They have 6,000 agents worldwide, and their issue 
was--because I certainly didn't have the money--Interpol is 
treated like a country now under passport control. We were able 
to put their passport information so it has biometrics. 
Unfortunately, this country doesn't deal with that in its 
passport today. It is first generation digital. The second 
thing it has--and this is all on commercial chips--it has 
software to do logical access so those 6,000 agents if they go 
after a tsunami, they can go on any network, including an 
Internet cafe, and be secure in getting access to that 
information, whether it is mobile, etc., and last but not 
least, physical access to every Interpol office. All that 
technology resides on this little card--this is a real one--
that those 6,000 agents use around the world today as they 
follow crime, hopping jurisdictions that have three different 
standards, three different use cases, that allows them to do 
their job. Why is it important? Because it is what he or she 
has to use every day. To the extent it is not something you use 
every day, it will not be useful at the time of need in some 
event.
    Mr. Bilbray. So basically you are saying we are at place in 
cyber crime where we were in the 1930s with the bad guys 
running around with Thompson submachine guns and the cops 
carrying .38 revolvers.
    Mr. Conner. Well, and worse than that, we are isolated. We 
are isolated here in the United States with, as my colleague 
said, the most at risk and no ability to interwork on a global 
capability with the good guys to defend that.
    Mr. Bilbray. It is interesting you bring that up because I 
think that most of us here will remember after 9/11 this issue 
of the technology, security, the biometrics, the high-tech 
stuff was one of the top priorities of the 9/11 Commission. We 
passed a thing called the REAL ID bill and now everybody has 
found excuses to keep dragging it on, dragging it on. In fact, 
I think we are even giving grants to States for homeland 
security and States are refusing to implement the 9/11 
recommendations, so we are giving them money and they basically 
say that we want to spend it on other things rather than the 
first priorities. Do you think we may want to revisit that 
whole situation rather than just ignoring the fact that----
    Mr. Conner. Absolutely. I spoke the morning after Bush 
addressed both the House and Senate. That morning after, I was 
with Mr. Bennett and other legislators that were leading this 
effort and spoke at NATO after 9/11 on, we have learned to 
defend air, land and sea, the next frontier is cyber. 
Unfortunately, in those 10 years, we made a lot of progress but 
the bad guys have made more progress and they can jump across 
jurisdictions with no legislative legal barrier.
    Mr. Bilbray. Mr. Chairman, I have to say that this is one 
thing that I think that our committee always referred over to 
Homeland Security but here is a point where we may want to 
talk. This is a place that both sides of the aisle should be 
able to cooperate on. We have got a consensus there. And 
frankly, the bad guys in here, the obstructionists are on both 
sides of the aisle too. So maybe this committee can take a look 
at, you know, how we can go back and revisit that and address 
that issue.
    And I appreciate the fact that you draw the line about--I 
am concerned and I will ask the doctor to jump in here because 
the two at the end brought up two interesting things, that when 
we develop strategies, how to address this. We don't want to 
create a box that gets people to litigate the private sector 
but we also don't want to create a box that allows the bad guys 
to know how far they have to move outside to avoid it, and I 
would solicit both comments. Let us start with the doctor and 
then I will go back of how, you know, can you elaborate again 
how that us creating arbitrary boxes may be utilized by the bad 
guys.
    Ms. Schneck. I think it was said earlier, and even by 
Ranking Member Eshoo, this issue is so vast, this is science, 
that if you start saying you will implement these five things, 
the adversary is always looking at how to get around that. They 
know their target. They know what they want. They spend many 
months and people on finding exactly the intellectual property 
they want. They find the person and the company. They know what 
the person will respond to and they get it.
    It is quite clear that if we say we are going to seal up 
these gateways and these ways, these are the best practices 
that we must follow when it is a regulation, that is where the 
money will go, and after that, the money won't go to anything 
new and different and therefore the adversary then always goes 
outside that and says well, I can get in this way. It is like 
the point to the industrial control system. They say they are 
disconnected but true story after true story finds a little 
modem out the back so the person can watch the game while they 
do the monitoring. There is always a way out in science, and 
what we want to do is instead incentivize. You have a classic 
problem. We are not incentivized to do what is good for the 
greater good. We are incentivized towards our shareholders. So 
instead, if you put that money and that incentive toward 
innovation, we will end up building stronger and better 
technology at many times the speed that the legislation could 
even get through do to the, quote, protection.
    Mr. Conner. Congressman, I think that is a great question. 
I am frankly less concerned about what we say we are doing. Say 
anything you want, by the time you say it, they have already 
figured that out. They are not waiting for us to legislate and 
regulate and figure out the next hole. I think the model is 
very clear. It is joint forces and it is in DOD. We still have 
strong Army, Air Force, Marines, Colonel Garlick, and they act 
on their own. They are highly integrated with their suppliers. 
There is what is publicly available. I served on the Joint 
Forces Advisory Board as a private sector person. There is what 
you do in that that is public and there is what you do that is 
not public, and I think that is how cybersecurity has to be 
treated. There was 10 percent of the money set aside to deal 
with cybersecurity, and no Army, Air Force department could do. 
They had to get their best and brightest in on it and they had 
to share what is public is public and what is not public is 
equally or maybe more important.
    Mr. Bilbray. Thank you, Mr. Chairman.
    Mr. Chairman, they referred to Australia. Being the son of 
an Australian war bride, it reminds me of the story of a 
notorious Australian bushman, a robber named Ned Kelly. Ned 
Kelly was notorious for putting so much armor on so that nobody 
could shoot him, and his armor slowed him down so much that 
they shot him in the back where he wasn't armored, and I think 
that may be very symbolic of the Ned Kelly syndrome, that we 
put on so much armor thinking we are defending and what we do 
is create an opportunity for the bad guys to get around it.
    Thank you. I yield back.
    Mr. Walden. I thank the gentleman and I thank all our 
committee members for letting us have a more freewheeling 
hearing than sometimes we have, but the value of the content we 
got from you all is just unparalleled, and I think my 
colleague, Ms. Eshoo, and I will be reaching out to each of you 
to say come back to us with what really would work. We got a 
lot of that today and our staff has got that. We are going to 
move forward on this. I think there is an opportunity to look 
at device manufacturers, perhaps the phone side, the router 
side, there is an issue on the education side, and so we really 
appreciate what you are doing out there in this fight and your 
input to us so we can try to get it right and solve this 
problem.
    With that----
    Ms. Eshoo. I would say bravo and thank you very much. Every 
member really drew so much from your testimony and the answers 
to our questions have been most, most helpful. Thank you.
    Thank you, Mr. Chairman.
    Mr. Walden. Thank you, and with that, the committee will 
stand adjourned.
    [Whereupon, at 11:56 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.066
    
    [GRAPHIC] [TIFF OMITTED] T2628.067
    
    [GRAPHIC] [TIFF OMITTED] T2628.068
    
    [GRAPHIC] [TIFF OMITTED] T2628.069
    
    [GRAPHIC] [TIFF OMITTED] T2628.070
    
    [GRAPHIC] [TIFF OMITTED] T2628.071
    
    [GRAPHIC] [TIFF OMITTED] T2628.072
    
    [GRAPHIC] [TIFF OMITTED] T2628.073
    
    [GRAPHIC] [TIFF OMITTED] T2628.074
    
    [GRAPHIC] [TIFF OMITTED] T2628.075
    
    [GRAPHIC] [TIFF OMITTED] T2628.076
    
    [GRAPHIC] [TIFF OMITTED] T2628.077
    
    [GRAPHIC] [TIFF OMITTED] T2628.078
    
    [GRAPHIC] [TIFF OMITTED] T2628.079
    
    [GRAPHIC] [TIFF OMITTED] T2628.080
    
    [GRAPHIC] [TIFF OMITTED] T2628.081
    
    [GRAPHIC] [TIFF OMITTED] T2628.082
    
    [GRAPHIC] [TIFF OMITTED] T2628.083
    
    [GRAPHIC] [TIFF OMITTED] T2628.084
    
    [GRAPHIC] [TIFF OMITTED] T2628.085
    
    [GRAPHIC] [TIFF OMITTED] T2628.086
    
    [GRAPHIC] [TIFF OMITTED] T2628.087
    
    [GRAPHIC] [TIFF OMITTED] T2628.088
    
    [GRAPHIC] [TIFF OMITTED] T2628.089
    
    [GRAPHIC] [TIFF OMITTED] T2628.090
    
    [GRAPHIC] [TIFF OMITTED] T2628.091
    
    [GRAPHIC] [TIFF OMITTED] T2628.092
    
    [GRAPHIC] [TIFF OMITTED] T2628.093
    
    [GRAPHIC] [TIFF OMITTED] T2628.094
    
    [GRAPHIC] [TIFF OMITTED] T2628.095
    
    [GRAPHIC] [TIFF OMITTED] T2628.096
    
    [GRAPHIC] [TIFF OMITTED] T2628.097
    
    [GRAPHIC] [TIFF OMITTED] T2628.098
    
    [GRAPHIC] [TIFF OMITTED] T2628.099
    
    [GRAPHIC] [TIFF OMITTED] T2628.100
    
    [GRAPHIC] [TIFF OMITTED] T2628.101
    
    [GRAPHIC] [TIFF OMITTED] T2628.102
    
    [GRAPHIC] [TIFF OMITTED] T2628.103
    
    [GRAPHIC] [TIFF OMITTED] T2628.104
    
    [GRAPHIC] [TIFF OMITTED] T2628.105
    
    [GRAPHIC] [TIFF OMITTED] T2628.106
    
    [GRAPHIC] [TIFF OMITTED] T2628.107
    
    [GRAPHIC] [TIFF OMITTED] T2628.108
    
    [GRAPHIC] [TIFF OMITTED] T2628.109
    
    [GRAPHIC] [TIFF OMITTED] T2628.110
    
    [GRAPHIC] [TIFF OMITTED] T2628.111
    
    [GRAPHIC] [TIFF OMITTED] T2628.112
    
    [GRAPHIC] [TIFF OMITTED] T2628.113
    
    [GRAPHIC] [TIFF OMITTED] T2628.114
    
    [GRAPHIC] [TIFF OMITTED] T2628.115
    
    [GRAPHIC] [TIFF OMITTED] T2628.116
    
    [GRAPHIC] [TIFF OMITTED] T2628.117
    
    [GRAPHIC] [TIFF OMITTED] T2628.118
    
    [GRAPHIC] [TIFF OMITTED] T2628.119
    
    [GRAPHIC] [TIFF OMITTED] T2628.120
    
    [GRAPHIC] [TIFF OMITTED] T2628.121
    
    [GRAPHIC] [TIFF OMITTED] T2628.122
    
    [GRAPHIC] [TIFF OMITTED] T2628.123
    
    [GRAPHIC] [TIFF OMITTED] T2628.124
    
    [GRAPHIC] [TIFF OMITTED] T2628.125
    
    [GRAPHIC] [TIFF OMITTED] T2628.126
    
    [GRAPHIC] [TIFF OMITTED] T2628.127
    
    [GRAPHIC] [TIFF OMITTED] T2628.128
    
    [GRAPHIC] [TIFF OMITTED] T2628.129
    
    [GRAPHIC] [TIFF OMITTED] T2628.130
    
    [GRAPHIC] [TIFF OMITTED] T2628.131
    
    [GRAPHIC] [TIFF OMITTED] T2628.132
    
    [GRAPHIC] [TIFF OMITTED] T2628.133
    
    [GRAPHIC] [TIFF OMITTED] T2628.134
    
    [GRAPHIC] [TIFF OMITTED] T2628.135
    
    [GRAPHIC] [TIFF OMITTED] T2628.136
    
    [GRAPHIC] [TIFF OMITTED] T2628.137
    
    [GRAPHIC] [TIFF OMITTED] T2628.138
    
    [GRAPHIC] [TIFF OMITTED] T2628.139
    
    [GRAPHIC] [TIFF OMITTED] T2628.140
    
    [GRAPHIC] [TIFF OMITTED] T2628.141
    
    [GRAPHIC] [TIFF OMITTED] T2628.142
    
    [GRAPHIC] [TIFF OMITTED] T2628.143
    
    [GRAPHIC] [TIFF OMITTED] T2628.144
    
    [GRAPHIC] [TIFF OMITTED] T2628.145
    
    [GRAPHIC] [TIFF OMITTED] T2628.146
    
    [GRAPHIC] [TIFF OMITTED] T2628.147
    
    [GRAPHIC] [TIFF OMITTED] T2628.148
    
    [GRAPHIC] [TIFF OMITTED] T2628.149
    
    [GRAPHIC] [TIFF OMITTED] T2628.150
    
    [GRAPHIC] [TIFF OMITTED] T2628.151
    
    [GRAPHIC] [TIFF OMITTED] T2628.152
    
    [GRAPHIC] [TIFF OMITTED] T2628.153
    
    [GRAPHIC] [TIFF OMITTED] T2628.154
    
    [GRAPHIC] [TIFF OMITTED] T2628.155
    
    [GRAPHIC] [TIFF OMITTED] T2628.156
    
    [GRAPHIC] [TIFF OMITTED] T2628.157
    
    [GRAPHIC] [TIFF OMITTED] T2628.158
    
    [GRAPHIC] [TIFF OMITTED] T2628.159
    
    [GRAPHIC] [TIFF OMITTED] T2628.160
    
    [GRAPHIC] [TIFF OMITTED] T2628.161
    
    [GRAPHIC] [TIFF OMITTED] T2628.162
    
    [GRAPHIC] [TIFF OMITTED] T2628.163
    
    [GRAPHIC] [TIFF OMITTED] T2628.164
    
    [GRAPHIC] [TIFF OMITTED] T2628.165
    
    [GRAPHIC] [TIFF OMITTED] T2628.166
    
    [GRAPHIC] [TIFF OMITTED] T2628.167
    
    [GRAPHIC] [TIFF OMITTED] T2628.168
    

                                 
