[Senate Hearing 112-167]
[From the U.S. Government Publishing Office]

S. Hrg. 112-167

CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM

=======================================================================

HEARING
before the
SUBCOMMITTEE ON CRIME AND TERRORISM
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION

APRIL 12, 2011

Serial No. J-112-16

Printed for the use of the Committee on the Judiciary

U.S. GOVERNMENT PRINTING OFFICE
71-412 PDF
WASHINGTON : 2011

COMMITTEE ON THE JUDICIARY

PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin
DIANNE FEINSTEIN, California
CHUCK SCHUMER, New York
DICK DURBIN, Illinois
SHELDON WHITEHOUSE, Rhode Island
AMY KLOBUCHAR, Minnesota
AL FRANKEN, Minnesota
CHRISTOPHER A. COONS, Delaware
RICHARD BLUMENTHAL, Connecticut
CHUCK GRASSLEY, Iowa
ORRIN G. HATCH, Utah
JON KYL, Arizona
JEFF SESSIONS, Alabama
LINDSEY GRAHAM, South Carolina
JOHN CORNYN, Texas
MICHAEL S. LEE, Utah
TOM COBURN, Oklahoma

Bruce A. Cohen, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director

------

Subcommittee on Crime and Terrorism

SHELDON WHITEHOUSE, Rhode Island, Chairman
HERB KOHL, Wisconsin
DIANNE FEINSTEIN, California
DICK DURBIN, Illinois
AMY KLOBUCHAR, Minnesota
CHRISTOPHER A. COONS, Delaware
JON KYL, Arizona
ORRIN G. HATCH, Utah
JEFF SESSIONS, Alabama
LINDSEY GRAHAM, South Carolina

Stephen Lilley, Democratic Chief Counsel
Stephen Higgins, Republican Chief Counsel

C O N T E N T S

----------

STATEMENTS OF COMMITTEE MEMBERS

Kyl, Hon. Jon, a U.S. Senator from the State of Arizona
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode Island

WITNESSES

Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, DC
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal Investigation Division, U.S. Secret Service
Savage, John E., Professor of Computer Science, Brown University, Providence, Rhode Island
Schneck, Phyllis, Vice President and Chief Technology Officer, Global Public Sector, McAfee Inc., Reston, Virginia
Snow, Gordon M., Assistant Director, Cyber Division, Federal Bureau of Investigation
Weinstein, Jason, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice

QUESTIONS AND ANSWERS

Responses of Stewart A. Baker to questions submitted by Senator Hatch
Responses of Pablo A. Martinez to questions submitted by Senators Whitehouse and Feinstein
Responses of Pablo A. Martinez and Gordon M. Snow to questions submitted by Senators Hatch and Klobuchar
Responses of Gordon M. Snow to questions submitted by Senators Feinstein, Whitehouse, Klobuchar and Hatch
Responses of John E. Savage to questions submitted by Senator Hatch
Responses of Phyllis Schneck to questions submitted by Senator Hatch
Responses of Jason Weinstein to questions submitted by Senators Hatch and Whitehouse

SUBMISSIONS FOR THE RECORD

Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, DC
Global Energy Cyberattacks: ``Night Dragon'', McAfee Foundstone, February 10, 2011, report
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal Investigation Division, U.S. Secret Service
Savage, John E., Professor of Computer Science, Brown University, Providence, Rhode Island
Schneck, Phyllis, Vice President and Chief Technology Officer, Global Public Sector, McAfee Inc., Reston, Virginia
Snow, Gordon M., Assistant Director, Cyber Division, Federal Bureau of Investigation
Weinstein, Jason, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice

CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM

----------

TUESDAY, APRIL 12, 2011

U.S. Senate,
Subcommittee on Crime and Terrorism,
Committee on the Judiciary,
Washington, DC.

The Committee met, pursuant to notice, at 2:38 p.m. in room SD-226, Dirksen Senate Office Building, Hon. Sheldon Whitehouse, Chairman of the Subcommittee, presiding.

Present: Senators Whitehouse, Feinstein, Klobuchar, Coons, Blumenthal, Kyl, and Hatch.

OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR FROM THE STATE OF RHODE ISLAND

Chairman Whitehouse. Good afternoon, everyone. Thank you all for being here. Today's hearing takes on a topic of vital importance: Cyber Security: Responding to the Threat of Cyber Crime and Terrorism.

We live in the most connected and technologically advanced country in the world. Our electrical engineers, computer scientists, and technology companies have changed the way that the world does business, made our daily lives safer and more enjoyable, empowered free speech in repressive states, and brought the world closer together.
These remarkable innovations unfortunately also have given criminals, terrorists, and hostile states new opportunities to steal American property, disrupt our way of life, and compromise our National security.

American consumers are now subject to endless swindles achieved by spear phishing e-mails, malware that turns their computers into unwitting bots sending out malicious spam, or the many varieties of identity theft cooked up by cyber crooks to steal hard-working Americans' privacy and money.

Our country's businesses likewise are under assault by foreign agents who seek to steal American intellectual property, a crime that has reportedly led to the loss of over $1 trillion of value to date; and by criminal hackers who seek to empty out corporate accounts or to blackmail companies by threatening to release stolen trade secrets.

These crimes hurt companies' bottom lines and they rob us of American jobs, shuttering small businesses by stealing their core intellectual property, making a new product line unprofitable by letting a foreign company reap the benefit of American research and development, or even preventing the next great American company from bringing the next great innovation to market.

Key elements of our Nation's critical infrastructure such as our electrical grid, financial services system, and telecommunications networks have been probed by malicious actors and in some cases compromised, with the possibility that hostile state actors have buried latent attacks that they can trigger when it would hurt us most.

Even our Government, civilian, and military networks are under constant and successful attack.

We need to do more to defeat the massive and worsening cyber threat. I am not alone in this belief. The Majority Leader has recognized that the Senate should act on cyber security legislation. The Commerce, Homeland Security, Intelligence, and Armed Services Committees have been hard at work.
This Committee, under Chairman Leahy's leadership, has reported data breach legislation and last week held a hearing that has considered reform of the Electronic Communications Privacy Act. And we hope and expect the administration to weigh in shortly with its proposals to improve our Nation's cyber security.

The Senate has important work ahead. It may be hard and complicated work, but I believe that we can accomplish this task in a bipartisan and well-considered fashion. I particularly look forward to working on this vital national issue with the Ranking Member of this Committee, Senator Jon Kyl. I know that this is a topic of serious interest and prior work for you, Senator Kyl, and I believe we will make a lot of progress together. I am very happy, for example, to be working with you to improve public awareness of the cyber security threats facing our Nation on a bill that I hope we can file shortly, and to go on to work on legislation to provide a safe space for joint defense by our private industries to take place.

Today's hearing will explore the nature, scale, source, and sophistication of cyber attacks against consumers, Government agencies, and businesses and industries and compare that to the resources that our Government currently brings to bear on these attacks, as well as investigative and prosecutorial successes and limitations. And it will consider the ways in which the private sector is able to collaborate with law enforcement to defend against and respond to cyber attacks.

We are lucky to have two very strong panels of expert witnesses from inside and outside the administration, including a distinguished professor from Brown University in my home State of Rhode Island, which I am happy to note is already at the forefront of the cyber security field. I thank all of the witnesses for being here today.
Before I turn to Senator Kyl, let me flag my serious concern that our prosecutorial and investigative resources are not appropriately scaled to the threat we face. Even in this time of budget cutting, given the enormous stakes, the cyber threat is simply too dangerous to leave underresourced.

Again, I thank the witnesses for being here and now turn to the Ranking Member, Senator Kyl, for his opening statement. Senator Kyl.

STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF ARIZONA

Senator Kyl. Thank you, Mr. Chairman, not only for holding this hearing today but for the remarks that you just made. As one former member of the Intelligence Committee to another, I have been deeply impressed by your commitment to cyber security and your command of the associated issues and look forward to what will be the first of many hearings on this subject before this Subcommittee.

I am also pleased to have been able to work with you to draft the forthcoming legislation that you mentioned regarding cyber security awareness. While this bill may be considered chiefly a place holder for things to come, I think it is an important step because of the multitude of topics that it covers, and that multitude speaks to a larger point and problem.

I know of your frustration that Congress has waited for so long to get cyber security legislative proposals from the White House. This delay has complicated the Congress' task of passing comprehensive cyber security legislation. By my count, there are more than seven full committees on the Senate side alone, including the Judiciary Committee, that will be involved in drafting a comprehensive bill. This will take time, and we are long overdue for the President to share his proposals for cyber security legislation so that we can get started.
I am eager to hear from our expert witnesses about how they think Congress should differentiate cyber crime and cyber warfare directed by a state or terrorist group, especially since, I would argue, it does not much matter if a crippling attack on our electric grid, banking system, or other critical infrastructure, or the wholesale theft of billions of dollars of U.S. intellectual property, defense related or purely commercial, is being directed by a cyber mafia or a cyber army. It is the responsibility of this Government to stop the attack either way. If we are just focusing on prosecuting these attacks of cyber crime, then I would say we have failed.

So I look forward to the testimony of our witnesses, Mr. Chairman, and I hope there will be stimulating and informative rounds of questions thereafter. Thank you.

Chairman Whitehouse. Thank you, Senator Kyl. If I could ask the witnesses to stand for the oath.

Do you affirm that the testimony you are about to give before this Committee will be the truth, the whole truth, and nothing but the truth, so help you God?

Mr. Weinstein. I do.

Mr. Snow. I do.

Mr. Martinez. I do.

Chairman Whitehouse. Thank you very much. Please be seated. We will just go right across the table with the witnesses, beginning with Jason Weinstein.

Jason Weinstein currently serves as Deputy Assistant Attorney General in the Department of Justice's Criminal Division where he oversees the Division's efforts to combat computer crime and intellectual property crime, as well as anti-gang and violent crime efforts and human rights and human-smuggling programs. Before joining the Criminal Division, Mr. Weinstein served as chief of the Violent Crimes Section of the U.S. Attorney's Office in Baltimore and before that as an Assistant United States Attorney in the U.S. Attorney's Office for the Southern District--the Sovereign District--of New York.
We are delighted that he is here, and your full statement will be a matter of record, so if you could please make whatever statement you would like to make orally within the allotted time, I would appreciate that.

STATEMENT OF JASON WEINSTEIN, DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE

Mr. Weinstein. Thank you, Mr. Chairman. The Sovereign District of New York jokes got a lot funnier after I moved to Baltimore.

Good afternoon, Chairman Whitehouse, Ranking Member Kyl, and other members of the Subcommittee, and I thank you for the opportunity to appear before you today.

As we all know, the explosive growth of the Internet and other modern forms of communication has revolutionized nearly every aspect of our daily lives. But at the same time, it has also revolutionized crime, and increasingly the Internet is being exploited by criminals throughout the world to commit a staggering array of crimes. From around the corner or around the globe, skilled hackers work every single day, and many times every day, to access the computer systems of Government agencies, of universities, banks, merchants, and credit card companies to steal large volumes of personal information and to perpetrate large-scale data breaches that leave tens of millions of Americans at risk of identity theft.

Our information infrastructure is under constant attack from these criminals as well as from terrorists and nation states that seek to exploit our dependency on information technology to threaten both our economic and our National security.

So for these reasons, now more than ever cyber security has to be a national priority. This administration is committed to implementing a comprehensive framework that will allow us to bring all appropriate tools, criminal and otherwise, to bear against cyber criminals, terrorists, and other malicious actors. And the Department of Justice plays a critical role in that effort.
The Justice Department works closely with our partners throughout the Government to support the Nation's efforts to support cyberspace, including by providing legal support and helping to ensure that we vigorously protect privacy and civil liberties. The Department also plays a leading role in counterintelligence and national security investigations that uncover threats to our computer networks from terrorists and state actors.

But perhaps one of the Department's most important contributions to the Nation's overall cyber security is the investigation and prosecution of cyber criminals as we seek to incapacitate and punish the cyber criminals of today and to deter the cyber criminals of tomorrow. And in that important work, our prosecutors from the Criminal Division, from the National Security Division, and from the U.S. Attorney's Offices enjoy very strong relationships with our law enforcement agency partners, and in particular with the other two agencies represented on the panel with me today--the FBI and the Secret Service.

Those strong relationships and the dedication and skill of our prosecutors and our agents have led to a number of major enforcement successes, including the following:

In August of 2008, the Department, working with the Secret Service, announced one of the largest hacking and identity theft cases ever prosecuted, in which charges were brought by the U.S. Attorney's Offices in three different districts--Massachusetts, Southern California, and Eastern New York--against 11 members of an international ring responsible for the theft and sale of more than 40 million credit and debit card numbers that had been stolen from major retailers. The defendants were from all over the world--from the U.S., from Estonia, Ukraine, China, and Belarus--and they included one of the world's top hackers, Albert Gonzalez.
Gonzalez pled guilty to the charges and was sentenced to 20 years in prison, which is one of the longest sentences ever imposed in a hacking case.

In November 2009, following a year-long investigation led by the FBI, the Department announced the indictment in the Northern District of Georgia of a hacking ring responsible for executing a global fraud scheme involving defendants from Estonia, Russia, and Moldova. The defendants were charged with hacking into a network operated by the credit card processing company RBS WorldPay, compromising its data encryption and then providing a network of cashers throughout the world with counterfeit payroll debit cards. Those cashers used those cards to withdraw over $9 million from more than 2,100 ATM machines in at least 280 cities worldwide, and they conducted that coordinated global cashing operation in less than 12 hours.

Those cases as well as the others referred to in my written testimony illustrate the scope of the Department's efforts to pursue cyber criminals. But, significantly, they also reveal the global nature and the global reach that cyber criminals can have.

The criminals responsible for those and other large-scale intrusions often live in and operate from foreign jurisdictions. It is often literally impossible to identify, arrest, and prosecute the offenders or to obtain critical evidence that we need to prosecute the offenders without the assistance of foreign law enforcement. And for that reason, our work does not stop at our shores. Due to the transnational nature of most cyber security incidents, continued close coordination and cooperation with our foreign partners is critical to our success. And in that connection, we rely on the International Convention on Cyber Crime to provide a framework for efficient cooperation among nations involving electronic crime.
The Department is proud of these cases and all of our cyber security efforts, but there should be no doubt, as the Chairman and the Ranking Member said, that the cyber threats to our Nation are growing and evolving, and we must remain vigilant and prepared to confront them, and we will continue to work with our Government and private sector partners and the Congress to meet that challenge.

Thank you for the opportunity to be here today to discuss this issue with you, and I would be pleased to answer your questions.

[The prepared statement of Mr. Weinstein appears as a submission for the record.]

Chairman Whitehouse. Thank you very much. We are delighted to have you with us.

We will go on next to Gordon Snow, who is the Assistant Director of the Cyber Division at the Federal Bureau of Investigation. He was named section chief of the Bureau's Cyber Division in January 2008 and now leads the Division's Cyber National Security Section and the National Cyber Investigative Joint Task Force. From January 2008 to January 2009, he was detailed to the Director of National Intelligence on the National Counterintelligence Executive. During that assignment, he led the effort in drafting the government-wide Cyber Counterintelligence Plan under the Comprehensive National Cyber Initiative. Prior to that, Mr. Snow's work with the FBI took him to Afghanistan as the FBI's on-scene commander for the Counterterrorism Division, to Silicon Valley working on the High Value Computer Crimes Task Force, and to Yemen and East Africa.

Thank you, Mr. Snow. Glad to have you with us.

STATEMENT OF GORDON M. SNOW, ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION

Mr. Snow. Good afternoon, Chairman Whitehouse, Ranking Member Kyl, and members of the Subcommittee. I am pleased to appear before you today to discuss the cyber threats facing our Nation and how the FBI and our partners are working together to respond to the threat of cyber crime and terrorism.
As the Committee is aware, cyber attacks have increased over the past 5 years and are expected to grow. We have reached the point that, given enough time and motivation and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet.

The FBI has identified the most significant cyber threats to our Nation as those with high intent and high capability to inflict damage or death in the U.S., to illegally obtain sensitive or classified information, or to illicitly acquire assets.

I would like to focus my remarks today on a few of the many threats facing the private sector, including threats against infrastructure, intellectual property, individual businesses, and our partnerships to address these threats.

U.S. critical infrastructure faces a growing cyber threat due to the advancements in the availability and sophistication of malicious software tools. The recent security breach by unauthorized intruders into the parent company of NASDAQ is an example of the kind of breaches directed against important financial infrastructure. Industrial control systems, which operate the physical processes of the Nation's pipelines, railroads, and other critical infrastructures, are at great risk of cyber exploitation. Similarly, new ``smart grid'' and ``smart home'' products could also be exploited by cyber criminals, nation states, and terrorists. These systems need to be developed and implemented in ways that will provide protection from unauthorized use.

Intellectual property rights violations, including theft of trade secrets, digital piracy, and trafficking in counterfeit goods, also represent high cyber criminal threats, resulting in losses of billions of dollars in profits annually. These threats pose significant risk to U.S. public health and safety via counterfeit pharmaceuticals, electrical components, aircraft parts, and automobile parts.
Cyber criminals are forming private, trusted, and organized groups to conduct cyber crime. The adoption of specialized skill sets and professionalized business practices by these criminals is steadily increasing the complexity of cyber crime. One facet of this is botnets, or networks of compromised computers controlled remotely by an attacker. Criminals use botnets to facilitate online schemes that steal funds or data, to anonymize online activities, and to deny access by others to online resources. The botnets run by criminals could be used by cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber attacks, or disrupt access to critical national infrastructure.

The potential economic consequences are severe. Often businesses are unable to recover their losses, and it may be impossible to estimate the damage. Many companies prefer not to disclose that their systems have been compromised, making it impossible to accurately quantify. Consequently, these damage estimates have ranged from millions to hundreds of billions.

Thanks to Congress and the administration, the FBI is devoting significant resources to this threat. Our partnerships with industry, academia, and across all of government have led to a dramatic improvement in our ability to combat this threat. The FBI's statutory authority, expertise, and ability to combine resources across multiple programs make it uniquely situated to investigate, collect, and disseminate intelligence about and counter cyber threats from criminals, nation states, and terrorists.

The FBI has cyber squads in each of its 56 field offices, with more than 1,000 advanced cyber-trained FBI agents, analysts, and forensic examiners. However, the FBI cannot combat the threat alone. Through the FBI-led National Cyber Investigative Joint Task Force, we coordinate our efforts with over a dozen Federal partners throughout the intelligence community and the Department of Defense.
We also partner through NCIJTF with other Federal law enforcement agencies to include most prominently the United States Secret Service. The FBI has also embedded cyber staff in other intelligence community agencies through joint duty and detailee assignments. In addition to our 61 legal attaches overseas, we currently have FBI agents embedded full-time in five foreign police agencies to assist with cyber investigations. These cyber agents have identified organized crime groups, supported FBI investigations, and trained foreign law enforcement officers for more than 40 nations.

InfraGard is a prime example of the success of public-private partnerships. Under this initiative, private industry leaders work with the FBI to ward off attacks against critical infrastructure. Over the last 15 years, this initiative has grown from a single chapter to more than 86 chapters in 56 field offices with 42,000 members.

In addition to InfraGard, the FBI partners with the National White Collar Crime Center and the Internet Crime Complaint Center and the National Cyber Forensic and Training Alliance. We also partner with the information-sharing and analysis centers through the Department of Homeland Security and the National Center for Missing and Exploited Children.

Chairman Whitehouse, Ranking Member Kyl, and members of the Subcommittee, in the interest of time today, I have touched upon a few of the more significant cyber threats facing our Nation. I appreciate the opportunity to come before you and share the work the FBI and our partners in the community are doing to address the cyber threat in this country and am happy to answer any questions you may have.

[The prepared statement of Mr. Snow appears as a submission for the record.]

Chairman Whitehouse. Thank you, Assistant Director Snow.

Our next witness, Pablo Martinez, is Deputy Special Agent in Charge of the Criminal Investigation Division, Cyber Crime Operations, at the United States Secret Service.
In this capacity, he develops and implements policy for all cyber investigations conducted by the Secret Service. Mr. Martinez began his career at the Service in 1991, and in 1999 was transferred to the Presidential Protective Division. In 2003, Mr. Martinez was promoted to the supervisory ranks of the Criminal Investigative Division, where he was tasked with expanding the Service's Electronic Crimes Task Force. During that time, he oversaw the first major cyber operation conducted by the Secret Service, Operation Firewall, in which over 30 online criminals were apprehended worldwide in a simultaneous round-up.

Glad to have you with us, Agent Martinez.

STATEMENT OF PABLO A. MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATION DIVISION, U.S. SECRET SERVICE

Mr. Martinez. Good afternoon, Chairman Whitehouse, Ranking Member Kyl, and distinguished members of the Subcommittee. Thank you for the opportunity to testify on the role of the Secret Service in cyber investigations.

On February 1, 2010, the Department of Homeland Security delivered the Quadrennial Homeland Security Review, which established a framework for homeland security missions and goals. I would like to share just a few sentences from the QHSR because it underscores the need for a safe and secure cyberspace: ``As we migrate more of our economic and societal transactions to cyberspace, these benefits come with increasing risk. We face a variety of adversaries who are working day and night to use our dependence on cyberspace against us. Sophisticated cyber criminals pose great cost and risk both to our economy and national security. They exploit vulnerabilities in cyberspace to steal money and information, and to destroy, disrupt, or threaten the delivery of critical services.''

In order to maintain a safe and secure cyberspace, we have to disrupt the criminal organizations and other malicious actors engaged in high consequence or wide-scale cyber crime.
To address the threats posed by these transnational cyber criminals, the Secret Service has adopted a multi-faceted approach to investigate these crimes while working to prevent future attacks. A central component of our approach is the training provided through our Electronic Crimes Special Agent Program, which gives our special agents the tools they need to conduct computer forensic examinations on electronic evidence obtained from computers, personal data assistants, and other electronic devices. To date, more than 1,400 special agents are ECSAP trained. In fact, the Secret Service values this training so highly that the basic level is now incorporated as a part of the curriculum that all special agent trainees receive at our James J. Rowley Training Center.

In addition, since 2008, the Secret Service has provided similar training to 932 State and local law enforcement officials, prosecutors, and judges, through the National Computer Forensics Institute, located in Hoover, Alabama.

The Secret Service's commitment to sharing information and best practices with our partners, the private sector, and academia is perhaps best reflected through the work of our 31 Electronic Crime Task Forces, including two located overseas in Rome, Italy, and London, England.

To coordinate these complex investigations at the headquarters level, the Secret Service has enhanced our cyber intelligence section to identify transnational cyber criminals involved in network intrusions, identity theft, credit card fraud, bank fraud, and other computer-related crimes. In the past 2 years, CIS has directly contributed to the arrest of 41 transnational cyber criminals who were responsible for the largest network intrusion cases ever prosecuted in the United States. These intrusions resulted in the theft of hundreds of millions of credit card numbers and the financial loss of approximately $600 million to financial and retail institutions.
As an example, the partnerships developed through our ECTFs, the support provided by our CIS, the liaison established by our overseas offices, and the training provided to our special agents via ECSAP were all instrumental to the Secret Service's successful investigation into the network intrusion of Heartland Payment Systems. The August 2009 indictment alleged that a transnational organized criminal group used various network intrusion techniques to breach security, navigate the credit card processing environment, and plant a collection device to capture payment transaction data. Our investigation revealed that data from more than 130 million credit card accounts were at risk of being compromised and exfiltrated to a command and control server operated by an international group.

Furthermore, the Secret Service uncovered that this international group committed other intrusions into multiple corporate networks to steal credit and debit card data. As a result of our investigation, the three suspects in the case were indicted for various computer-related crimes. The lead defendant in the indictment pled guilty and was sentenced to 20 years in Federal prison. This investigation is ongoing with over 100 additional victim companies identified. The Secret Service is working with its law enforcement partners both domestically and overseas to apprehend the two defendants who are still at large.

Chairman Whitehouse, Ranking Member Kyl, and distinguished members of the Subcommittee, the Secret Service is committed to our mission of safeguarding the Nation's cyber infrastructure and will continue to aggressively investigate cyber and computer-related crimes to protect American consumers and institutions from harm.

This concludes my prepared statement. Thank you again for this opportunity to testify on behalf of the Secret Service.

[The prepared statement of Mr. Martinez appears as a submission for the record.]

Chairman Whitehouse. Thank you, Agent Martinez.
I appreciate having you here. One of the purposes of this hearing is to look into the comparison between the size of the threat and the resource that is dedicated to it, and if I may, Mr. Weinstein, let me ask--I have some numbers here about Criminal Division deployment at the Department of Justice. And just by way of comparison, we have looked at OCDETF, the Organized Crime Drug Enforcement Task Force program; we have looked at the Organized Crime Task Force, dedicated to traditional Mafia organized crime; and we have looked at the cyber staff. And the numbers that I have are that there are just under 90 attorneys in the Criminal Division dedicated to traditional organized crime. There are 13 attorneys in the Criminal Division dedicated to the OCDETF program, but the OCDETF program is very much a field-based program, and so they are sort of the local touch point for over 1,000 staff out in the field, including more than 550 attorneys out in the field. So it is a pretty robust field program behind those 13 attorneys at Main Justice. In the context of that range, we have been told that there are 40 attorneys in the Criminal Division who are dedicated to computer intrusions and other hacking cases. There are additional attorneys who are dedicated to child exploitation, to appellate cases, to other crimes that may have a computer component but are not the direct hacking cases. It strikes me that if the numbers are correct that there is as much as $1 trillion, I contend that we are on the losing end of the biggest transfer of wealth in the history of humankind through theft and piracy in this country right now, that it is being done through cyber crime, and that it is a very, very significant national security and economic challenge. 
Senator Feinstein and Senator Kyl and I all have also served on the Intelligence Committee, and while much of what we know from that Committee is classified, in the public hearing the Director of National Intelligence Jim Clapper listed the national security threats that he felt he was obliged to address as the new DNI, and he put cyber security No. 1 above everything else. And so that was kind of noteworthy, and in that context it strikes me that having fewer attorneys dedicated to computer intrusions at Main Justice than are dedicated to old-fashioned, traditional organized crime is a sign that we here in Congress need to provide you with more resources to focus on the cyber threat. What is your sense of that?

Mr. Weinstein. Let me, before I answer your question, put those numbers in a little bit of context. You are right in observing that the OCDETF program is mostly a field-based program, so it is not unexpected that that is a relatively low number dedicated to that. The organized crime number which you quoted, which is about 89 attorneys, actually it was organized crime broadly defined. That is to say, it is traditional organized crime like LCN, Mafia-type cases; it is gang cases; it is drug-related organized crime like drug cartel cases, which are pursued as enterprises; and it includes international organized crime. And in that sense, especially with international organized crime, there is some overlap with our cyber security and cyber crime efforts. I actually also, along with another Deputy AG, oversee the organized crime program, and increasingly the priority of our international organized crime program is to go after transnational crime groups that involve cyber threats. So there is some overlap. The other thing I would add is that the 40 attorneys that you quoted that are cyber specific, those are the attorneys who are in the Computer Crime and IP Section, which I have had the honor to supervise.
There are a substantial number of other attorneys, like in the Fraud Section, who also in the course of their fraud work focus on fraud cases that have a cyber component. Having said all that, it is really undeniable that the scope of the problem, which is growing every day, far outpaces the resources that are available to pursue it currently. And so I think that this is the kind of problem that takes a dedicated stream of resources, but it also takes dedicated training and expertise so we can keep pace with the methods that our cyber actors are using. I would add that in the President's 2011 budget, which I think now is a collector's item, there was a request for four additional cyber attorneys. In the 2012, there is actually a request for six, and those six attorneys are CHIP prosecutors, computer hacking and IP prosecutors. But for the first time, they will be CHIP prosecutors who are placed overseas, I think to reflect the recognition that fighting this problem requires going beyond our borders to do it. The President's proposal, the President's budget proposal, would put six of these CHIPs, who we would call ICHIPs, international CHIPs, in regions throughout the world that have a high concentration of cyber crime and IP theft activity so that they can not only help American prosecutors at home on their cases but also help those contractors beef up their own capacity to pursue cyber criminals in their own borders.

Chairman Whitehouse. My time has expired, but let me ask just one more question before I turn to Senator Kyl because there is also field staff, attorneys out in the U.S. Attorneys' Offices, who are dedicated to this.
But it is my understanding that the--if you could confirm this, it is my understanding that the AUSAs who are your cyber designees are obliged to participate in conferences on cyber, be a point of contact for the office on cyber; if there are conference calls, they are the person for the office who would participate, but they need not direct their prosecutive attention to cyber cases. They are to be deployed as the U.S. Attorney and the first assistant and the head of the Criminal Division see fit, and in that sense it is something of an overcount to describe them as full-time--it would be something of an overcount to describe them as full-time cyber prosecutors, would it not?

Mr. Weinstein. I think, Senator, it depends on where--Mr. Chairman, it depends on where they are. In some districts, especially districts with very active FBI or Secret Service cyber squads in them, and with a heavy concentration of these cases, the CHIP prosecutors work exclusively on those cases.

Chairman Whitehouse. But in some they may not----

Mr. Weinstein. Some districts they may not. And the role really has three or four aspects to it. One is to work on this case----

Chairman Whitehouse. Well, since I am over my time----

Mr. Weinstein. OK.

Chairman Whitehouse [continuing]. And since I have my Ranking Member waiting, let me--we can pursue that in the----

Mr. Weinstein. OK.

Chairman Whitehouse [continuing]. Later discussion. Senator Kyl.

Senator Kyl. Well, thank you, Mr. Chairman. These are all right-on questions, and in a related area, it is not only resources but also authority. Agent Martinez, I would like to ask you a question about comments you made in your testimony in which you referred to going dark, the going-dark problem, whereby there is a gap between the legal authority that you have to intercept electronic communications and the provider's practical ability to intercept those communications.
And you quoted and endorsed the statement by the FBI Chief Counsel, who had testified in the House of Representatives, that there is--excuse me. She said, ``There are significant law enforcement challenges in light of the pace of technological advancements.'' Are there specific tools that you think Congress could provide you and your counterparts in domestic law enforcement and intelligence to better mitigate this problem? Can you share them with us today? If not, could I ask all three of you really to provide to this Committee your proposals for improving the authorities that all of you need to tackle the problems that you have identified here today?

Mr. Martinez. Yes, Senator Kyl, we did endorse Chief Counsel's statements on that. We believe that cyber criminals are at the tip of the spear when it comes to exploiting technology. The types of communications that cyber criminals use or have been using for many years are now just starting to come into the forefront of crimes being committed by traditional criminals. So cyber criminals have been using instant message, have been using VOIP systems, have been communicating via the computer for many, many years, and we believe as technology continues to develop you are going to continue to see cyber criminals exploiting that capability because they seem to have the most knowledge when it comes to utilizing devices like that. I believe right now there are several working groups that have been established, you know, at the request of the administration, both at the legislative level and at the technical working group level. The Secret Service participates in a technical working group being led by the FBI, and we are in the process right now of finalizing some of our recommendations that I believe the administration is looking to put forward.

Senator Kyl. Great. We will appreciate that, hearing from FBI, Justice Department, and Secret Service, whomever, to assist us in giving you the authority you need.
Assistant Director Snow, I would like to ask you, could you explain the FBI's role in the so-called Team Telecom? And then I've got a couple specific questions about what I understand that team is engaged in, the advisory role to the Federal Communications Commission by the FBI. Is that not a term you are familiar with?

Mr. Snow. Sir, I apologize. It is not a term I am familiar with. It usually runs out of our Operational Technology Division, which would, along with our Office of General Counsel----

Senator Kyl. OK. Well, let me just ask you to generally describe concerns that you all have about telecommunications computers that have links to foreign governments or foreign militaries providing telecommunications equipment, software, network management services and the like here in the United States.

Mr. Snow. Sir, I guess the best way to answer that is in another forum we could probably go more in-depth, and I would be more than willing to provide you the personnel and myself and availability to address those questions.

Senator Kyl. Well, is it fair to say that there is a significant concern about this and that you do play a role, that the FBI does play a role along with other intelligence services in advising our Government departments with respect to these threats?

Mr. Snow. Yes, sir, absolutely. Always a concern from any facet, a country adversary that comes in and that would either manipulate or use our supply chain to our disadvantage. So if so many things in the supply chain, whether it is a counterfeit part, a counterfeit chip, something that could be implanted, an executable piece of malware, a piece of additional code that would be in our telecom system.

Senator Kyl. When you review the offer of such a company to open themselves up to third-party or independent review to deal with those supply chain kinds of problems, is it possible for you to go through millions of lines of software code to make 100 percent certain that there is not anything malicious built in that is capable of being activated at a moment of a cyber criminal's or cyber warrior's choosing?

Mr. Snow. I do not think, sir, that we have that capability right now in the U.S. Government to go through millions of lines of code. It is very work intensive. I think we know that code now is cobbled together from many pieces. I think sometimes even the programmers and people that design that code are not even sure what is in that code. They will use other pieces, freely available pieces on the outside to assemble that program. And we do provide under the CFIUS process counsel, guidance, direction, and information to the decisionmakers across the Government in order to make those decisions, along with the Department of Justice that runs the CFIUS program.

Senator Kyl. I appreciate it. Thank you.

Chairman Whitehouse. Senator Coons.

Senator Coons. Thank you, Senator, and thank you to both Senator Whitehouse and Senator Kyl for convening this hearing today, and to our panel. You have all testified to the different ways in which your respective agencies are working together with State and local law enforcement, and to some extent, the private sector, the intelligence agencies, and our armed forces to combat cyber crimes, and I am just interested initially in your opinion whether States and local law enforcement have the right resources, have the right training, have the right capabilities to build up their investigative capabilities as well as their defensive capabilities. You made reference, Agent Martinez, in your testimony to the National Computer Forensics Institute and where the 900 folks have been trained. I think that is a great start.
There was also a reference, I think by Mr. Snow, to 42,000 members of the FBI's InfraGard. If you could, in order to speak to the training standards we are trying to hit, the resources State and local law enforcement and Government have, and what additional resources do we need in order to be able to develop a nationwide professional cadre of folks in law enforcement, in the intelligence community, and, frankly, in the private sector? Please.

Mr. Martinez. Thank you, Senator. From our perspective in law enforcement, what we have basically done is taken our ECSAP model--that is a three-tier model, BICEP, NITRO, and computer forensics--and we have mirrored that curriculum at the National Computer Forensics Institute where we not only teach law enforcement but also prosecutors and judges. We are firm believers that you not only have to train the agents or the law enforcement officers, but you have to make sure that they can explain or they can articulate in a layman's term the case to a prosecutor who can then also explain the facts in layman fashion to a judge who you are going to have to get the warrants signed to. So that is why it has been--it is important for us to train all three aspects. So far, like I stated in my statement, we are over 900. We are looking to try to expand the amount of law enforcement personnel that we train. What we try to focus on, since we have the 31 Electronic Crime Task Forces, we try to focus on individuals who are members not only of our task force, but potentially a State and local cyber task force or an FBI task force because they are in the most need of having this specialized training. We believe that by doing that we are multiplying our resources, and we can force multiply and work investigations not only at the Federal level but at the State and local level.
And like I said, we continue to work with these partners at the State and local level to try to get them a better understanding of some of the issues with cyber crime and some of the ways to tackle the problem.

Senator Coons. Mr. Snow.

Mr. Snow. Sir, as Mr. Martinez talked about, the good news portion of the story is that we are making progress on trying to help assist and train those personnel. I think inwardly, though, if we are more reflective, it is a difficult task to make sure that all our personnel are trained, not only that they are trained but what is the process that we used in order to make sure that we keep them current and how we retain those personnel. So I would not want to classify all State and local law enforcement officers as being in the position we were in about 10 years ago. We talked recently about the going-dark issue, and we also talk about how difficult it is to bring those people up to speed. But I would say--because I know we have very talented individuals from State and local entities that are in our regional computer forensic labs that are run nationally across the country. However, many of those departments and agencies, you know, hundreds of thousands of sworn law enforcement officers across the country, have a difficult time coming up with that money, that training, the availability of their personnel as they try just to meet hiring and payrolls.

Senator Coons. And if I could, just a follow-on question to the Deputy Assistant Attorney General, Mr. Weinstein. One of the areas I am most concerned about is intellectual property theft, particularly trade secrets. American companies are some of the most innovative in the world. In your written testimony, there was an example of a successful theft from Dow Chemical that had significant long-term consequences for them.
Where are we in terms of providing coordination, resources, and standards for training that will help the private sector understand how to defend against these threats and then the prosecutorial resources to, as you put it, once these better locks are broken, actually then capture the CMS who have broken them?

Mr. Weinstein. Well, Senator, perhaps in IP crime, unlike any other type of crime, we rely heavily on the victim companies to report the crimes to us and to be able to recognize them when they occur, then to provide us with access to the information we need to successfully investigate and prosecute them. One of the things that CCIPS does in conjunction with the CHIP prosecutors throughout the country is conduct extensive outreach with potential victim companies in various regions. In the Pacific Northwest it might be Microsoft, or computer companies in Delaware and other States, it may be, you know, companies that are the significant industries in those States. And what we try to do is explain to them where the risks are, how to recognize when there is a potential trade secret theft or other IP crime, and then how to make a referral to us, either to us directly or to the FBI or to the IPR Rights Center, which is jointly operated by ICE and by the FBI. So we do that nationally, and we do that regionally. We go region by region throughout the country to try to make sure that companies that are at the greatest risk are aware of what is going on out there and how to protect themselves from it; and then if they are violated, how to report it to us so we can pursue it.

Senator Coons. Thank you.

Chairman Whitehouse. Senator Hatch.

Senator Hatch. Well, thank you, Mr. Chairman, Chairman Whitehouse. I thank you and applaud you for your efforts in this area. The distinguished witnesses represent a balance of all those affected by cyber criminal and terrorism--Government, the private sector, and, of course, academia.
For successful cyber security policy, we must encourage partnerships among many sectors. This cannot be solely a Government-led initiative. Now, Mr. Snow, China is directing the single largest, most intensive foreign intelligence gathering effort since the cold war against the United States. Methods for conducting informational warfare to advance the goals of a nation state might also involve secretly sponsoring terrorists. Now, China is often cited as providing Government support to computer hackers, and as Richard Clarke, a former White House adviser for infrastructure protection and counterterrorism, discusses in his book, ``Cyber War,'' the Chinese military has placed a new emphasis on information warfare methods. Specifically, they have proposed to attack enemy financial markets, civilian electricity networks, and telecommunication networks by way of computer viruses and, of course, hacker detachments. Now, it remains very difficult to determine the true identity, purpose, or sponsor of a cyber attacker. Can you tell me, does the FBI have sufficient capability to identify an attack that is state sponsored versus a criminal enterprise?

Mr. Snow. Senator, obviously, once again, in a different forum we can go more in-depth to your question, but let me answer it in a form that I can today.

Senator Hatch. Sure.

Mr. Snow. Through the National Cyber Investigative Joint Task Force, which I mentioned in my opening statement, we have 18 intelligence community agencies and others there. We use a concept that is called the threat focus cell concept where we bring all individuals from the community that would address a threat. The successes that we have had have been many.
The problem with it is that there are still some very high profile cases that we have seen just by looking through the Wall Street Journal and any other media outlet we have out there where we still do not know to this day who the attacker is, what state we can attribute it to, or who that person behind the keyboard was, who that human person was that actually controlled that attack or directed that attack.

Senator Hatch. Mr. Martinez, several months ago, as Chairman of the Senate Republican High-Tech Task Force, I requested that the Secret Service provide an extensive briefing on transnational organized crime and international cyber investigations. I thought that briefing was pretty helpful. Now, while that briefing was not classified, it certainly was law enforcement sensitive and provided the task force members a fantastic overview of the transnational crime groups, primarily located in Russia and Eastern Europe. During that briefing Secret Service officials profiled a particular hacker known as ``BadB,'' who was an accomplished hacker in Russian cyber crime circles. Fortunately, he was arrested overseas based on the investigative work of the Secret Service. Now, I want to take this opportunity to applaud you and the Secret Service for its work in that case and others, including the Nation's largest identity theft case that occurred at TJX and Heartland Systems. That case had an extensive international cyber crime connection. Now, No. 1, what presence does the Secret Service have overseas in countries such as China and Russia? And, No. 2, what other mechanisms does the Secret Service have in place to identify countries with the potential for cyber crime?

Mr. Martinez. Thank you, Senator Hatch. Yes, the Secret Service has, I believe--and it is in my written statement. I believe it is 22 overseas offices. And in countries where we do not have an office, we take a regional approach where we have agents that are specifically assigned to those countries.
We do have an office in Russia, and I am glad to announce that 2 weeks ago we got our long-term visa to open up our office in Beijing, so we are very happy about that. In addition to that, though, we rely a lot on our foreign law enforcement partners, and as I stated earlier, we have two foreign electronic crime task forces. So what we have done is we have taken the concept of the domestic Electronic Crime Task Force that Congress enacted back in 2002, and we have used that same approach to our overseas offices. In doing so, we collaborate a lot with our foreign law enforcement partners. Just like the FBI does, we have agents embedded into cyber crime units, and specifically agencies in specific hot spots around the world. We believe it has been very successful, and we have capitalized on the relationships and partnerships with these law enforcement organizations in order to apprehend some of these high-value targets. But in addition to that, one of the things we have recently done, as we did last year, we did what is called the Verizon/Secret Service 2010 Data Breach Investigative Report, where we take information for our investigations and we publish that out to the private sector. Well, the 2011 study that is about to come out in 2 months not only includes data from Secret Service and Verizon investigations, but it also includes information from the National High-Tech Crimes Unit in Holland. So, once again, there we are leveraging the resources and the abilities of our foreign law enforcement partners, and the lessons learned, the best practices, and the information that we have obtained through our criminal investigations, we are pushing that out to the private sector through things such as the DBI Report.

Senator Hatch. Mr. Chairman, could I just make a short set of remarks?

Chairman Whitehouse. Of course, Senator.

Senator Hatch. Thank you very much, both of you. I did not have time to ask you any questions, Mr. Weinstein, but I appreciate the work you are doing. There is no doubt that we need to have a coordinated effort between Government and the private sector to address cyber crime abroad, and that is why last Congress I introduced, with my colleague Senator Gillibrand, an international cyber crime bill. Now, our common-sense approach was widely supported amongst those who are affected by these crimes on a daily basis. In the coming weeks we plan to introduce this bill which will improve and strengthen the Government's response to international cyber crime. I would like you to look at that and tell us where we can make it better and what your suggestions are for us so that, when we introduce it, it will be truly something that will be bipartisan and everybody can support. Thank you, Mr. Chairman. I appreciate it.

Chairman Whitehouse. Of course, Senator. Our next questioner is not only a distinguished member of this Committee but also the Chairman of the Intelligence Committee. Senator Feinstein.

Senator Feinstein. Thank you very much. I want to thank you, Senator Whitehouse, for your work in this area. As Chair of Intel, I asked you to head a cyber task force, along with Senator Mikulski and Senator Snowe, and I want everybody to know that the three of you did a wonderful job, and our information is much fuller and richer because of it. So thank you for the work. One of the things that apparently you accomplished was the declassification of a lot of material of some of the robberies that had taken place going back to 2008 that we on Intel knew about--excuse me, I have a cold--but could not talk about. And on January 3rd of this year, the Director of National Intelligence wrote you a letter essentially saying that we have compiled unclassified and in some cases declassified material designed to explain the variety of cyber threats and to provide real-world examples of damage in non-technical terms.
This was provided to the Congress and other elements of the executive branch. I want to go over some of it which has now been declassified. In 2008, the Royal Bank of Scotland lost almost $10 million withdrawn from ATMs in 49 cities worldwide. Citibank, a cyber theft scheme resulted in over $10 million in losses. Now, that is according to news reports. Nationwide retailer T.J. Maxx, 45 million credit and debit cards stolen in 2007. Heartland Payment Systems, tens of millions of credit card numbers compromised in 2009. And it goes on and on and on. Mr. Snow, I believe in your testimony you indicated that in 2010 you arrested 202 individuals for criminal intrusions, up from 159 in 2009, and obtained a record level of financial judgments for cases amounting to $115 million compared to $85 million in 2009. Now, we have looked at some of this and seen a lot of attacks coming from Russia, from criminal elements in Russia, from China, and from other countries, but I think those were the two big ones. I would like to ask this question: Where do you see the majority of major attacks emanating from? And what is being done to stop this?

Mr. Snow. Senator, right now we see on the criminal side a majority of attacks coming from the individuals that are located in Russia, obviously different from the Russian state, and Eastern European countries. We see a very strong network of a cyber underground, very closely associated with almost an eBay or an Amazon type system where, you know, once you receive a service from one of these cyber criminals, which are able to just combine together in chat rooms in this cyber underground, which are allowed to buy different pieces that they need to carry out the attack, to execute the attack, to have the cashers, the mules to receive the funds from the attack. They are all graded and rated.
So we see that very large part of the world that is extremely connected being an area where a lot of the threat is coming from on the criminal side right now.

Senator Feinstein. How many arrests have been made? And how do they get made? And how do individuals get prosecuted?

Mr. Snow. They get prosecuted--and I will refer back to DOJ after I finish my statement, but they get prosecuted in different realms. Some countries, depending on what the MLAT or the extradition treaty is, will either agree to extradite an individual if we have provided the information for them. As Mr. Martinez talked about, with the collaboration that we are working with these other countries, some will abide by the extradition treaties that we have and bring the people back here to the United States.

Senator Feinstein. Are the Russians cooperative in that regard?

Mr. Snow. We have not had the Russians--they have been cooperative in the joint prosecution arena.

Senator Feinstein. Have any Russian Mafia people been arrested and prosecuted?

Mr. Snow. I would defer the Mafia side, but are you talking cyber organized crime?

Senator Feinstein. Yes.

Mr. Snow. Yes, ma'am.

Senator Feinstein. And has Russia cooperated with the United States in going after them?

Mr. Snow. Russia has helped in large part in many of the cases that we have been involved in. We have exchanged information with the Russian individuals that work cyber crime, and we are still working on those types of relationships with them.

Senator Feinstein. Thank you very much. Thank you. I am glad to hear that. Thanks, Mr. Chairman.

Chairman Whitehouse. Thank you, Chairman Feinstein. Next is Senator Klobuchar, then Senator Blumenthal.

Senator Klobuchar. Well, thank you very much, Chairman Whitehouse, for holding this hearing, and I truly believe that protecting our Nation's cyber infrastructure is critical as we increasingly depend on it for everything from paying our utility bills to our financial services.
The innovation surrounding a free and transparent Internet has been great for our economy, but we have also opened ourselves up to risks, and those are risks that, unfortunately, criminals try to exploit. I am working with Senator Hatch on a cloud computing bill, and we hope to introduce it soon. And I really do see that cloud computing has the potential to alleviate some of the concerns in the cyber security field, particularly by introducing economies of scale and making sophisticated protection available to all users on the cloud. However, it also raises some unique diplomatic issues because data is being stored in multiple countries. Could you talk, maybe Mr. Weinstein, about issues of international jurisdiction faced by your agencies when investigating cyber crime or, Deputy Director Snow, involving cloud computing? And would better international agreements be helpful to enforce the rules?

Mr. Weinstein. We flipped and I won.

Senator Klobuchar. I noticed that, yes.

Mr. Weinstein. Senator, I cannot speak specifically to international issues involving cloud computing. It is a relatively new phenomenon, at least known by that name. But I can say that, as a general matter, it is increasingly important that we have strong agreements, international agreements, either multilateral or bilateral agreements, with our foreign law enforcement partners because so often the targets or the instrumentalities of the crime are located overseas, even if the data is not overseas. For example, in the cases that Senator Feinstein just mentioned, in the TJX intrusion, the servers that the data was stored on, the primary hacker was located in Florida. But the data was stored in Latvia and Ukraine.

Senator Klobuchar. Right.

Mr. Weinstein. In the Heartland case that Senator Feinstein mentioned, some of the servers were--there were three servers in the United States, or in three States of the United States; but servers were also in Latvia, Ukraine, and the Netherlands.
In the RBS case, some of the targets and evidence was in eight different countries. What makes the RBS case useful, I think, as an example, though, is that the intrusion was reported to us by the victim company in December of 2008, and the indictment was brought in November 2009. So in less than 11 months, the FBI, working very closely with foreign law enforcement, managed to get the evidence we needed, even though it was across our borders, identify the targets, put fingers at the keyboard, and actually bring charges. And, in fact, BadB, the hacker that Senator Hatch made reference to, is now indicted in that case and is pending extradition. So when we have got those agreements in place and when the foreign country we are working with has the will, the capacity and the will--because you have got to have both--we can be very effective. Too often the countries have the will but not the capacity, and that we can deal with because we can devote resources, as we do, to training them and to helping them strengthen their own criminal laws and then to developing international agreements in which they work with us. If they do not have the will, there is a limit to how much we can do. One thing we do do throughout the world is try to get as many countries as possible to accede to the Convention on Cyber Crime, which we think is a very useful international framework, one that provides a very strong foundation for international cooperation in these cases.

Senator Klobuchar. Now, I know a lot of my colleagues have asked you about resources and how that would be helpful. How about legal changes? Are there changes that we could make to current law? What would you have on your top list of things that would be helpful as we battle this new-found crime?

Mr. Weinstein. Well, I can say that we have got some ideas about some potential changes to 1030 that we are discussing and working on, and as soon as they are done, we will be pleased to bring them to your attention and to work with you on them, as well as any other ideas that you have. Obviously, we are watching and very eager to be engaged on the ECPA debate. I know you had a hearing on that where Mr. Baker and others testified last week because changes in ECPA actually--if standards are increased in such a way that puts information out of the reach of law enforcement, it makes it very difficult for us to investigate and prosecute cases against cyber criminals who threaten Americans' privacy. So we are very eager to engage in that debate. And as you may know, there is an interagency process that is moving at a fever pitch to develop some cyber security legislation. I would not say it has been at a fever pitch throughout its life, but I can tell you that in the last 6 weeks it has.

Senator Klobuchar. When did it start, Mr. Weinstein?

Mr. Weinstein. It started a while ago.

Senator Klobuchar. OK.

Mr. Weinstein. The fever pitch started more recently.

Senator Klobuchar. OK.

Mr. Weinstein. But, you know, we have got people who are literally working around the clock, judging by the time at which they are e-mailing me in the middle of the night to try to get proposals ready to present to you, and so I think that will happen very soon.

Senator Klobuchar. Are you satisfied with the criminal penalties in place for engaging in cyber crime?

Mr. Weinstein. Well, one of the ideas we do have involves some streamlining and strengthening some of the penalties that are provided in 1030. As I said, that proposal is still baking, and when it is fully cooked, we will be pleased to bring it to you and talk to you about it further.

Senator Klobuchar. OK. I am out of time here, and I will just ask in writing Assistant Director Snow questions about the work with the private sector.
Minnesota is home to Target and Best Buy and several major companies that deal with this all the time, and so I am interested in that issue. I actually visited McAfee, their offices in Minnesota, and the work that is being done there. And then I also will, for the record, Mr. Martinez, follow up on some questions with you as well. Mr. Martinez. Absolutely. [The questions of Senator Klobuchar appears under questions and answers.] Senator Klobuchar. Thank you very much. Chairman Whitehouse. Senator Blumenthal. Senator Blumenthal. Thank you, Mr. Chairman. I would like to join in thanking Senator Whitehouse for holding this hearing and for his interest and effective action in this area. You know, we have been talking a lot about enforcement and about potential changes in the law, and if I have time, I would like to return to that subject. But I was very interested in an observation made by one of the people who is going to follow you in talking to us today, John Savage, who is a professor at Brown, who says in his testimony, and I am going to quote, ``Computer industry insiders have solutions to many cyber security problems, but the incentives to adopt them are weak, primarily because security is expensive and there is no requirement they be adopted until disaster strikes.'' Now, I have been involved in enforcement relating to this issue, and I do not mean to minimize your efforts. In fact, I think they have been heroic and remarkably effective, both at the Federal level where you work and often at the State level. But don't the holders of this information--and I am thinking of Epsilon, for example, most recently the supposed victim of a major breach--have a greater obligation to do more to safeguard this information? And how do we create those incentives that Professor Savage mentions to make your job more effective? I will not say ``easier'' because nothing can make your job easier, and I have great admiration for what you do. 
But how do we create those incentives so that private companies are more partners of yours in this enforcement effort? And I ask that of all three of you, and I will let you go in whatever order you would like. Mr. Martinez. I will take it. Senator---- Senator Blumenthal. And, by the way, you may disagree with Professor Savage, too. I am not assuming that you will necessarily agree. Mr. Martinez. Senator, I believe also Mr. Weinstein spoke about a proposed package that is forthcoming here to Congress regarding a comprehensive number of cyber bills that all three organizations sitting at this table have been involved in the crafting. One of those proposals involves data breach legislation, and I think it is important for us to create a national data breach bill so that we do not continue to have this myriad of-- I believe right now there are 47 individual State data breach requirements, all of which are unique and all of which have different reporting requirements. So I think it is important that we do have a national data breach bill. As part of that national breach bill, I think it is incumbent and it should be required that if companies do have an intrusion, they not only notify the consumers or the victims whose information might have potentially been stolen, but that they also notify the Government and that the Government be notified of the fact that there has been an intrusion. To the point of the professor's, the other part that I think is important in the legislation--and I think the administration is going to be addressing that--is that there also be a safe harbor for those computers that have protected the information in a proper way. So even though they have an intrusion but the information is protected, that they themselves be protected via some type of safe harbor so that civil action might not be taken. I think in the package of legislation that the administration is finalizing, you are going to see all three aspects of that in that legislation. Mr. 
Snow. And, Senator, I would just add that I would echo Mr. Martinez's comments, and I would also say that I do not think anything in the professor's statement is wrong. I think the professor is exactly right. But a little bit closer scrutiny of this statement would say something that is really important, and that is that many of these people have many of the solutions for many of the problems and understand that it is a multi-layered, multi-faceted problem. To throw a few solutions at some of the problems does not solve all the problems. So we have to understand. Right now I do not think there is any secure system out there. I think it takes a defense in-depth layering, and I think that is something that we have to work on. On his point of weak incentives, I think he is exactly on point. You know, I will go back to the bank robbery days that the FBI was going from place to place. Just getting somebody to put in a new VCR was extremely difficult because that was 60- odd-some dollars at the time, and that did not do anything but take away from the security budget. I think that is the same thing we see in businesses right now. That security that we layer that we think is essential is not really put in place until there is a tragic incident, an embarrassing incident, an incident that costs them close to a huge concern about them being a continuing entity or a going concern. Senator Blumenthal. Mr. Weinstein. Mr. Weinstein. I do not have anything to add to what Mr. Martinez and Assistant Director Snow said other than to emphasize that it has to be both incentives for companies to protect themselves against breaches--and I do think that most companies, especially those that operate in good faith and care about their business reputations, do want to protect themselves--but also, as Mr. Martinez said, to report the breaches when they do happen. 
I anticipate, although the shape of our package of proposals is still being formed, but I do anticipate there will be something about data breach reporting in that package, and we look forward to working with you on that. Senator Blumenthal. Well, I would be eager to work with. As you may know, Connecticut is one of those States that has a reporting requirement. I have asked for Epsilon to provide credit reporting services as well as identity theft insurance, which has been standard in what Connecticut at least has asked the companies that had this information that may have been breached to do in the past and has also sought penalties. So I might just suggest, without commenting on Epsilon or any other particular instance, that providing these incentives for adoption of this technology is something that is worth your very serious and positive scrutiny. Thank you. Chairman Whitehouse. We will go very shortly to the next group of witnesses, and I will excuse this panel. I do have a question for the record that I would like each of you to take with you and answer for me, and I think Senator Kyl will do his in writing. Assistant Director Snow mentioned the high level of activity of the sort of eBay type situation of the Russian- based hackers and criminals who are working on this, and I am reminded of the lawsuit that was brought by Microsoft against the Waledac botnet, which was able to obtain a court order involving the legitimate Internet world--the domain providers, the ISPs and so forth--to cut off service from the command-and- control nodes of that botnet so that it no longer was operative. 
And it strikes me that without actually doing criminal prosecutions of folks, we could be very aggressively hunting down these criminals and these attackers on the Web and disabling them with civil injunctive measures that require the ISPs, the domain registers, and so forth to stop providing service in certain components or to certain addresses or to certain types of transmissions from addresses. And because virtually all of this flows through the United States at some point, jurisdiction should be fairly easy to get compared to an unknown hacker who is working through a server in Estonia that links to a server in the Ukraine that links to a server somewhere else before it even gets here. So I would like to hear from each of you as to what extent your organization's cyber resources are empowered to support an active criminal defense that uses civil law to shut down some of these activities by authorizing the service providers to engage with court permission, protected from liability because of that, in a way that disables this. OK. Clear? [The information appears as a submission for the record.] Chairman Whitehouse. And Senator Kyl will do his for the record. [The questions of Senator Kyl appear under questions and answers.] Chairman Whitehouse. So with gratitude for your service and for your focus on this very significant problem, I will excuse this panel, and we will take a 2-minute recess while the next panel convenes. Gentlemen, thank you all very much. [Pause.] Chairman Whitehouse. Let me call the new panel to order, and thank you all for being here. Let me first ask that you stand and be sworn. Do you affirm that the testimony you will give in this Committee will be the truth, the whole truth, and nothing but the truth, so help you God? Ms. Schneck. I do. Mr. Savage. I do. Mr. Baker. I do. Chairman Whitehouse. Thank you. Please be seated. Welcome. 
We will begin with Phyllis Schneck, who comes to us from McAfee, where she is vice president and chief technology officer for their global public sector operations. Previously, she was vice president for threat intelligence for McAfee. She served as a commissioner and a working group co-chair on the public-private partnership for the CSIS Commission to Advise the 44th President on Cyber Security, which I am proud to say was a report co-authored by my colleague in the Rhode Island delegation, Congressman Jim Langevin. Ms. Schneck also served--Dr. Schneck, I should say, also served for eight years as Chairman of the National Board of Directors of the FBI's InfraGard program, which has already been mentioned today, and vice president of research integration at Secure Computing. She has a Ph.D. in computer science from Georgia Tech. Ms. Schneck.

STATEMENT OF PHYLLIS SCHNECK, PH.D., VICE PRESIDENT AND CHIEF TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, MCAFEE INC., RESTON, VIRGINIA

Ms. Schneck. Chairman Whitehouse, Ranking Member Kyl, and other distinguished members of the Subcommittee, thank you for requesting McAfee's views on responding to the threat of cyber crime and cyber terrorism. Your Subcommittee is playing a vital role in cyber security, helping to investigate sophisticated syndicates of criminals and terrorists who deploy cyber attacks to finance their operations and undermine the security of our country. Thank you for your commitment.

My testimony will focus on the following three areas: the evolution of the cyber security threat landscape, as that has changed over the past few decades; two major cyber security attacks--Operation Aurora and Night Dragon--McAfee's technical response to the cyber crime challenge and the implications for national security from those attacks and others that look just like it as we look at the future of our cyber security and resilience in this country; McAfee's commitment to partnering with law enforcement and the law enforcement community; and policy recommendations to support law enforcement and improved public-private collaboration and information sharing that is so vital to give the Government the capabilities that it needs to respond to this modern cyber security challenge.

First, a rollback on McAfee and our definition of cyber crime for this testimony. McAfee protects businesses, consumers, and the public sector worldwide from cyber threat. Headquartered in Santa Clara, California; Plano, Texas; and a large operation in Minnesota, McAfee is the world's largest pure dedicated cyber security company, and McAfee is a wholly owned subsidiary of Intel Corporation.

Today we use the term ``cyber crime'' to cover the act of using electronic means to gain unauthorized access. As we heard in the last hearing, cyber crime covers the spectrum, from simply gaining notoriety to pooling funds, for organized crime, now to intellectual property, and destruction--destruction of critical infrastructure--with the very far end of the spectrum some are calling ``cyber terrorism.''

Our overall key challenge is that the profit model benefits the cyber adversary: very low barrier to entry, this stuff is easy for them; and very, very strong reward, often large amounts of money; often destruction; very, very little attribution. This adversary is fast. This adversary works faster than we do. They build relationships, they build trust. As was mentioned in the last hearing, the cyber underground, they know how to share information. They have no intellectual property boundaries, no legal boundaries, very often funded fully by their government. No problems to execution.

As we have evolved in the cyber security threat landscape, the traditional model of defeating malware, which is basically an instruction that commands a machine to do now whatever the adversary desires, and whenever, and send back whatever the adversary desires, our traditional signature model does not work. For the past decade, the industry has looked at understanding what could come in, recognizing what is wrong, and blocking it, just like a vaccine would block a cold from your body or a disease. So we look at 50,000 new pieces of malware every day in McAfee labs. We have seen many of the sites that were described earlier in the cyber underground. We track the criminals. We see this adversary, and we propose two key technologies that we believe are the future to cyber security technology on the technical side, understanding that this is half a people problem, half a technology problem.

These key technologies are: Whitelisting, which is very simply closing the door. If you are not an approved instruction, you do not run. It no longer matters how many bad-guy instructions are on a machine. If you are not known to be good, you simply do not run. The second one being global threat intelligence, behavioral understanding to build the cyber immune system, just like your body fights off a cold or disease without knowing its name automatically, we believe our networks should be a lot smarter and pull data from our companies and others across the financial field and the energy sector, across the critical infrastructure to block bad things from coming into networks.

Two major attacks this year that McAfee led for investigation: Operation Aurora and Night Dragon. In January 2010, Operation Aurora was exposed for having compromised Google and 30 other companies. This year, Night Dragon. In Operation Aurora, the adversary was looking for intellectual property. Very large stores of IP and software, and they identified exactly who in those companies would have it, and they got it by social engineering their way in and getting those people to answer an instant message. In Night Dragon, they targeted the oil and gas industry across the world looking for architectural documents, pipelines, and looking at where the new oil exploration would occur.

McAfee is fully committed to partnering with law enforcement. We have a long history, my own having run the FBI's InfraGard program nationally on the private sector side for 8 years. I also chair the National Cyber Forensics and Training Alliance. My colleagues, thousands of them working in partnership with law enforcement every day at the Federal, state, and local levels, assisting with investigations, working closely with the intelligence community, also building strong relationships with the FBI and Secret Service across our partners.

We recommend in policy more budget to fund our law enforcement colleagues, greater situational awareness in this data, and stronger global partnerships, protect the private sector so that we can release data very quickly without worrying about material benefits for shareholders.

Thank you again for the opportunity to be a part of the process in fighting cyber crime with law enforcement and Government relationships. I look forward to your questions and continued discussion.

[The prepared statement of Ms. Schneck appears as a submission for the record.]

Chairman Whitehouse. Thank you, Dr. Schneck. Before I go on to Dr. Savage, since you referenced the Night Dragon report, I would, first of all, like to compliment it. It is the clearest, most trenchant, accessible document I have yet read in a lot of reading that I have done about cyber security. Anybody who is watching this or listening to this and has not had a look at that, it is a really, really good document, both in terms of the overlay, the sort of contextualization of this as a rapidly emerging threat with rapidly increasing sophistication and multiplication of incidents, but also as a quite clear layman's description of how the attack takes place right down to showing the screens on the computer that you would see as you go through the attack. So what I will ask is unanimous consent that that report be made a matter of record for this Committee hearing, and we can provide a copy because I have got it. But I do applaud that. I think that is a very, very clear, useful document, and thank you very much for preparing that.

[The report appears as a submission for the record.]

Chairman Whitehouse. Also, unlike most of the stuff that is put out here, it was unclassified and not kept proprietary. One of the real problems in this area is that we know so little about it because if it is the Government it is classified, if it is the private sector it is held proprietary, and the public is kept, unfortunately, ignorant of the actual threat. So I think you did a real service with that, and I thank you.

Ms. Schneck. Thank you, Chairman Whitehouse. Would it be out of line for me to point out that report was written by my colleague, Dmitri Alperovich, in the row behind me?

Chairman Whitehouse. No, it would not be. It would be very appropriate, and I am glad that he is here for this. I guess I lucked out by saying nice things about it instead of bad things.

[Laughter.]

Chairman Whitehouse. And now from the great State of Rhode Island, from a university we are very proud of, Brown University. I am delighted to have the chance to introduce Dr. Savage.
He is a professor in the Department of Computer Science at Brown, currently conducting research on cyber security, computational nanotechnology, the performance of multi-core chips, and reliable computing with unreliable elements. It sounds like something we try to do here in Congress. Dr. Savage served as a Jefferson Science Fellow in the U.S. Department of State during the 2009-10 academic year. He earned his Ph.D. in electrical engineering at MIT, after which he joined Bell Labs and then the faculty at Brown where he co-founded the Department of Computer Science in 1979. He has multiple clearances and knows a lot about this. Dr. Savage, thank you. Please proceed.

STATEMENT OF JOHN E. SAVAGE, PROFESSOR OF COMPUTER SCIENCE, BROWN UNIVERSITY, PROVIDENCE, RHODE ISLAND

Mr. Savage. Thank you, Chairman Whitehouse and Ranking Member Kyl and members of the Subcommittee. As you have heard, the Internet, which is so important to our economy, also exposes us to great risks. I have a few statistics that highlight this fact. Last year it was reported that more than half of all the computers worldwide were compromised. This means that each of these computers is not only capable of being used to steal personal, corporate, or Government data; they can also be marshalled into botnets and used for nefarious purposes. For example, the Mariposa botnet is reported to have controlled a remarkable 12.7 million computers, distributed across 190 countries, before it was silenced in early 2010. If a botnet of this size were used to launch a denial-of-service attack, it could wreak havoc on the Internet. More importantly, if deployed to disrupt Internet routing tables using a technique discovered and announced in early February, experts say that routing on the Internet could be severely disrupted. I cite these examples to illustrate some of the damage that could be done via the Internet.

If we add to the mix that some important control systems, such as those used for electrical power generation, can also be attacked, destroyed, or disabled by the Internet, we see that hazards lurk here that were unanticipated when the Internet was designed. The Internet, which has contributed so much to our economic strength, allows us to more tightly integrate segments of our economy; thus, attacking the Internet is a way to attack large portions of our economy.

Because cyber crime and terrorism are international in nature, they both require a domestic and international response. We must elevate our domestic security standards in our hardware and software networks. We cannot tolerate having several times more botnets than any other nation, nor large numbers of compromised computers. We also need to better control the supply chain as well as strike international agreements to curb abuses that originate at foreign sites.

So we ask: What steps can we take as a Nation? First, we should create the incentives and, if necessary, regulations to design and improve computer security. Any proposed regulations should be developed through a consultative process involving those being regulated. Second, the private sector and individual citizens need to be educated to the need to keep their systems current with security standards. Third, steps should be taken to make the domain name system more robust by accelerating the adoption of the domain name system security extensions. Fourth, understanding that our Nation faces a serious deficit, we must nevertheless maintain strategic and targeted funding for cyber R&D.

In the policy dimension, we should engage in a national conversation on the types of international agreements that will best serve our cyber security interests. Many interesting ideas have been proposed that should be debated. Leading thinkers have said that the U.S. is not sufficiently engaged in international negotiations to our detriment.

Some may ask: Can we manage these problems? Are these problems manageable? My answer is yes. I liken our computers to our homes. A determined attacker can easily break into them. So why aren't most of our homes invaded more often? Apparently because the locks are good enough, the neighbors sufficiently vigilant, uniformed police officers are sufficiently visible, and the punishment if caught and convicted sufficiently onerous to deter attackers. We need to arrive at a similar state in cyberspace.

Many of us are struggling to understand, from both policy and technological points of view, these issues. There are few technologists conversant with policy and few policymakers sufficiently knowledgeable about technology. Thus, there is an opportunity here to bring the two camps together. In the early days of the cold war, strategy development is said to have lacked sophistication. However, once the insightful analysts studied the issues, a more mature approach to policy emerged. The same must be done for cyber security policy.

In closing, let me say that cyber security research is very young. While some profoundly interesting results have been developed, many challenges remain. Since cyber security plays a central role in our economy and is an important branch of national security, it deserves to be given priority for strategic, targeted research funding in both the technological and policy realms. Thanks, and I am happy to answer your questions.

[The prepared statement of Mr. Savage appears as a submission for the record.]

Chairman Whitehouse. Thank you, Dr. Savage. Our final witness is Stewart Baker, a partner in the law firm of Steptoe & Johnson, where his practice covers national and homeland security, cyber security, electronic surveillance, law enforcement, export control, encryption, and related technology issues. From 2005 to 2009, Mr. Baker served as the first Assistant Secretary for Policy at the Department of Homeland Security, where he oversaw the office responsible for department-wide policy analysis, international affairs, strategic planning, and relationships with the private sector. From 1992 to 1994, Mr. Baker was General Counsel of the National Security Agency. Thank you for being with us.

STATEMENT OF STEWART A. BAKER, PARTNER, STEPTOE & JOHNSON, LLP, WASHINGTON, D.C.

Mr. Baker. Thank you, Mr. Chairman, Ranking Member Kyl, Senator Blumenthal. I should say the one other credential that was left off of my biography is that I am Brown Class of 1969.

Chairman Whitehouse. Very important credential to the Chairman. Thank you.

Mr. Baker. I would like to spend a little time on--I talked in my testimony about how bad this problem is. It is worse even than we have heard today because there really are very few barriers to a substantial increase in cyber attacks and cyber crime. I laid out in my testimony the many things that we had hoped will save us that will not. Blaming Microsoft is not going to save us because almost all of the software that is being used today has similar flaws. Trying to use tokens, which many of us believe would save us instead of passwords, increasingly have been compromised by hacking attacks and by realtime exfiltration of those token credentials. We are not even going to be able to save ourselves if we call people up and say, ``Did you really send me this e-mail?'' Because that kind of out-of-band confirmation of the sort you get with your credit card is increasingly at risk as we move to IP telephony, which will have all of the problems that ordinarily computers have as well.

Disconnecting from the Internet, which we also are not going to do, is not going to solve this problem because the agencies that have tried doing that--the Defense Department, the Iranian Natanz centrifuge plant--have, nonetheless, been compromised by attacks that use thumb drives and other media as a way of transporting the compromising software. What many of us hope to rely on, the anonymity that nobody is really particularly looking for me, is also not going to save us because, increasingly, it is possible to essentially infect the world and then ask your malware to run in the background until you do something that the crooks think is interesting, like log on to a particular account with a private equity fund, which indicates you have enough money to be worth stealing from, at which point they will start stealing from you. All of those things are solutions that will not actually work.

And perhaps most important for this Committee and this hearing, law enforcement is, in my view, almost entirely helpless at this point. Six more prosecutors are not going to address this issue in any significant way, and the principal reason for that is that--I thought Professor Savage got it right. We do feel safe in our houses, but it is not because the locks are perfect. The locks on our houses are much worse than the locks that are already on our computers. What is different is that there is a realistic possibility of being caught committing a crime if you try to break into somebody's house and almost no possibility that you will be caught and prosecuted if you commit a cyber crime.

I have suggested a bunch of rather tentative approaches to solutions in my testimony, but I would like to just focus on one, which is we really need to do a much better job of building in attribution and minimizing anonymity on the Internet, making it much more difficult for people to do business, send e-mails, transmit packets and the like, and be confident that they cannot be tracked back to their actual identity. This is a very difficult task. It is an architectural problem that is quite significant. But, in my view, we will not solve this problem if we cannot realistically threaten to punish the people who are carrying these attacks out. We will simply see more and more sophisticated, more and more elaborate, and more and more damaging attacks until we begin structuring the Internet and structuring the relationship that ISPs have with each other and with their customers so that it is much more difficult for people to avoid being identified when they commit these crimes. I will stop there.

[The prepared statement of Mr. Baker appears as a submission for the record.]

Chairman Whitehouse. Thank you very much. We had General Alexander, who I think is a really remarkable individual, come to the University of Rhode Island yesterday. He came at the invitation of Congressman Langevin, who has a very significant role in this area on the House side, and Jim Langevin and I talk frequently about this issue because I have an interest on our side as well. During the course of the discussion, General Alexander said that we could--right now our stock markets, our financial markets could be taken down, our power grid could be taken down. If our power grid were taken down, it would not come up quickly. It would not be just like the branch fell on the wire outside your house, but do not worry, when the truck comes, the power will be back on. It would be much more persistent and prolonged than that.
He said that the entire financial sector is vulnerable and could be compromised, communications networks, and that they could interlock. So the scale of how bad this could be, if it really gets to the level of full-blown cyber war, is really very, very dramatic. I am interested--since we have private sector folks here, this may seem like a hypothetical question, but I would love to get your take on it. If you imagine that there is a universe of cyber threats out there and within that universe of cyber threats there is a group of them about which the Government has awareness--Mr. Baker, your old shop has pretty wide awareness, probably wider than anybody else in the world, into the criminal ecosystem of the cyber world. Within that larger awareness, there is an awareness that the private sector has at its best level, at the level of McAfee, at the level of Symantec, RSA, and so forth. I would love, starting with you, Dr. Schneck, to get your sense of what portion of the awareness that NSA has of the cyber threat you think the private sector has. Clearly, it is going to be a subset. But is it a tiny subset, or is it a significant portion? What is your guess on how much visibility McAfee and Symantec and the rest of the private sector defenders of our private sector corporations have compared to the NSA and to the overall picture? Ms. Schneck. Thank you, Chairman Whitehouse. I will steal some words from AD Snow earlier and ask that we could continue part of this answer in a different forum. So clearly there will be an overlap between what any Government entity, whether it is intelligence, community law enforcement, DHS--would know and what the private sector knows. I think we get our intelligence differently in some cases. We gets ours from protecting customers, so first and foremost, whether the threat is just to get a little money or whether it is to destroy the electric grid, we block that threat. 
We stand in front of the target; we make sure the threat does not get there. That is our first move. That is the in-line, speed-of-light work. The second line is the human work. The reason that is so hard is because we see all this data come together, and it paints a picture. This happened in Night Dragon. And as that picture came together, you realize that it is targeting the oil and gas sector. At what point can we in the private sector share that picture with the intelligence community, with the FBI and the Secret Service?

Chairman Whitehouse. Let me try to focus back on my question, and before I give the other two witnesses a chance to answer it, would you at least concede that the awareness that the cyber defense private sector community has of the threat is significantly smaller than the awareness that NSA has of the threat?

Ms. Schneck. So it is hard to answer that question in this forum. I think the awareness is different. I do believe there is an overlap. I think there is a lot of data in the private sector that, if we were able to share that more readily with some legal protection, we would protect our country better.

Senator Whitehouse. Do you understand my question, Dr. Savage----

Ms. Schneck. I do, and I believe----

Chairman Whitehouse. No, no. I am sorry. I am going on to the next witness.

Ms. Schneck. OK.

Mr. Savage. I do understand your question, and I cannot answer it either because I do not represent either the private industry or the intelligence community. However, what I will say is I would not be surprised if the private sector had access to perhaps more data than the National Security Agency simply by virtue of the fact that they have sold, they sell products to customers worldwide, monitor the state of computers worldwide. Although before I do not know for sure, I expect that the National Security Agency has a different focus. So I would not be surprised if the private sector had a great deal of very useful information.

Chairman Whitehouse.
And, Mr. Baker, what is your take?

Mr. Baker. I would divide the problem into three possible kinds of attacks: there are attacks to steal money, there are attacks to steal secrets, and there are attacks to sabotage a system. When it is a question of stealing money, I would say the private sector is better informed and better protected than the U.S. Government or Government agencies generally. It affects the bottom line. They know how much to spend. They want to spend enough to stop losses that are equivalent to what they have spent. And they do a better job than the U.S. Government protecting themselves from that kind of an attack. Stealing secrets, I would say the U.S. Government has a better awareness and, by and large, I get more calls from people in the private sector who are alerted to their losses by the U.S. Government than the other way around. And there is a tendency, if you do not steal secrets for a living, as intelligence agencies do, not to believe that people are really doing that to you, and the private sector falls prey to that illusion. And then there is sabotage where I think the private sector is utterly clueless. They do not want to think about the possibility of sabotage because they have no idea what to do about that. They will end up spending money and getting nothing obvious back because they are running now--they have not been sabotaged yet, so all they get is a sense that maybe they would withstand an attack, but they do not even know that. And so they are reluctant to spend money or even to hear the message in the private sector, the electrical grid, or the pipeline companies and the like. The reluctance to hear that message is profound.

Chairman Whitehouse. Senator Kyl.

Senator Kyl. Thank you, Mr. Chairman. First, Mr. Baker, two questions for you. You discussed the supply chain vulnerabilities, including the new smart grid infrastructure.
What is being done to ensure that the smart grid does not become in essence an electronic Trojan horse?

Mr. Baker. Well, some things are being done on paper. There are security standards being developed. Whether they are really sufficient is open to question. But even if they were sufficient, there is not an obvious enforcement mechanism. The mechanisms for regulating power companies are deeply local and State, and both the power companies and the State PUCs like it that way, and they do not want the Federal Government to step in and start telling them anything about their business. And so while the Federal Government can recommend some security standards, the PUCs who have to enforce them, in my understanding, are not really doing much.

Senator Kyl. So we have still got a big problem there.

Mr. Baker. Yes.

Senator Kyl. Now, I think you are aware that last year Congress gave the Department of Defense some new powers to protect its information systems, and I wonder--regarding the supply chain, again. I am just wondering whether you think maybe Congress should use that kind of authority as a template for other agencies in the Federal Government.

Mr. Baker. Well, certainly other agencies beyond the Defense Department have to worry about the possibility that the supply chain will compromise them, and indeed, you know, anything that we think is a worry for the Defense Department is probably a worry for the New York Stock Exchange or Citibank, and we should not be encouraging them or allowing them, without knowing about the risk, to continue to rely on insecure material.

Senator Kyl. So we might take a look at that template in dealing with other agencies that have important issues like that.

Mr. Baker. Yes.

Senator Kyl. Now, for all of you, there is a sense here that there is no silver bullet except better enforcement, but better enforcement is really hard to do, well, primarily from a resource standpoint, but also a capability standpoint.
So I presume that incremental changes, including creating incentives, is one of the answers here. And in terms of changing behavior, my question is with the private sector--in particular business but also individuals--whether a greater use of the concept of insurance as providing incentives would help the private sector develop better protections. Maybe we will start with you, Mr. Savage, and then Phyllis.

Mr. Savage. I agree. Cyber insurance to protect against fraud, theft, interruption of service, things of that sort would be very valuable, because I recall many years ago learning about workers' compensation insurance where an insurance company would issue a policy but they would also provide experts to come into your place of business to help you improve it so that they could reduce the number of injuries and, therefore, the number of charges. When I was in the State Department, I sat on a NITRD panel that put together a set of recommendations, one of which was a cyber economics recommendation for funding in fiscal year 2012's budget, and the idea there being that if you offer insurance, you can invite companies who are going to purchase the insurance to provide you with incident information, which you can then collect and use to create actuarial tables reducing their costs, but also pooling these resources with other insurance companies. The good news is that when I was in the State Department, I received a call from a Brown grad who had seen I was a Jefferson Science Fellow. She works for an insurance company in the Hartford area that sells insurance of this kind, but they were a little bit at sea because they could not really find the others and work with the others to do this kind of thing that I described.

Senator Kyl. Especially ways to help resolve that problem and whether the Government should be involved in this, Dr. Schneck?

Ms. Schneck. So, thank you. We have looked at the insurance model for about 11 years that I remember.
The key roadblock to that was the lack of the actuarial data, to Professor Savage's point on the need for that data. So in the startup, we have plenty of data we can look back on in driving habits and other areas where things are insured, but in this arena so little is reported that we know what we know because we are out there protecting, but to Mr. Baker's point, most of the private sector does not have this kind of knowledge. So that actuarial data to make the model work on the insurance would be exceedingly difficult. That is not to say it would not be a great idea to incentivize, but we would have to make sure of two things: one is that the data is there so that nobody gets burnt, so the model fits; and the other is to ensure that we are not encouraging companies to be compliant, they have to be secure. There is a very big difference. Do not just check the box, but comprehensively protect your infrastructure.

Senator Kyl. Mr. Baker, any other thoughts?

Mr. Baker. Yes, very briefly. For insurance to work, people have to either expect a harm, an identifiable harm, or identifiable liability. The likelihood of liability in this area has so far been pretty minimal just because of the difficulty of tracking the attacks. And if all they steal is secrets, you are not going to be able to identify a harm that an insurance company will be comfortable reimbursing you for. So it is part of the solution, but it is not as good a solution as I would like.

Senator Kyl. Thank you.

Chairman Whitehouse. Senator Blumenthal.

Senator Blumenthal. Thank you. I would like to pursue that line of questioning, but first thank you, all three of you, for your very enlightening and useful testimony, and I would like to pursue some of the questions here outside the time that I have. But in terms of liability, that is something that corporations understand.
If we talk about incentives, which is where I was going with the last panel--treble damages--we know how to impose liability, we know how to penalize. The courts do it all the time. They have to put estimates on that harm. It may be difficult to calculate, but, you know, we do it with pain and suffering. If we can do it with pain and suffering, then we can do it with the kind of commercial damage that people suffer, which is much easier in many respects to quantify. So for all of you--but it is a question raised by Dr. Savage's testimony, and I am quoting again: ``. . . the incentives to adopt them are weak''--referring to the solutions to these cyber security problems--``primarily because security is expensive and there is no requirement they be adopted until disaster strikes.'' What can we require--and I invite you to supplement your answers here perhaps after you think about it some more. What can we require, whether it is liability or Senator Kyl mentioned insurance--and I agree with you about all the difficulties raised by the insurance model. What can we do to really grow your business, Dr. Schneck? And I do not mean that altogether facetiously, I mean not just grow your business, but grow the interest and incentive to do the kinds of things that you advise your clients to do.

Ms. Schneck. Thank you. I think the first might be to incentivize some innovation. So we have grown by finding ways around this adversary. We get them by going at the speed of light. That was a focus of necessity. That was market driven. If we can change our culture a bit to have companies incented to innovate around security and find models that work, find ways that make them money by being more secure--and the insurance model is a subset of that--I think that is one area. The other might be some tax incentives, and, again, not just being compliant but in doing it right and having that--again, the decade-old discussion but the top-down policy, the culture of security in the company.
Senator Blumenthal. But we want to measure results, not just that they put a better fence around the home----

Ms. Schneck. Correct.

Senator Blumenthal.--or a better fire alarm--which, by the way, insurance companies do reward so the insurance model does work--or other kinds of alarms on homes. Professor Savage or Mr. Baker.

Mr. Savage. I will say quickly, I continue to be troubled by end-user licensing agreements which state that the company selling me the software has no responsibility for it once it is in my hands. I cannot fix any bugs that exist or any security hazards that exist in that software myself. I cannot even keep it up to date quickly enough because, as we know, as we have heard, half of all the malware goes undetected. It is said that last year PandaLabs reported that half of the malware lived for 1 day. I am not sure to what extent that statement is correct, but that is what I read. Coming back to a point you made earlier, you asked about the technologies that could be incorporated, well, there are--you know, research is being done all the time, and it takes time, of course, for these results to appear in products. But there are ways to detect botnets. There are ways to defeat denial-of-service attacks and things of that sort. And if there were the right incentives--and I do not know what they are--maybe some of our companies would be more ready to adopt them. Now, having said that, there has been a lot of work done by a number of companies both in the software sector and financial services sector to introduce security techniques to teach their engineers to write code that is less easily attacked. And I think many of those efforts are actually terrific, and you can see it, I think, in the reporting rates of errors. So I want to applaud the industry for doing that. At the same time, I think they need to take responsibility for this issue. And as I say, many are, but not all.

Senator Blumenthal. Thank you. Mr. Baker.
If I could just--I know you are deeply familiar with the data breach laws and the penalties for that, and I have good news and bad news about those laws. The good news is they have made a big difference in corporate behavior. The companies do not want to have to disclose that they have released a large amount of personal information about consumers, and they will take steps to prevent that from happening. The bad news is that that is where the security budgets have, by and large, gone. They are spending a lot of money to make sure that their hard drives are encrypted so that if they leave the computer, the laptop, at the airport, they do not have to disclose a breach. They are not, by and large, treating some of these more sophisticated attacks with the same kind of attention because they do not tend to produce a verifiable personal information breach. And so if you are going to go down that road, I would urge you to try to find an agency with a broader picture of the kinds of attacks that can adjust the incentives so people are actually responding to the worst kinds of attacks, the ones that are most dangerous to us as a country.

Senator Blumenthal. Thank you. Thank you, Mr. Chairman.

Chairman Whitehouse. Mr. Baker, as the lawyer on the panel, let me ask you two questions. One, in response to what Dr. Savage said, should we be concerned that significant players in this area are purporting, at least, in their contractual arrangements to relieve themselves of any liability, given that liability is often a motivating factor in human behavior? And, second, to follow up on my question to the earlier panel, I was very impressed by Microsoft's lawsuit. I asked them to send me the complaint. I thought it was very well done. And they did not really have a hostile defendant. The defendant, the provider who was at stake, was perfectly happy to comply as long as they had a court order that gave them a reason to do it and protected them from any liability for what they did.
And I am a little bit surprised that there does not seem to be more activity in that arena, somebody knows that there is a bot out there that they can disable, somebody knows that there is a worm out there, somebody knows that there is a piece of--a website that is--you know, whatever it is that they know about their risk posture, it seems very rare that somebody actually goes to a court and says, oh, by the way, let us bring in--again, the domain registrar, their ISP, or whoever--and say we want you, because of the threat to our welfare here, to make this change in your programming so that our threat is diminished. And then everybody sits around and says yes, the judge hits the gavel, everybody is happy. It seems to me to be--the Microsoft thing does not seem to be repeating itself as often as I would have expected. I am aware of a couple of others, but that seems to be the breakthrough one, and it does not seem to have created the sort of torrent I expected of people going out to the courts, to the ISPs, to the domain registrars, to help them clean up the environment.

Mr. Baker. Microsoft is in the unique position of seeing attacks around the world on their software and having the resources to pursue creative solutions. And I agree with you, that was a very creative and constructive approach. I do think that it is worth exploring what could be done to allow companies that have an interest in doing more but need some reassurance that what they are doing is not going to result in liability. One of the great values of a civil injunction and a civil order is that you know that the people that you are going after are not going to turn around and file lawsuits against you, because you have already gotten prior approval. And finding ways to relieve ISPs, other companies, of their fear that doing the right thing will result in liability is worth looking at. I think that is a constructive approach.
By and large, using the tort system to improve security is a pretty backward-looking approach; that is to say, by the time you get a judgment, you are 6 years past the problem, and it is probably----

Chairman Whitehouse. You are back to my first question.

Mr. Baker. Yes, I am coming back to your first----

Chairman Whitehouse. Yes, I am not sure it is the best way----

Mr. Baker. So I----

Chairman Whitehouse. I am also not sure that allowing a company to completely relieve itself of liability contractually is very helpful in this space either, because it takes their mind off it and they go on to other projects.

Mr. Baker. I do not disagree with you on that, and I support the idea of having at least agencies that understand what good security practices are, start to define those for companies, including software companies, to make sure that they are actually doing the things that they need to do. And if they say you need to do this and then the company does not do it, I do not think those contractual clauses are going to save them from liability.

Chairman Whitehouse. Senator Kyl?

Senator Kyl. Thank you very much.

Chairman Whitehouse. Anything further?

Senator Blumenthal. No. Thank you.

Chairman Whitehouse. All right. We will conclude this hearing. I thank all of the witnesses, and once again I very much appreciate the Night Dragon report that McAfee did. The hearing will stay open, the docket of the hearing will stay open for an additional week, and we will, of course, ask all of the witnesses to comply with the questions for the record that you will get in writing. Again, thank you very much. This has been instructive and helpful. The hearing is adjourned.

[Whereupon, at 4:33 p.m., the Subcommittee was adjourned.]

[Questions and answers and submissions for the record follow.]