[Senate Hearing 112-221]
[From the U.S. Government Publishing Office]

S. Hrg. 112-221

PROTECTING CYBERSPACE: ASSESSING THE WHITE HOUSE PROPOSAL

=======================================================================

HEARING
before the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION

__________

MAY 23, 2011

__________

Available via the World Wide Web: http://www.fdsys.gov/

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
67-638 PDF
WASHINGTON : 2012

-----------------------------------------------------------------------

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
DANIEL K. AKAKA, Hawaii
THOMAS R. CARPER, Delaware
MARK L. PRYOR, Arkansas
MARY L. LANDRIEU, Louisiana
CLAIRE McCASKILL, Missouri
JON TESTER, Montana
MARK BEGICH, Alaska

SUSAN M. COLLINS, Maine
TOM COBURN, Oklahoma
SCOTT P. BROWN, Massachusetts
JOHN McCAIN, Arizona
RON JOHNSON, Wisconsin
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JERRY MORAN, Kansas

Michael L. Alexander, Staff Director
Jeffrey E. Greene, Senior Counsel
Matthew R. Grote, Professional Staff Member
Nicholas A. Rossi, Minority Staff Director
Brendan P. Shields, Minority Director of Homeland Security Policy
Denise E. Zheng, Minority Professional Staff Member
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk

C O N T E N T S

Opening statements:
  Senator Lieberman
  Senator Collins
  Senator Carper

Prepared statements:
  Senator Lieberman
  Senator Collins

WITNESSES

Monday, May 23, 2011

  Philip R. Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security
  Robert J. Butler, Deputy Assistant Secretary for Cyber Policy, U.S. Department of Defense
  Ari Schwartz, Senior Internet Policy Advisor, National Institute of Standards and Technology, U.S. Department of Commerce
  Jason C. Chipman, Senior Counsel to the Deputy Attorney General, U.S. Department of Justice

Alphabetical List of Witnesses

  Butler, Robert J.: Testimony; Joint prepared statement
  Chipman, Jason C.: Testimony; Joint prepared statement
  Reitinger, Philip R.: Testimony; Joint prepared statement
  Schwartz, Ari: Testimony; Joint prepared statement

APPENDIX

  Responses to post-hearing questions for the Record from: Mr. Reitinger, Mr. Butler, Mr. Schwartz, and Mr. Chipman

PROTECTING CYBERSPACE: ASSESSING THE WHITE HOUSE PROPOSAL

----------

MONDAY, MAY 23, 2011

U.S. Senate,
Committee on Homeland Security and Governmental Affairs,
Washington, DC.

The Committee met, pursuant to notice, at 10:33 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Joseph I. Lieberman, Chairman of the Committee, presiding.

Present: Senators Lieberman, Carper, and Collins.

OPENING STATEMENT OF CHAIRMAN LIEBERMAN

Chairman Lieberman. Good morning. The hearing will come to order. Thanks to everyone for being here.
Thanks particularly to the representatives of the Administration who are before us as witnesses. If there is anyone who does not believe that we urgently need to pass strong cybersecurity legislation, which is the topic of our hearing today, I would tell them to look at some of the high-profile computer attacks that have happened in the past several months, that is, the ones that we know about. Let us just take the Sony Corporation as an example. In two separate attacks, hackers stole the personal and billing information, including reportedly some of the credit card numbers, of 100 million people. And when the Sony site finally reopened last Thursday, the company found that they had not actually been able to close all the vulnerabilities that had been opened up in the wake of the first two attacks and that hackers could still use the information to hijack users' accounts. If that does not convince skeptics we have a real cybersecurity problem in America, then consider the breaches that have occurred in the cyber systems of organizations that specialize in cybersecurity. Take our own Oak Ridge National Laboratory, which has a very important role in fulfilling the Department of Energy's responsibility to secure our electric grid from cyber attack, whether by enemy nations or cyber terrorists. Oak Ridge National Laboratory was itself successfully cyber attacked just last month. Or one that has been widely described in the media, RSA, a company whose SecurID program is used by about 40 million entities, users, really, at 30,000 companies, including parts of the Federal Government. And those parts include the Social Security Administration, the Department of Defense (DOD), and the U.S. Senate. RSA had valuable security information stolen from its computers that could compromise these systems and actually be used in future attacks. 
So, bottom line--and these are just a few examples, and again, these are examples that are on the public record--if we do not do something soon, the Internet is going to become a digital Dodge City. Cyberspace is just too important to modern life for us to sit back and allow that to happen. This is a place that really cries out for law. It is time to say, if I may continue the Dodge City metaphor, that there is a new sheriff in town and we are going to have some law and order around here, and we could do that, of course, without compromising, in effect, alongside elevating liberty and privacy. The recent release of the White House's proposed cybersecurity legislation is a very important step in that direction. I think it represents a turning point in our efforts to pass the strong measures we need to protect consumers, businesses, critical infrastructure, and our national security from cyber attack by terrorists, spies, or crooks. I am pleased not just by the appearance of the Administration's cybersecurity legislation, but by its substance. The President's proposal is similar in many ways to legislation this Committee reported out earlier in this session of Congress, and where there are differences, I think we can work together to find agreement. So I am, in this regard, very grateful to the witnesses for appearing before us today. This is the first public testimony that the Administration has given on its cybersecurity proposal since it was released. One important area of agreement is the recognition that the Department of Homeland Security must be given the job of protecting the ``dot-gov'' and ``dot-com'' domains. In other words, the Department of Homeland Security (DHS) will be the new sheriff in cyber-town that we need. 
A crucial part of this job will be for DHS to identify critical cyber infrastructure, the systems or assets that control things like power plants, electric grids, and pipelines that, if commandeered by our enemies, could lead to havoc and, of course, death and destruction. DHS needs that authority and also the ability to evaluate the risks to those systems. Once the systems and risks have been identified, their owners and operators, under the proposal that we have made, will be required to develop plans to safeguard their systems. Those plans will be reviewed to ensure they will actually improve security, reviewed in our proposal by the Department of Homeland Security, in the White House proposal by government- accredited third-party evaluators. Just last week, if I may say, in our role as oversight Committee of the Department of Homeland Security, that we saw an example of why this kind of planning is so necessary and why the Department of Homeland Security has raised itself to a quality of performance that it deserves to have the job. A private researcher apparently discovered a major security flaw in a widely-used industrial control system and planned to present this research at a conference. When personnel at the Department of Homeland Security discovered this and explained to the researcher how dangerous it would be to have this information out in public before the security flaws had been patched, he voluntarily canceled his talk. This is very important because another cybersecurity expert said of this particular vulnerability, ``This is different from simply stealing money out of someone's bank account. Things could explode.'' Besides securing critical infrastructure, our bill and the White House bill would direct the Department of Homeland Security to work cooperatively and on a voluntary basis with the private sector and State and local governments to share cybersecurity risk and best practice information. 
The White House proposal also clears the way for industry to share cybersecurity information without having to worry about running afoul of various privacy statutes that impede information sharing now. The business and government communities would be free to use this advice as best suits their needs. There would be no one-size-fits-all mandates or dictates. Both the White House bill and our Committee bill also contain robust privacy oversight to ensure that our broader cybersecurity efforts do not impact individual privacy or civil liberties. And finally, both our proposals would also reform and update the Federal Information Security Management Act (FISMA) to require continuous monitoring and protection of our Federal computer networks and to do away with the current paper-based reporting system. Now, one key difference between our bill and the White House proposal is that our legislation creates a White House Office of Cyberspace Policy with a Senate-confirmed leader. We believe that the stakes are so high when it comes to cybersecurity for our country that whoever holds that position should be confirmed by the Senate and, therefore, accountable to Congress. Our Committee's bill would also clarify the President's authority to act in the event of a true cyber emergency while at the same time ensuring that the President cannot take any action that would limit free speech or shut down the Internet. In its original version, this section was, in our opinion, misconstrued, and we have tried in the language that was reported out of Committee to reassure everybody about the limitations, the very limited circumstances under which the President could act and the limited range of his actions. The Administration, on the other hand, and I will be interested in discussing this, believes that additional statutory authority in this regard is unnecessary because the President has the authority that we give him in this proposal already in existing law. 
Bottom line, the Internet is a thrilling new frontier of our age, with a plugged-in population of almost two billion now, and that number is growing every day. The Internet has created a revolution in commerce, communications, entertainment, finance, and government, really, just about every aspect of our lives. But what we are saying is that it must not be a lawless frontier. I believe that with the proposals we have in front of us, we can bring about the needed change this year to make the Internet safer and more secure. The Majority Leader, Senator Harry Reid, has taken a very active interest in this legislation. It remains a priority of his for this session. I have said to him that I believe it is the most important piece of legislation coming out of our Homeland Security Committee in this session. He is working, I am pleased to say, with the Republican leader, Senator Mitch McConnell, as Senator Collins and I, of course, have worked together here. There are five or six different committees of the Senate that claim some part of the jurisdiction over this subject matter, and I believe it is the intention of the bipartisan leadership of the Senate to establish a process by which all those Committees can, as quickly as possible, negotiate any remaining differences in the bills that have come out of committee so that we can bring it to the Senate floor as quickly as possible. We have had a very successful round of negotiations with the Commerce Committee, which is the other committee claiming major jurisdiction here, and we have resolved just about all of the differences, not every one, but just about every one that we had between us. 
Now, before I yield to Senator Collins, I want to just take a moment to thank Phil Reitinger, who, as Deputy Under Secretary of the National Protection and Programs Directorate has done a great job in a relatively short period of time, really elevating the quality of the cybersecurity operations at DHS and has been a real leader in crafting this White House proposal, including working very productively and cooperatively with our Committee. So we thank you for that, Mr. Reitinger. With the bill finalized, as I suppose most people in the room know, Mr. Reitinger has decided to move on to the next great chapter of his life. I am not going to put him under oath to have him declare exactly what that will be yet, but whatever it is, we wish you well and thank you for your public service, which has made a real difference to our country. Senator Collins.

OPENING STATEMENT OF SENATOR COLLINS

Senator Collins. Thank you, Mr. Chairman. Let me begin by saying that I am very pleased that the Administration is now fully engaged on the imperative issue of drafting and passing cybersecurity legislation. Experts tell me that the cyber arena is where the biggest gap exists between the threat level and vulnerabilities and our level of preparedness. Virtually every week, we learn of another massive cyber breach. The company that authenticates users seeking to access Senate networks was hacked. As the Chairman has indicated, Sony's online gaming network was breached. This morning, we read in our newspapers that the repressive government of Syria attacked the social media sites of dissidents and protesters. The truth is that the number and sophistication of cyber attacks continue to grow each and every day. The Federal Bureau of Investigation (FBI) reports that small and medium-sized businesses in our country lost more than $11 million over the past year in online scams in which stolen banking credentials were used for fraudulent buyer transfers to Chinese companies.
Worldwide, the annual cost of cyber crime has climbed to more than $1 trillion. And according to the alarming testimony last year from the office of the Senate Sergeant at Arms, on average, each month, 1.8 billion cyber attacks target the computer systems of Congress and the Executive Branch. Unfortunately, the government's overall approach to cybersecurity has been disjointed and uncoordinated to date. The threat is simply too great to allow this to continue. The need for Congress to pass comprehensive cybersecurity legislation is more urgent than ever. So I am pleased that the White House has now joined the efforts that this Committee has undertaken over the past few years to develop a bill to help safeguard the American people from a cyber September 11, 2001. I am also encouraged that the Administration's approach is similar in many respects to our framework. Both bills call for a strong public-private partnership to improve cybersecurity. Our bill would bolster sharing within the private sector and across government of actionable threat intelligence that would help protect the private sector from advanced cyber threats. It would also direct the Department of Homeland Security to collaborate with the private sector to develop and promote cybersecurity best practices. Like our bill, the White House proposal recognizes that the Department of Homeland Security should be the appropriate agency to lead the Federal effort to secure Federal civilian agencies, the dot-gov domain, as well as the critical infrastructure in the private sector and public sector against cyber threats. I believe that cybersecurity at DHS must be led by a strong and empowered director who can close the coordination gaps that now exist. This leader should report directly to the Secretary of Homeland Security and also serve as the principal adviser to the President on cybersecurity. 
To me, the best construct, which is not included in the White House proposal, is modeled on the National Counterterrorism Center and would apply a multi-agency approach to this issue that would be within DHS, and I look forward to exploring that issue with our witnesses this morning. On a positive note, the Administration's approach to securing our Nation's most critical infrastructure is very similar to the risk-based approach in our bill. Our bill differs, however, in providing liability protection as an incentive for companies to maintain continuous compliance with risk-based performance requirements. We should also detail the extent of the President's authority to deal with cyber emergencies. As the Chairman has pointed out, our bill has explicit provisions preventing the President from shutting down the Internet. It also places limits on the length of any emergency actions, requires reporting to Congress, ensures remedial actions are the least disruptive steps feasible, and includes privacy protections. By contrast, and I must say this baffles me, the Administration appears to be relying on outmoded yet potentially sweeping authorities granted in the Communications Act of 1934. I want to emphasize that date to point out just how outmoded those authorities are. Our bill explicitly calls for the development of a supply chain strategy to leverage the Federal Government's buying power to drive improvements in cybersecurity. This would have beneficial ripple effects in the larger commercial market. As a very large customer, the Federal Government can contract with companies to innovate and improve the security of their information technology (IT) services and products. These innovations could lead to a new security baseline for services and products offered to the private sector and the general public without mandating specific market outcomes. In addition, our bill would give DHS the authority to hire and retain highly qualified cybersecurity professionals.
I look forward to discussing these important issues with our witnesses today, but most of all, to working together to finally secure the passage of comprehensive cybersecurity legislation. Thank you, Mr. Chairman.

Chairman Lieberman. Thanks, Senator Collins. Thank you very much. Senator Carper has been a cosponsor with Senator Collins and me of the legislation originally introduced, particularly with interest over the longer haul in the FISMA part of the bill, but overall, and I would welcome an opening statement from you at this time.

OPENING STATEMENT OF SENATOR CARPER

Senator Carper. Thanks, Mr. Chairman. I am delighted to give one. As the clock was ticking down into this weekend and we were approaching the end of the world----

Chairman Lieberman. Yes. [Laughter.]

Senator Carper [continuing]. I was thinking, we worked so hard to try to develop consensus on this Committee----

Chairman Lieberman. Right.

Senator Carper [continuing]. With the Commerce Committee, and with the Administration. It would really be a shame if it all ended before we got this done.

Chairman Lieberman. It could be that is why it did not end.

Senator Carper. The good news is we are all still here. The bad news is, so are the hackers that are trying to get into our bank accounts and steal our secrets, whether military secrets or all kinds of trade secrets, innovation secrets. I guess if you had to choose between one outcome or the other, this is probably the better outcome, and I am pleased that we have some consensus that is building. I really want to thank both of you for helping to spearhead that. I am delighted that we are moving swiftly to hold this hearing on the Administration's proposal to improve our Nation's ability to defend against cyber attacks, and I ran into a couple of these fellows earlier this morning coming into the Dirksen Building. One of them actually had his father in tow, and we especially welcome him and thank him for sharing his son with us.
It has now been nearly 10 years since September 11, 2001, and over that period of time, our country has done a tremendous amount of work to defend against the kinds of attacks that we saw that day. We started with our airports, launching pad of the destruction the September 11, 2001 terrorists inflicted upon us, and under your leadership, Mr. Chairman, and the leadership of Senator Collins, we then dramatically reorganized our government to better prevent attacks and prepare for the consequences of both natural and manmade disasters. We have also worked to better secure our ports, our mass transit systems, our chemical facilities, and other key pieces of our infrastructure. Today, the architect of September 11, 2001, is dead. And while we still face many threats, I think we can say that our country is, in a number of ways, safer, I think maybe much safer, than it was on September 10, 2001. That does not mean we sit back and take it easy. We are not going to do that. But we do face a new threat today that I do not think was even on our radar screen 10 years ago. More and more Americans live their lives and conduct their businesses online, and this has created an attractive target for hackers and criminals looking to steal information or money or just to cause mischief. At the same time, we have an increased reliance on sophisticated technology to keep the lights on, keep our water clean, run our factories, and even to fight wars and defend our country. Terrorists with the ability to compromise and damage or destroy the technology we depend on every day could cause serious damage, potentially even on the scale of a cyber September 11, 2001. In past congresses, I have introduced legislation that would begin the process of addressing our cyber vulnerabilities by improving the way in which Federal agencies secure their networks. 
Over the course of a series of hearings, the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, which I chair, learned that agencies were relying on outdated, expensive, paperwork-heavy systems to secure the technology they rely on to serve the public and protect the important data they are entrusted with. Nobody could say for sure that the system worked and that our agencies were safe from cyber attack. My legislation aimed to hold agencies accountable for continuously monitoring their networks to ensure that they are as secure as possible at all times. Last year, Mr. Chairman, I was pleased to join with you and Senator Collins in developing comprehensive cybersecurity legislation that would have better secured agency networks while also beginning the process of working with the private sector to secure the critical systems that they own. We introduced what I think is an improved version of our bill again this year. As my colleagues are aware, it has proven difficult so far this year to find bipartisan consensus on many issues here in the Senate. I have a feeling, though, that it might just be possible in this instance to work across the aisle, like we did after September 11, 2001, to address the serious security challenges that we face as a country. It is my hope, however, that we can act this time before the damage is done. Thank you. It is great to be here with both of you and we look forward to hearing from our witnesses.

Chairman Lieberman. Thanks, Senator Carper. Let me just stress something you said. A while back, Senator Reid and Senator McConnell called in the chairs of the six committees with jurisdiction over some aspect of cybersecurity and the Ranking Republican members. It is a sad fact of life around here that I cannot remember the last time that happened. But it also, in this regard, shows how seriously the bipartisan leadership of the Senate takes the cybersecurity challenge. And though there are differences that may, in at least one case, fall on partisan lines, this is not a partisan debate. It is a national security debate. And it is an economic growth and security debate. I am confident we are going to go at it with national interests first and partisan interests way behind. Mr. Reitinger, welcome. This could be the last time you come before us as a witness, so we are probably going to be especially brutal in our cross examination. But, truthfully, thanks for all you have done and we welcome your testimony now.

TESTIMONY OF PHILIP R. REITINGER,\1\ DEPUTY UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Mr. Reitinger. Thank you very much, Chairman Lieberman, Ranking Member Collins, and Senator Carper, for your leadership on this issue.

---------------------------------------------------------------------------
\1\ The joint prepared statement of Mr. Reitinger, Mr. Butler, Mr. Schwartz, and Mr. Chipman appears in the Appendix on page 40.
---------------------------------------------------------------------------

The bipartisan approach and the leadership this Committee has shown on this issue has been inspiring to me and the many people I work with, and I would like to thank you, as you thanked me for my efforts, for your efforts to keep this issue on the front burner and to move forward. Clearly, where you stand depends on where you sit, and I sit in cybersecurity. I would agree with all three of you that there is no more important issue that we need to address in the immediate future than that of cybersecurity. Clearly, the threats are real and they are growing. The hackers are getting better and better and better day to day, and we are depending more and more on the infrastructure which they are attacking every day. This makes our risk profile more and more significant. It is an issue of intellectual property. Our intellectual property is being stolen.
It is an issue of identity theft and our personal information being stolen. But it is much more than that. It is a national security issue. Can we deploy our assets to defend our country? It is a homeland security issue. When you call 911, do people show up? And it is an issue of critical infrastructure protection, not just, again, are our assets taken, but is the power on? Are the phone systems working? Do we have the services we need to operate as a country? No other issue, to my mind, ties together the need for economic success, for economic security, for national security, and homeland security like this issue. This is a place where we must move forward and we must focus on outcomes. How do we ensure that government has the authorities and the processes and the private sector is moving forward in the right way to jointly advance this issue? So given the leadership that this Committee has shown, including the work that was done by it in the past Congress, the Administration worked long and hard to put together a legislative proposal which we transmitted to Congress a couple of weeks ago. Certainly, it is a broad issue, but one that does not cover all of the subjects that had been under discussion on the Hill, and we recognize that. So it is the Administration's input into the discussion and not a bill that we expect the Congress to pass without discussion. We look forward strongly to the discussions that we will have with the Members of this Committee and with the Senate and the House, generally, to make sure that we all move forward in a bipartisan way. And I cannot emphasize, as a number of the Senators did, the importance of approaching this in a bipartisan way going forward. Cybersecurity cuts across these issues. The Administration's approach over time has not been to say the work of the past Administration was wrong. Therefore, we are going to go in a different direction. 
Instead, we have tried to take the Comprehensive National Cybersecurity Initiative, which began in the Bush Administration, and continue to advance its efforts and enhance them so that we could move forward as a Nation. So this proposal does a number of things. It is divided into three main categories: Protecting the American people, protecting government systems, and protecting critical infrastructure. I am going to talk about some of the proposals in those last two categories rather briefly and then I am happy to explore them in the question and answer session. Within the protecting of the critical infrastructure, one of the things that the bill does, as the Senator indicated, is it gives DHS much clearer authority and responsibility to work in a voluntary way with the private sector. The government does not have all of the answers, but it has some of the answers and it can help the private sector. And so it gives DHS the mission and authorities to help the private sector. It, as the Chairman indicated, speeds information sharing so that we can get much better data much more rapidly from the private sector so we can have real situational awareness, a real national common operating picture of what the threats look like. And it, as was discussed in the opening statements of the Senators, creates a framework very similar in many ways to that which the Committee included in its bill that would bring private sector efforts to bear, provide benefits to the private sector companies that identify a set of risks, cybersecurity risks to be identified by DHS, as in the Lieberman-Collins- Carper proposal that came up in the last Congress, with some differences, but a very similar approach. With regard to protecting the government, the bill does a number of things. 
It takes a number of the proposals, that Senator Carper has been in the lead in advancing, in modernizing FISMA, taking the ongoing work that has been moving forward to move policy, operational, and oversight mechanisms from the Office of Management and Budget (OMB) to the Department of Homeland Security so we could unite all of those things and then have the capability to observe in real time by continuously monitoring agency networks, as it has been called for, focus on outcomes, and when problems arise, respond to them in real time. Change policy, change oversight, change mechanisms, creating that center of gravity that the Chairman referred to, to much more aggressively protect Federal networks under the Federal Information Security Management Act. It strengthens DHS's role to deploy more rapidly intrusion protection, intrusion prevention, and other mechanisms for the Federal Government, for example, resolving some of the legal questions that have slowed the deployment of EINSTEIN 2 and EINSTEIN 3 systems. We are continuing to move forward aggressively to deploy them, but the more rapidly we can do that, the better. And it gives DHS, recognizing our similar role to the Department of Defense with regard to Federal civilian networks, similar authorities with regard to personnel, so we could hire people and bring them on board as rapidly as they can in the Department of Defense. In conclusion, I would simply like to say, in reference to your comments, Chairman, I wanted to offer my thanks to this Committee. I have been with the Department a little over 2 years and it has been one of the best experiences of my life. It has been a real opportunity to serve my country. 
As I said at the start, I have found the work of this Committee and the focus that you have brought to the issue inspiring to me and inspiring to the entire team I have, including a number of people who are seated behind me, such as Assistant Secretary Greg Schaffer, who will be the Acting Deputy Under Secretary when I depart. Thank you very much for your leadership of this issue. I look forward to continuing to work with you in whatever new role comes to me. Thank you.

Chairman Lieberman. Thank you very much. We will go now to Robert Butler, Deputy Assistant Secretary of Defense for Cyber Policy. Thanks for being here.

TESTIMONY OF ROBERT J. BUTLER,\1\ DEPUTY ASSISTANT SECRETARY FOR CYBER POLICY, U.S. DEPARTMENT OF DEFENSE

Mr. Butler. Thank you, Chairman Lieberman, Senator Collins, and Senator Carper. It truly is a distinct honor and privilege to be before you today. From the Department of Defense's perspective, as has been discussed, we focus first and initially on the threat, a threat that continues to grow against our critical information systems that comes from nation states, terrorists, criminal organizations, and malicious hackers.

---------------------------------------------------------------------------
\1\ The joint prepared statement of Mr. Reitinger, Mr. Butler, Mr. Schwartz, and Mr. Chipman appears in the Appendix on page 40.
---------------------------------------------------------------------------

DOD is reliant, as you know, on the Nation's critical infrastructure, whether we are talking about deployment or employment of forces. We are critically dependent on power generation, all modes of the transportation sector, telecommunications, of course, and the defense industrial base to perform the missions that we have been assigned as well as are expected to do overseas. Just as our reliance on critical infrastructure has grown, so, too, have the threats that we are facing today.
Probably the most perplexing concern is the asymmetric threats, the threats that continue to advance in sophistication and in persistence. And so it is not just about intellectual property theft today, but the real possibility of a large-scale attack on any segment of America's critical infrastructure that would be disruptive to our way of life. I believe that fact has been recognized and encouraged discussion on the matter of what we are about to deal with today. And, in fact, as the President has stated, the status quo is really no longer acceptable, not when there is so much at stake and we can and must do better.

The most important aspect from DOD's perspective as we look at the Nation's critical infrastructure and what to do about it is really that it is not dependent upon any particular entity or party. It really requires a whole of government and really a whole of America approach, necessitating many different Federal agencies, State governments, and the private sector to work together. This proposed legislation is an important step in that direction. It breaks down the barriers to information sharing so that stakeholders can really communicate effectively. It updates the criminal statutes, such as the Racketeer Influenced and Corrupt Organizations Act, to deter criminal activity. It engages the private sector as valuable stakeholders and really strengthens the ability of the Department of Homeland Security to lead the Executive Branch in defending the Nation against this threat. As Mr. Reitinger has explained, it really advances us not only in FISMA, but in other provisions, especially in growing the next generation workforce and hiring practices and exchange of personnel. Importantly, this legislation accomplishes all of this while respecting the values of freedom and ensuring the protection of privacy and civil liberties that we cherish so deeply in our country.
The Department of Defense has an important role, as you know, in protecting the military networks and the national security systems while providing support and technical capabilities to help protect other critical infrastructure. DOD has and will continue to work hand-in-hand with the departments alongside of us here at this table as well as the other Departments within the Executive Branch and with the private sector, in countering cyber threats and protecting our national critical infrastructure. We really look forward to the leadership that this Committee has taken and working with Congress to make sure the Executive Branch has the appropriate authorities for cybersecurity and improving the overall security and safety of our Nation. Thank you.

Chairman Lieberman. Thank you, Mr. Butler. I appreciate that you are here. Next, we will go to a familiar face at the Committee, Ari Schwartz, who is here before us today as the Senior Internet Policy Advisor at the National Institute of Standards and Technology (NIST) at the Department of Commerce. Thank you for being here.

TESTIMONY OF ARI SCHWARTZ,\1\ SENIOR INTERNET POLICY ADVISOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE

Mr. Schwartz. Thank you, Mr. Chairman. It is good to be back. Ranking Member Collins, Senator Carper, and Mr. Chairman, it is a pleasure to be here and thank you for inviting me to testify on behalf of the Department of Commerce and the National Institute of Standards and Technology on the Administration's cybersecurity legislative proposal.

---------------------------------------------------------------------------
\1\ The joint prepared statement of Mr. Reitinger, Mr. Butler, Mr. Schwartz, and Mr. Chipman appears in the Appendix on page 40.
---------------------------------------------------------------------------

The main goal of the proposal is really to maximize the country's effectiveness in protecting the security of key critical infrastructure networks and systems that rely on the Internet, while also minimizing the regulatory burden on the entities that it covers and protecting the privacy and civil liberties of the public--quite a tall order. I will be addressing five important pieces of the proposal. The first is creating the security plans, as Senator Collins discussed in detail. Second is promoting secure data centers. Third is protecting Federal systems. Fourth, data breach reporting. And fifth, privacy protections.

An important theme of the proposal is accountability through disclosure. In requiring creation of security plans, the Administration is promoting the use of private sector expertise and innovation over top-down regulation. Importantly, the proposal only covers the core critical infrastructure as it relates to cybersecurity. DHS would define these sectors through an open public rulemaking process. The critical infrastructure entities will take the lead in developing frameworks of performance standards for mitigating identified cybersecurity risks and could ask the National Institute of Standards and Technology to work with them to help create cybersecurity frameworks. There will be strong incentive for both industry to build effective frameworks and for DHS to approve those created by industry. The entities involved will want the certainty of knowing that their approach has been approved, and DHS will benefit from knowing that it will not need to invest the resource-intensive approach of developing a government-mandated framework unless industry really fails to act. Covered critical infrastructure firms and their executives will have to sign off on the cybersecurity plans, subject them to performance evaluation, and disclose them in their annual reports.
Rather than substituting the government's judgment for private firms, the plan holds the covered entities accountable to consumers in the market. This encourages innovation in mitigation strategies as well as improving adherence to best practice by facilitating greater transparency, understanding, and collaboration. The main goal is to create an institutional culture in which cybersecurity is part of everyday practice without creating a slow-moving regulatory structure.

In that same spirit, the Administration also seeks to promote cloud services that can provide more efficient services and better security to government agencies and a wide range of businesses, particularly small business. To do so, the draft legislation proposes to prevent States from requiring companies to build data centers in that State, except where expressly authorized by Federal law.

The proposal also clarifies roles and responsibilities for setting Federal information security standards. Importantly, the Secretary of Commerce will maintain the responsibility for promulgating standards and guidelines, which will continue to be developed by NIST. DHS will use these standards as a basis for the binding directive and memoranda issued to Federal agencies. A working partnership between Commerce, NIST, and DHS will be essential to ensure that agencies receive information security requirements that are developed with the appropriate technical, operational, and policy expertise.

On data breach reporting, as my colleague from the Department of Justice (DOJ) will detail, the Administration has learned a good deal from the States, selecting and augmenting those strategies and practices we felt most effective to protect both security and privacy. The legislation will help build certainty and trust in the marketplace by making it easier for consumers to understand the breach notices that they receive and why they are receiving them. As a result, they will better be able to take appropriate action.
As Secretary Gary Locke and others at the Commerce Department have heard from many companies in different industries, including in response to our Notice of Inquiry on the topic last year, a nationwide standard for data breach notification will make compliance much easier for the wide range of companies that must follow 47 different legal standards today.

Finally, I would like to point out that many of the new and augmented authorities in this package are governed by a new privacy framework for government that we believe would enhance privacy protection for information collected and shared with government for cybersecurity purposes. This framework would be created by DHS in consultation with privacy and civil liberty experts and the Attorney General, subject to regular reports by the Justice Privacy Office, and overseen by the independent Privacy and Civil Liberties Oversight Board. Government violations of this framework will be subject to both criminal and financial penalties. Thank you again for holding this important hearing, and thank you for your leadership on this issue. I look forward to your questions.

Chairman Lieberman. Thanks, Mr. Schwartz. As I bid farewell to Mr. Reitinger, I should have formally welcomed you to government service.

Mr. Schwartz. Thank you.

Chairman Lieberman. You appeared before us many times in your independent advocacy role. The final expert on the panel will be Jason Chipman, Senior Counsel to the Deputy Attorney General, Department of Justice. We now look forward to your testimony.

TESTIMONY OF JASON C. CHIPMAN,\1\ SENIOR COUNSEL TO THE DEPUTY ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE

Mr. Chipman. Thank you, Chairman Lieberman, Ranking Member Collins, and Senator Carper. It is a real pleasure to be here and I appreciate the opportunity to testify on behalf of the Department of Justice about the Administration's cyber legislative proposal.
---------------------------------------------------------------------------
\1\ The joint prepared statement of Mr. Reitinger, Mr. Butler, Mr. Schwartz, and Mr. Chipman appears in the Appendix on page 40.
---------------------------------------------------------------------------

This Committee knows well that the United States confronts a serious and complex cybersecurity threat. The critical infrastructure of our Nation is vulnerable to cyber intrusions that could damage vital national resources and put lives at risk. Indeed, intruders have stolen confidential information, intellectual property, and substantial amounts of money. At the Department of Justice, we see cyber crime on the rise, with criminal syndicates operating around the globe with increasing sophistication to steal from innocent Americans. Even more alarming, these intrusions might be creating future access points through which criminal actors and other adversaries can compromise critical systems during a crisis or for other nefarious purposes.

President Obama has stated publicly that cyber threats represent one of the great challenges to the economic and national security of our country. Indeed, given the scope of the problem, as you have heard and as you know, the President has made this a significant priority for the Administration. Over the past few years, all of the agencies before you have made great progress in confronting these threats. At the Justice Department, our criminal and national security investigators and prosecutors and attorneys have been working hard establishing new units, like the National Cyber Investigative Joint Task Force, to pull together the resources of many different agencies to investigate and address cybersecurity threats. With that said and despite good work in this area, the problem is far from resolved. It is clear that new legislation can help tremendously to improve cybersecurity in a number of critical respects.
From the Justice Department's perspective, I would like to take a moment to highlight two parts of the Administration's cyber legislative package aimed at confronting identity theft and at improving the tools that we use to fight computer crimes.

First, the Administration's proposal includes a new national data breach reporting requirement. Data breaches frequently involve the compromise of sensitive personal information that subject individual consumers and citizens to identity theft or to other crimes. Right now, as Mr. Schwartz mentioned, there are 47 different State laws that apply in different situations and require reporting through different mechanisms. The Administration's data breach proposal would replace those 47 State laws with a single national standard applicable to companies and institutions that meet a minimum threshold set forward in the draft bill. If enacted into law, this proposal would ensure that companies notify consumers when sensitive personal information is stolen or compromised, and it would require that they give them information about what they can do in response to the theft or the compromise of their information. The proposal would empower the Federal Trade Commission to enforce the reporting requirements and it would establish new requirements for what must be reported to law enforcement agencies when there is a significant intrusion so that institutions like the FBI and the U.S. Secret Service can quickly work to try to identify the culprits and protect others from being victimized. We believe that the national standard would also make compliance easier for industry, which currently has the burden of operating under a patchwork of different rules.

Second, the Administration's proposal includes a handful of changes to the criminal laws aimed at ensuring that computer crimes and cyber intrusions can be investigated and punished to the same extent as other similar criminal activity.
Of particular note, the Administration's proposal would clearly make it unlawful to damage or shut down a computer system that manages or controls critical infrastructure, and it would establish minimum sentence requirements for such activities. We believe this narrow, focused proposal will provide strong deterrence to this class of serious and sometimes potentially life-threatening crimes. Moreover, because cyber crime has become a big business for organized crime groups, the Administration proposal would make it clear that the Racketeer Influenced and Corrupt Organizations Act (RICO) applies to computer crimes. Also the proposal would harmonize the sentences and penalties for violations of the Computer Fraud and Abuse Act. For example, acts of wire fraud in the United States carry a maximum penalty of 20 years in prison, but similar violations of the Criminal Fraud and Abuse Act very frequently carry a maximum of 5 years in prison. That is a discrepancy we think should be corrected.

Mr. Chairman and Members of the Committee, this is an important topic. The country is at risk. There is a lot of work to be done to protect the critical infrastructure of our country and to stop computer crimes from victimizing and threatening Americans. I look forward to answering your questions. Thank you very much.

Chairman Lieberman. Thanks, Mr. Chipman. You know, the testimony of the four of you makes clear how comprehensive the President's proposal is, of course, as is the Committee's proposal. I think both are necessarily comprehensive administrative reorganizations to better deal with the security threat, both also involve questions of how we protect civil liberties, privacy, and then what the role of the law is here. Are there not certain kinds of behavior in cyberspace that ought to be officially designated as illegal, adjusting existing legal framework? So the testimony has been very helpful. We will do a first round of 7 minutes each.

Mr. Butler, let me begin with you because in the discussion of cybersecurity, both inside Congress and outside, and various times, people have said, look, the expertise in this area and in our government is in the Department of Defense and the National Security Agency (NSA). Maybe DHS is not the right place to be given enhanced authorities, but I take it from your testimony and the process that was going on within the Administration that a decision has been made which is supported by the Department of Defense that when it comes to the dot-gov, that is, the non-Defense dot-gov and dot-com networks, that it is the Department of Homeland Security that should have primary responsibility. Is that right?

Mr. Butler. That is correct, Mr. Chairman. If you have watched the Department of Defense and the Department of Homeland Security dialogue over the last couple of years, it really has grown in the areas of collaboration. Probably one of the hallmark events was last year's signing of a Memorandum of Agreement (MOA) between Secretary Janet Napolitano and Secretary Robert Gates which laid out a foundation for new ways of collaborating as we move forward in operational planning as well as in capability development. So the sharing of technical expertise from the National Security Agency, being an element of that, the formation of a joint coordination element up at Fort Meade led by a DHS senior as part of that, the sharing of personnel between the two departments in different ways that allows a better understanding of not only capabilities but how to best satisfy information requirements, while at the same time ensuring strong oversight of privacy and civil liberties by having DHS very much engaged with the Department of Defense on looking at those issues.
So over the last year, especially, I think we have seen new ways of doing business together, certainly from Secretary Gates' perspective and the Department's perspective, and the recognition that DHS is the leader with regards to cyber protection for our Nation. We are now working towards a unifying vision for how we will protect and help enable the protection of not just dot-gov and dot-com, but working to learn from what we have experienced on the dot-mil side, as well.

Chairman Lieberman. So thank you. You actually answered my second question before I asked it, which was what are we doing to make sure that the Department of Homeland Security in some sense leverages on the expertise that DOD and NSA have rather than recreating them within the Department of Homeland Security.

Mr. Butler. So a key element of that was an agreement between the two Secretaries that we would, one, share personnel. Two is to actually develop a set of activities underneath the joint coordination element to really help us understand how we could better leverage what is in the Department of Defense today. I think a good example of that is the work being done to help with the National Cyber Incident Response Plan. And then going beyond that, looking at other efforts where we can share both in capability expertise as well as in technology what we are doing with intrusion detection and intrusion prevention systems as we move forward in time, so the EINSTEIN 3 efforts can move forward.

Chairman Lieberman. Mr. Reitinger, from a DHS perspective, how would you evaluate the relationship between your Department and DOD? Obviously, part of what you have wanted to do is build up your own expertise within DHS, but also, as I said, to leverage on what already exists in DOD and NSA.

Mr. Reitinger. Thank you, Chairman. That is exactly correct. I think we each bring unique things to the table.
Certainly, DOD has unparalleled technical expertise and cybersecurity expertise built up over the course of years. In the Department of Homeland Security, we have built up our own expertise, particularly around things like control systems, how to work broadly across a broad distributed interagency and deal with the multiple barriers that one faces in that space. As a result, I think over the course of the last year, as Mr. Butler indicated--we are very good friends--we have built up a much stronger partnership, not only having the MOA, which along with that joint coordination element works to make sure that we can stay fully operationally synced with DOD on a very tight basis. We will be developing people that will be deployed in the NSA Technology and Acquisitions Directorate so that as it develops technology, it meets Homeland Security needs, as well. We will be deploying people in the Threat Operations Center at NSA so we have full knowledge of what they are seeing from a threat perspective. And similarly, both Cyber Command and the National Security Agency will deploy elements to the National Cybersecurity Communications and Integration Center to support our operations under the National Cyber Incident Response Plan. So from Cyber Command, there will be a cyber support element, a team of people at our offices on Glebe Road, and a cryptologic support group from NSA, to similarly support what we do.

But separate and apart from the MOA, we continue to work together. We literally meet regularly with DOD at the deputies' level to make sure that we can stay fully synced at a leadership level, and Mr. Butler and I personally participate in a weekly secure video teleconference with individuals from NSA and other people from DOD and DHS so that we do not allow any delta to occur in terms of what our operational activity is so we can move together most effectively.

Chairman Lieberman. That is great to hear.
That is exactly the opposite of the kind of stovepiping that we always worry about, and obviously it is critically necessary. Mr. Butler, did you want to add anything?

Mr. Butler. Just one additional element. Building beyond the National Security Agency, we have found ways to better collaborate with the Defense Cyber Crimes Center. So as was mentioned, cyber crime is a big issue. We are working with DHS now, looking at how we can leverage forensics expertise to help not only with the defense industrial base, but helping in other parts of the critical infrastructure that we are trying to protect.

Chairman Lieberman. Mr. Schwartz, just building a little bit on your previous existence as an advocate for privacy, is it correct to assume, just to build on the record here, that if the Committee and the Administration came in with a proposal that put responsibility for the dot-com and dot-gov, particularly dot-com cyberspace into the Department of Defense and NSA, there would be real concerns in the privacy community?

Mr. Schwartz. I think that if you were to take the core critical infrastructure and put that regulatory authority primarily at the Defense Department, there would be major concerns from privacy and civil liberties groups.

Chairman Lieberman. Thank you. Mr. Reitinger, this Committee in its broad homeland security responsibility often interacts with the private sector, and when we come to a question of how we protect infrastructure, we have become accustomed to saying that 85 percent of the infrastructure of the United States is owned and operated by the private sector. What would you say that percentage is for cyberspace, if you can hazard a guess, and I am not going to hold you to this.

Mr. Reitinger. Sir, I have heard everything from 75 to 95.

Chairman Lieberman. Yes.

Mr. Reitinger. I will freely admit to you, I have never seen a rigorous analysis of this.

Chairman Lieberman. Right.

Mr. Reitinger. I think it varies from country to country.
Certainly, in the United States, it is the vast majority, and even when you talk about government critical infrastructure, in many cases, it is the State and local government critical infrastructure that is often more important on a real-time basis than the Federal critical infrastructure. So we absolutely need to work closely with our critical infrastructure partners, our State, local, tribal, and territorial partners, and our Federal Government partners to secure critical infrastructure.

Chairman Lieberman. So, bottom line, whatever the exact percentage, it is clear from what you said that there is a consensus that most of cyberspace is owned or operated by the private sector, and that makes the parts of this legislation that create and authorize new ways for the Department of Homeland Security to interact with the private cyberspace infrastructure, particularly with regard to the dot-com networks, critically important. My time is up on this round, but I will come back to that after my colleagues have the next round. Senator Collins.

Senator Collins. Thank you, Mr. Chairman. Mr. Reitinger, about a year ago, you testified before our Committee that Section 706 of the 1934 Communications Act already provided emergency authority to the President. That prompted me to actually go read Section 706 of the 1934 Communications Act, and I am not going to read all of it out loud today, but let me just read parts of it, because I think that it will emphasize two points. One, that the President's authority under this law is enormously broad, and second, that the language shows that it was written for another era. The section says that when the President finds that there is war or a threat of war or a state of public peril or a disaster or any other national emergency, that the President may cause the closing of any station for radio communication. The President may remove all the equipment and apparatus from the station.
He may authorize the use and the control of the station by any department of government. In other words, under this section of the law, the President is allowed to have the government actually take over any radio station in the United States, or close it down completely, or remove the equipment from it. Nowadays, if that were proposed, it would create a tremendous uproar and free speech concerns. This authority is far broader than the authority in our bill, since this authority does allow a government takeover of transmission equipment, and it is clearly outdated since it is tied to traditional communication facilities and it does not reach interconnected critical infrastructure entities that are not covered by the Communications Act.

We spent a lot of time, and indeed, most recently revised our bill to carefully constrain and define exactly what authority the President would have. We made it very clear that the President could not shut down the Internet, that government could not take over the Internet. There were a lot of theories in the Internet world that perhaps we wanted that. We did not, but we made it explicit in our new bill. We carefully constrained the President's authority with reporting to Congress, with time limits, with privacy limitations, by saying it has to be the least intrusive means possible. So I am very curious why the Administration, in your approach, does not update the 1934 Communications Act, which clearly speaks to a different era, and carefully define exactly what the President's authority would be. And Mr. Chipman, just to put you on notice, since you are from the Justice Department, I am going to ask you that question, as well.

Mr. Reitinger. So, thank you, ma'am. I will do my best. You are clearly correct. Let me agree with you that the statutory authorities that exist in this space were written long ago, as you said, in 1934, and were not designed with the current environment that we have in mind. There are authorities there.
That said, the Administration's bill does not include any additional emergency authorities for the President. Instead, as you point out, neither the Committee nor the Administration has sought or seeks any form of Internet kill switch. This is, however, a critical issue. Clearly, if something significant were to happen, the American people would expect us to be able to respond, and respond appropriately. To that end, we would, if something significant happens, use the authorities that we bring to bear in the right way, not to restrict Internet freedom, but to preserve Internet freedom while protecting the country, and we would do so using the authorities that we currently have and the processes that we have developed, such as the National Cyber Incident Response Plan, which details the roles and responsibilities and how we would move forward to respond to an event.

I can say, as you pointed out, Ranking Member Collins, this is a critical issue. This is an area where I think different people have different views about how the government ought to be empowered and what the constraints on the government exercise of authorities ought to be. And this is a key area where I would hope there would be further discussions between the Administration and the Congress to figure out the right set of mechanisms, if any, that were necessary to move forward in this space.

Senator Collins. Mr. Chipman, you represent the Justice Department. Why did the Justice Department not recommend amendments to the 1934 Communications Act, which is clearly outmoded, and also a carefully constrained limitation, carefully defined, on what the President could and could not do if there was a cyber emergency?

Mr. Chipman. Thank you. Senator, I think I would echo Mr. Reitinger's comments and say that, clearly, this is an important topic, and clearly, it is an issue that merits discussion, and I think it is fair to say the Administration wants to engage in that discussion with you and your colleagues.
In my experience, the issue of what emergency powers are needed tends to be very context-driven, and so the answer to that question, I think, becomes fairly nuanced depending on what type of emergency the government is facing. I think, no doubt, Mr. Reitinger is quite right. The American people expect the government to be able to respond, and I think that the work DHS has done within the interagency to create a National Cyber Incident Response Plan is quite key. But beyond that, in terms of the specifics of this particular Act, I think it merits discussion, but it is not in the Administration's proposal right now.

Senator Collins. But that perplexes me. This is an area where we should be thinking ahead about exactly what authorities we want the President to have rather than leaving it ambiguous, rather than relying on a 1934 law that allows the President to take over control of radio stations. This just does not make sense to me and I hope you will work further with us to carefully define what the authorities are and to update the law.

Let me just make one other quick comment, since my time has expired. I cannot help but be struck by the irony that we have four different departments represented here today, and that is a very good thing because it shows that the Administration is working across departments. But it is ironic, because unlike our bill, the Administration chose not to include in its bill an entity similar to the National Counterterrorism Center which would bring together within DHS representatives of all of your agencies as well as the Director of National Intelligence and other agencies so we would institutionalize the kind of coordination and cooperation that you have described is occurring informally. So it is ironic that the Administration has four departments represented here, yet has rejected the construct that we have in our bill of institutionalizing that interagency cooperation. Thank you, Mr. Chairman.

Chairman Lieberman. Thanks, Senator Collins. For the record, I share Senator Collins' sense of irony about this, truly. Also, for the record, I do think the country would be better off if we did create some new law regarding the authority of the President to act in these emergencies. As Senator Collins and I know, this can be a very controversial area because people can quite easily misunderstand. There is an admirably ferocious interest among inhabitants of cyberspace in their privacy and liberty. You know, God bless them, I agree, and so we want to hear that voice. But in the case of a really catastrophic emergency, I think we want to be clear that the President has authority to act, and frankly, in a way that the 1934 law does not make clear, that there are limits to what we want the President to do and that does require new statutes. So I pick you up, Mr. Reitinger, on your suggestion that this is an area where we should, in the best Biblical sense, reason together. Senator Carper.

Senator Carper. Thanks very much. Mr. Reitinger, as you prepare to depart, any final words of advice? Let me just ask, first, what do you feel especially good about that has been accomplished during your watch, and what are some of the areas that you think we have some serious work still to do?

Mr. Reitinger. Well, thank you, sir. It is rare to have the opportunity to say something like that, so let me just say a couple of things. I feel most happy about two things. One, the fact, as was just remarked by the Chairman and the Ranking Member, that we have four departments and agencies up here all speaking from the same voice. The fact that we have a cross-government approach, and indeed, an approach with many people in the private sector, as well, that says, here is how we think we need to move forward as a Nation.
One can agree or disagree with what that approach says, but that we are collaborating effectively under the leadership of Howard Schmidt at the White House and broadly across agencies, I think, is a very positive thing. The other thing I would say I am most happy about is the team that we have built at DHS. The fact that, going back into the prior Administration--at one point about 3 years ago, DHS had about 40 people working in cybersecurity. We are up to about 260 now and we will be growing towards 400 by the end of fiscal year 2012. So we have built a significant team with significant capabilities that brings a lot to the table, some significant expertise, and can leverage other sources of expertise in government, including DOD, the Department of Commerce, and the Department of Justice. So the people piece that we have built, both across government and with the private sector and within DHS, is the thing that I am most proud of because I believe that organizations and entities succeed or fail based on the people, and so that is what is most important to me, sir. Senator Carper. And maybe in the category of incomplete, what are some major to do's that are still out there for whoever succeeds you and the rest of us? Mr. Reitinger. Sir, there are innumerable to do's. It is an old saying, but a true one, to say cybersecurity is a journey and not a destination. As we get better and better, so will the bad guys. I can say that as a former prosecutor. They continue to share information, to develop new techniques, and so this is not a game that we are going to win. This is a game we are going to do better at and win more often, but it is not going to end. So the major thing to do that unites all of those things together is the need to keep focus on this issue, to make sure that it stays on the front burner, and to make sure that Congress and the Administration and the private sector work together to pass cybersecurity legislation as rapidly as possible. 
Before and after that legislation is passed, we need to make sure that we are doing the right things, both in implementation of measures, in development of strategy, and in hiring of people broadly across the public and private sectors that ensure that cybersecurity retains the level of importance that we have given it very broadly across the homeland security enterprise and the national security enterprise. One of the things that I like to point out is that a little over a year ago, on February 1 of last year, the Department of Defense and the Department of Homeland Security released their Quadrennial Strategies, on the same day, and in the Quadrennial Defense Review, cybersecurity received a new and increased level of importance for the Department of Defense. Similarly, in the first ever Quadrennial Homeland Security Review, cybersecurity rose to one of the top five mission areas of the entire homeland security enterprise, and that is not just DHS. That includes the private sector and multiple government agencies. So we have got the right focus on the issue. We have the right importance. It has to stay there. Senator Carper. Well, my guess is the media will help us with that, because every time there is one of these disclosures, we hear a lot about it, and that is probably not a bad thing. Just to follow up on the question I have asked you, how have things improved in recent months under the reforms that have been put in place under current law, and maybe give us some other ideas about how this proposal would further improve things. Mr. Reitinger. Certainly, sir. So we have been staffing up, as your question indicates, over the past year-plus a lot of the things that are described in the Federal Information Security Management Act reforms. We have been taking significant steps to implement under administrative processes. So in two memoranda, I believe M-10-15 and M-10-28--it is sad that I might remember this---- Senator Carper. That is sad. Mr. Reitinger. 
It is, sir. [Laughter.] Senator Carper. But I am glad at least someone is remembering that. Mr. Reitinger. I am working on this. I will work to forget them by mid-summer. Senator Carper. The next time I see you, I will say, what were those numbers? [Laughter.] Mr. Reitinger. OMB, sir, has been working, one, to move more and more towards continuous monitoring, and two, to transfer a lot of the operational responsibilities for FISMA to DHS. So we have been building up the capabilities. We have been working with the Department of Justice, in particular, to expand and roll out CyberScope, which is an online continuous monitoring tool that will be used to work more directly with the agencies, for example, holding deeper dives on agency security. It is what we call the CyberStat process, with the collaboration and work with OMB. So we have been working to roll out that greater focus, and again, in full partnership with the Department of Commerce, who has the lead on the development of standards for the Federal Information Security Management Act, to work together to deploy a focus on continuous monitoring, on real-time metrics, and we are going to continue that process, which will, in fact, accelerate if an appropriate FISMA reform act is passed. Senator Carper. All right. Thanks. Mr. Reitinger spoke proudly of the Department's ability to attract and put together a good team and still attract more, hopefully well-qualified people. But the question I have of the panel, in order to have effective cybersecurity both in government and in the private sector, we are going to need to attract a significant number of additional qualified people with the same skills as those who are seeking to do us harm. Let me just ask, what kind of job do you think we have done to date in finding those people, not just in the Department, but outside of the Department, and not just in government, but outside of government? 
Do we need to give agencies more tools to hire the right people and retain them once they are here? Mr. Butler. Mr. Butler. Thank you, Senator Carper. I will speak from a DOD perspective as well as from being in this business for a while, both on the private sector and public sector side of the house. Importantly for the Department of Defense, it is not only about today, but it is about tomorrow and the next generation workforce. And so Secretary Gates has made it a big priority. As we work through a variety of what I would call pilot initiatives--Cyber Patriot at the high school level, State competitions, National Defense Cyber Competition, I mentioned the Defense Cyber Crimes Center and its National Digital Forensics Competition--we are building not only competitions, but mentoring and coaching programs. Those mentoring and coaching programs really become, I think, the heart and soul of what we need to recruit from both a national security base and a homeland security base. Whether those individuals go into the private or public sector, we are seeing both an aptitude and an attitude about cybersecurity. I spoke for the Deputy Secretary of Defense at the Cyber Patriot Competition, which was held about a month ago, the national competition, and we are now not just pulling from military institutions and high schools and colleges, but really now creating a base that is allowing us to go across the country into the inner cities to inspire kids for the next level. We are working through, I think, with limited funding, different ways to incentivize that and to continue those programs. But to me, those are the important elements that we need to---- Senator Carper. Good. That is very helpful. I am out of time. Mr. Schwartz, just very briefly, and then Mr. Chipman, if we could do that. Chairman Lieberman. Yes. Senator Carper. Go ahead. Mr. Schwartz. 
I will say I have been in the government for 9 months at NIST and I have been really impressed with the folks that we have in NIST. I think part of that is the great environment, but it is also that hiring authority that was mentioned. At NIST, we do have direct hire authority, and we have the flexible hiring. That has given us the ability to hire and compete with others that need those cybersecurity aims. So I completely understand where this Committee has come down in terms of DHS getting similar authorities and that is in the Administration's proposal, as well. Senator Carper. All right. Thank you. Mr. Chipman. Mr. Chipman. Thank you. I would add that I know that this is an important aspect of the Administration's focus on cybersecurity, indeed, the Comprehensive National Cybersecurity Initiative that Mr. Reitinger mentioned included cyber education as a very important topic, and I know that work has continued. At the DOJ, it is certainly an important topic that is getting a lot of attention, especially at the FBI. I know the FBI in recent years has created a 5- to 7-year training program for agents to make sure that they are equipped to confront the sorts of cyber threats that we have been talking about. Senator Carper. All right. Thanks, Mr. Chairman. Chairman Lieberman. Thank you, Senator Carper. Mr. Reitinger, let me come back to the topic I raised at the end of my first round of questions and pose it in this general sense and ask you to answer it in that way, which is since we agree that most of cyberspace is in the hands of the private sector--appropriately, rightly--and we also understand that attacks on privately owned cyberspace can have very serious effects on our economy and our national security-- obviously, we know that some of these are going on right now. 
So the question is, what is the approach in the White House proposal for making sure, to the best of our ability, that the private sector is taking steps to defend itself, particularly the most critical parts of it, and in that sense to defend our country, because an attack on our privately-owned infrastructure in cyberspace, electric grid, transportation systems, or finance systems could have, in many ways, as devastating an effect as a conventional military attack? So give us an overview of what the approach is in the White House legislation to the private sector. Mr. Reitinger. Thank you, Mr. Chairman. The approach is actually, I think, as I said before, very similar to that that was in the bill that this Committee developed last year. There are a couple of concerns here. One is that, clearly, cyberspace is not an area that is amenable to extensive top-down prescriptive regulation. The technology moves too quickly. There are innumerable differences between entities. So one needs to find the right way to bring the expertise of the private sector to bear, to continue to rely on innovation to address the problem, and then also to ensure that you have the right mechanisms to ensure that homeland and national security requirements are met. And it is that last space that, I think on occasion, we have not seen as much progress as we all believe that we should have. We need to find the right way to set requirements in a way that actually reward private sector companies that are doing the right thing, that give a benefit, and make sure that without unduly restricting innovation in any way, that we do make sure that the power stays on, that the most critical of critical infrastructure can continue to operate. The approach that the Administration took is similar to the one that the Committee developed. Chairman Lieberman. Right. Mr. Reitinger. 
In essence, the Department of Homeland Security, in collaboration with the partners that you see at this table and the private sector, would develop a set of criteria for determining, again, what is the most critical of critical infrastructure. So the notion is that this would not be every part of current critical infrastructure, but absolutely the most important pieces. Chairman Lieberman. So we start with priorities. Mr. Reitinger. Yes, sir. We prioritize what has been referred to in the bill as covered critical infrastructure. Chairman Lieberman. Right. Mr. Reitinger. And for those entities, DHS would identify-- I am going to say this a bunch--again in collaboration with the government agencies you see and in the private sector, a set of risks that would need to be mitigated. So this would not be a, "Thou shalt not use this technology," but here is a risk and you need to have a mechanism to identify it. And then under the Administration's approach, DHS would not then say, here is a set of choices you have. You have to do one of them. Instead, industry, the private sector, would be responsible for putting forward frameworks of essentially performance standards and/or performance measurements that would focus not just on particular steps that you need to do, but on actual effectiveness, on measurements that would indicate how effective the measurements were, and then industry would develop a plan. So any covered entity would need to develop a plan that aligned with that framework and was evaluated under that framework for addressing the risk that DHS identified. Then, industry would also be responsible for having itself evaluated by a set of effectively certified evaluators. Chairman Lieberman. Right. Mr. Reitinger. So it would not be DHS doing the direct evaluation, but there would be entities that were chosen to do evaluations. Industry would receive those evaluations and then would publish--so the biggest lever would be transparency. 
Industry would publish the high-level description of its plan and a high-level description of the evaluation results. And then we would use that transparency to drive market activity that would enhance security in covered critical infrastructure and as a standard of care is developed more broadly throughout critical infrastructure. In addition, and as an additional incentive, there could be procurement advantages or disadvantages based on how one did in the process---- Chairman Lieberman. Explain that a little bit more. So that is the next point. I think that your description is excellent. You are right. The White House and Committee bills have a generally similar proposal, although as you know, we give DHS the authority to evaluate the plans as opposed to third-party. But is there a reward and punishment here? In other words, do industries that follow their plans get rewarded and ones that do not get, in some sense, punished? Mr. Reitinger. So, yes, sir. There are a number of different levers, or levels, and I might ask Mr. Schwartz to supplement this, because he has a particular taxonomy that I happen to like. But in essence, one, your evaluation results will be published, so there is a direct ability of the market, your key partners and customers to take that into account. Second, the activity, the process of developing these frameworks and plans is going to start to create a standard of care that entities will need to step to over time, perhaps for insurance purposes, perhaps for other purposes. Last, DHS is directed to work with the Federal Acquisition Council so that the results of these evaluations can appropriately be taken into account in Federal procurements, which will provide an additional incentive to private sector players. 
It is very much intended to be a light-touch approach, but one that we believe, over time, will move the private sector and critical infrastructure in the right way, will reward the companies that are doing a very good job, and will get us to a more secure state in the future. With your permission, sir, I would like to ask Mr. Schwartz to supplement that. Chairman Lieberman. The resident taxonomist. Mr. Schwartz. Getting to this balance of the right levers and incentives is really the key to answer these questions for covered critical infrastructure as we see it in the plan, and there are a number of incentives that you have identified in your bill that we have put forward here; most of them are similar. The question is getting at the right particular balance between them. The taxonomy that Mr. Reitinger is referring to breaks down to four different areas that are somewhat related. One is the effects of public disclosure for cybersecurity performance. Chairman Lieberman. So a kind of public incentive or shame? Mr. Schwartz. Well, the second, I would say, is reputation and risk---- Chairman Lieberman. Right. Mr. Schwartz. It is more that they know that markets may act on it. Where the second is, really, if they do things completely wrong, then you are going to have brand impact, potentially, where markets really exist in that space. Chairman Lieberman. OK. Mr. Schwartz. And the third is access to government procurement, so questions about procurement, and our bill links it to the Federal Acquisition Regulation (FAR) and---- Chairman Lieberman. In other words, you can make some more money. You will have preference in selling, or offering services to the government. Mr. Schwartz. Correct. And the fourth is perceived litigation risk that shareholders or others may come forward with, and that would have to work out over time, as well. But we are open, and we do not claim to have everything in perfect alignment or balance in terms of these levers. 
No one can know exactly what will happen in terms of getting this right, but we can work together with you to try and come up with what we think is the best solution. So we are completely open to having this discussion about what are the best incentives moving forward. Chairman Lieberman. Good. No, that is very helpful, because our bill, as you know, has a provision for limited liability protection as another incentive, consistent with the Administration approach to the private sector to take preventive, defensive action so that, in one case, if they did, they would be protected, for instance, from punitive damages and liability. In the extreme case of a President taking action in a catastrophic case, whether under the old law or under our proposal, to protect really the national interests, there would probably be claims, significant ones, against some elements of the cyberspace community, and the question there that we raise is whether they ought to be protected from liability overall because they were acting pursuant to an order of the President of the United States. Do either of you want to comment on the general subject of offering some liability protection to the private sector as an additional incentive beyond what the White House proposes to the private sector to cooperate? Mr. Reitinger. I think I would simply say two things, Mr. Chairman. One, as Mr. Schwartz indicated, and maybe I will call that the Schwartz taxonomy--the balance--there are different ways to tweak it, and I think we would be happy to continue to discuss that with you. Second, there are some liability protections, not under this particular provision dealing with the overall incentives regime for the private sector, but to the extent that the private sector shares information with government or is assisting government with protecting dot-gov, there is both an immunity and a good faith immunity that is written into that section of the statute. Chairman Lieberman. 
Do you want to add anything, Mr. Schwartz? Mr. Schwartz. I will just say, it is similar to my comments about being open to the levers---- Chairman Lieberman. Yes. Mr. Schwartz [continuing]. That we are definitely interested in having this discussion with you to further figure out how we can come up with the right balance here, and this fits into that discussion. Chairman Lieberman. This could, unfortunately, end up as a real obstacle to the passage of the bill, the failure to do something about liability, and I think it would be good if we worked together to try to find a common ground. Thank you. Senator Collins. Senator Collins. Thank you. Let me first endorse the Chairman's comments on liability and encourage you to take another look at our bill. I want to follow up on the issue of how you handle critical infrastructure. In the statement, it says that the White House proposal emphasizes transparency to help market forces ensure that critical infrastructure operators are accountable for cybersecurity, and it goes on to say there would be new requirements for reporting to the Securities and Exchange Commission, that there would be publication of a summary of the evaluation results, and I must say, these provisions surprise me, and the reason that they surprise me is the list of critical infrastructure is now classified. Now, granted, I am sure that many Americans and many of those who would do us harm could obviously figure out what a lot of the critical infrastructure sites and capabilities are, but the fact is, the list is classified. So are you planning to change the classification and make the list public? Mr. Reitinger. Thank you, Ranking Member Collins. This would actually be a different list and one that is of somewhat lower sensitivity. The list that you are referring to references or includes classified or tiered systems and assets. Senator Collins. Yes. Mr. Reitinger. This would actually be a list of entities as opposed to specific assets. 
So instead of, for example, this generation facility, it would be this company that owns a number of different generation facilities, and I think that is of a lower level of sensitivity, and, in fact, is much more broadly known to the public. Second, if one is going to bring public transparency disclosure levers to bear, one needs to have that information open. So in this case, we drew the conclusion that the list of entities, of critical infrastructure entities, would need to be public in order to move forward in this way. Senator Collins. But you also go on to say that there would be a summary of the security plan and the evaluation of that plan would be publicly accessible. My concern is, we do not want to give those who would do us harm a roadmap to how to attack our critical infrastructure. If, in fact, you publicize, even at a broader level, what the critical infrastructure is and then require publication of a summary of the security plan, and this part is the most troubling part to me--the publication of the evaluation of that plan, are you not providing very valuable information to not only cyber criminals, but perhaps terrorist groups or nation-states that are constantly trying to probe our systems? I am really surprised that you want that to be public. Mr. Reitinger. Yes, ma'am. I understand. If you will note the section, it specifically requires that only a high-level description of the plan and only a high-level description of results would be published, and specifically requires that in the regulations to be developed by the Secretary that information not be reported to such a detail that it would impair the security of that entity. In point of fact, critical infrastructure entities are tested and probed all the time. That is simply the nature. I do not believe that on the level of reporting we would intend to require in going forward that we will increase the level of risk of those entities. 
In fact, if the publication of the results causes such entities to say, well, we need to do a much better job, then the regime is going to be having the effect we intend in that they will rapidly move to enhance their own security. Senator Collins. But that is a name and shame approach, essentially, that you are hoping that there will be public criticism or press scrutiny that will essentially embarrass these entities into doing a better job. To me, if they are not doing a good job, then DHS goes in and applies sanctions or requires a better security plan. I do not think the answer is to make the weakness public. And the fact is that even if, in your scenario, it encourages that entity to do a better job, it is also telling very sophisticated computer hackers that this is an entity that they should focus on and that has some security lapses. I really hope you will take another look at that. I understand what you are trying to do, but I think that you are also giving information to the enemy. Mr. Reitinger. Just a couple of comments, ma'am, and I appreciate that. I understand your level of concern, which is appropriate. What I would say is, briefly, it is not just that the entity would receive shame, but that the market would actually take that into account, that if you are a more secure entity as opposed to a less secure entity, then business partners and not just government may want to do work with the more secure entity because it gives them a higher level of assurance. So it is not just the name and shame. It is actually to drive market effects. The second thing is we would intend that any publication of results be at such a high level that it would not increase the level of security, or the level of threat that an entity would face, but instead would merely make the public aware of the overall level of security. Senator Collins. 
But if it is sufficient to cause a business to no longer do business with that entity, it is sufficient to wave a red flag at those who would do us harm. That is my point. I do not think you can have it both ways. If the vulnerability that is revealed or the poor evaluation that is published is sufficient to cause other commercial entities to refrain from doing business with this section of the critical infrastructure, then surely it is going to be sufficient to prompt a computer hacker or terrorist group or Russia or China to redouble its efforts. I just think we need to think about that issue. Let me just quickly switch to another issue, since my time is expiring rapidly. Mr. Schwartz, because of your background on privacy, and you have always been such a help to our Committee as we have wrestled with those issues, I want to talk to you about the idea of the national law for data breach reporting. My first reaction is that that is a good idea, that there should be more uniformity. I think it would be easier for consumers as well as for businesses to not have to figure out what an individual law in one of those 47 states that has them means in their particular case. Are you talking about just a uniform nationwide reporting of breaches, or are you also talking about having uniform remedies for what a company has to do when there is a breach? I ask this not looking for any particular answer, but just to better understand what you are proposing. Mr. Schwartz. The focus is really on the reporting and making sure that consumers get the same information as the law enforcement and others that work on these issues receive. Also, the focus is to make sure that they are getting the right information about the cases so that we can go after the bad guys when a breach has happened and is tied to something more than simply a lost laptop or something like that. 
But, we need to try to figure out how to best get to that kind of level where consumers get the same information, and it is actionable. We think that what we have come up with moves us forward in that regard. We have had a lot of experimentation in the States. We have learned a lot from that. We think that it has been a useful avenue and that those laws have been successful. It is time to move forward and make sure that we can capitalize on that at this point. Senator Collins. Thank you. Chairman Lieberman. Thanks, Senator Collins. Senator Carper. Senator Carper. Just to follow up on the last question that Senator Collins was pursuing, and Mr. Chipman, feel free to jump in on this, as well. Former Senator Robert Bennett of Utah and I had worked on disclosure legislation in at least the last Congress, maybe the last two Congresses. We were on the Banking Committee, and this was an area where other committees had jurisdiction. Do either of you know in the Administration's proposal what legislation you drew from in order to prepare and present the Administration's proposal in this regard? Mr. Chipman. I am not sure if we drew from that particular proposal. I think a number of different bills and ideas in this area were looked at. Senator Carper. We could never move the legislation forward because we were on the Banking Committee. We had some jurisdiction. The Commerce Committee had some jurisdiction. The Judiciary Committee had some jurisdiction. Because of jurisdictional grounds, we could never move anything forward. How have you acted this way to help us thread the needle here? Mr. Schwartz. Well, I think, again, coming back to this partnership between the different agencies involved, we had all of our equities lined up and tried to work together to develop this in a way that worked for all of the different jurisdictions that you would have to have issues with, where we could have this kind of conversation to move past some of those concerns. Senator Carper. 
I want to go back to another point that Senator Collins was making and talking a little bit about the name and shame. We got into a little discussion of how do we harness market forces to help drive good public policy behavior. We can have all the laws on the books, we can have regulations on the books, and we can have prosecutors out there trying to capture the bad guys and put them in jail, but to the extent that we can harness market forces to help us solve this problem or address these challenges, that is a very good thing. Does anybody want to talk a little bit more about that for us, please? Anybody at all? Mr. Schwartz. This comes back to how to get those incentives right, and we agree with the way that you framed it that market forces are extremely important, especially because we cannot expect the government to be able to go into all of these different areas that we are going to consider to be covered critical infrastructure in this space and have exact knowledge of how to operate in each of those areas from the beginning. What we can do is to work in a public-private partnership, especially on the Internet, where we have so many public-private partnerships, and try and come up with solutions that work for the market. We feel as though the security plans process moves us much further down that line and that will help us build innovation in the mitigation strategies in a way that the government approach, the government coming in, cannot do. Senator Carper. All right. Thanks. Mr. Chipman, the Administration's testimony mentioned that our critical cyber infrastructure is attacked repeatedly. We all know that. In addition, sensitive, personal, government, and business information is stolen online all the time. How often are we able to actually catch and successfully prosecute the individuals or the groups who commit these crimes? How will the Administration's proposal help further with these efforts? Mr. Chipman. Thank you. You are quite right. 
The amount of cyber crime, the number of intrusions, is growing, and they are challenging cases to bring, for sure. There is a level of anonymity on the Internet at times that make these hard cases to bring. Many times, there are actors outside of the United States and it is simply hard to find out where they are or who they are to bring cases against them, though we have had a fair amount of success in recent years. In 2009, I believe, there were over 150 cases brought. We have had a number of recent successes bringing down large organized crime rings engaged in mainly banking fraud and other types of computer intrusions to steal money, credit card numbers, and things like that. I think the proposals in the Administration's cyber package will help in a number of ways. They will help harmonize laws relative to penalties and will add a few tools to the tool box, for example, making clear that computer crimes are a RICO predicate. I think that will help and it will add to the tools that we can bring to bear in these cases. Senator Carper. All right. I am going to be leaving. I do not know if you all are going to stay on for another round here or not, but let me just ask you as we conclude here, or at least as my participation concludes, would you all just take maybe a minute apiece and reflect on what has been said here, what you have said, what you have heard others say, the questions that have been asked, and the answers given, and maybe just give us some concluding thoughts, starting with you, Mr. Chipman, then concluding with Mr. Reitinger. Mr. Chipman. Sure. Thank you very much. I think I am struck here by how collaborative, as Mr. Reitinger and others have mentioned, this process has been within the Executive Branch in terms of trying to, as Mr. Schwartz said, trying to get the balance right. Senator Carper. It reflects this Committee, does it not? Mr. Chipman. That is what I was about to say. 
And I am struck by what I hope is the start here of a very collaborative process with all of you and others, and I think I can fairly speak for the Administration in that regard. Senator Carper. All right. A closing thought, Mr. Schwartz? And I understand your father is here, is that right? Mr. Schwartz. That is right. Senator Carper. If we were to line all the men up here in this room in a row, do you think we could pick him out? Mr. Schwartz. He looks a lot like me. He is in town for a conference, and this just happened to work out. Senator Carper. There is no denying who your father is. We welcome your dad and thank him and your mom for instilling some really good values in you to get you to this place today. Mr. Schwartz. Thank you, Senator. So, briefly, the one thing I would say, it is on this point that you raised before about public-private partnerships and getting the market moving in the right area. Our work over the past year from the Internet Policy Task Force that Secretary Locke helped put together at the Commerce Department, we received a lot of comments from the private sector on this and I think they really are incentivized right now to try and move forward in the right way, at least those that have been paying attention to this space, and they want to move forward in the right way. I think we can put together those best practices that can build a framework for success in these different areas, and we should use that to our advantage now while we have it. Senator Carper. All right. Thank you. Any closing thoughts, Mr. Butler? Mr. Butler. Sure, Senator Carper. My sense is that it is collaboration and not being complacent with where we are, to continue to build on the collaboration. People have mentioned partnerships. It is interagency. It is with the Congress. It is certainly with industry and focusing on not just the easy areas, but the hard areas that we need to work through. 
As the Administration announced last week, there is an international aspect that needs to be taken into account as we move forward in time. Senator Carper. All right. Thank you. Mr. Reitinger. Mr. Reitinger. Thank you, Senator. Just briefly, I think it is important to recognize that we do not have all the answers in government. I do not think the private sector has all the answers and I do not think all the answers exist on the Hill. This is going to take all of us working together. This is not a question of, for example, the government coming in and saying, the private sector is not doing its job, it needs to do a better job, and it is pounding the table, or them coming in and saying the same thing. We need to find the right way to bring the capabilities of government together with the capabilities of the private sector, and we very much look forward to continuing to work with the Members of this Committee and Congress generally to make sure we get the balance right as cybersecurity legislation moves forward. Senator Carper. All right. Thanks. And as you prepare to weigh anchor and head out into the other uncharted waters, an old saying we have from my days in the Navy, is fair winds and a following sea. We thank you for your service and wish you Godspeed. Mr. Reitinger. Thank you. Chairman Lieberman. Thanks, Senator Carper. Thanks to all of our witnesses. Since I now know your father is here, Mr. Schwartz, I want to say in his presence, Senator Collins and I were remarking that by your testimony over the years, you have really built up a lot of credibility with the Committee. You have been straight ahead and presented your arguments well, never contentiously. Occasionally, we have a contentious witness from an advocacy group here. It is a pleasure to be able to share that private conversation in the presence of your father. I thank all of you for the testimony. 
I want to come back and say that Senator Reid, I believe working with Senator McConnell, is now talking about setting up different groups to negotiate with the Administration on different parts of the bill to try to expedite it forward. Senator Collins, I am under the impression that one of the things holding up the immediate initiation of those negotiations is something that is another favorite of yours and mine, and talk about irony, these folks are going to be testifying before five more committees of Congress, in the next week and a half, and therefore, their staffs are preoccupied with that and not able to initiate the negotiations. We have had a longstanding interest pursuant to a recommendation of the 9/11 Commission to try to reduce the number of committees that people have to testify before. We have been pretty good at reforming the Executive Branch of Government, less successful at reforming the Legislative Branch. Anyway, I thank you very much. We are really going to push full steam ahead here, to continue the nautical metaphors of Senator Carper, and hope to get this to the floor as soon as we possibly can, hopefully with a good consensus approach. But thank you for everything you have done, the considerable work that was done. We were impatient, but when you produced the Administration proposal, it was not an outline, it was legislation. It was quite comprehensive. And, of course, we like it because it is very much like what we proposed in our Committee bill. So we look forward to taking it from here together to enactment. We are going to keep the record of the hearing open for 15 days for any additional questions or answers. I thank Senator Collins, Senator Carper, and all of you. And with that, the hearing is adjourned. [Whereupon, at 12:23 p.m., the Committee was adjourned.] A P P E N D I X ----------