[Senate Hearing 112-167]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-167

 CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CRIME AND TERRORISM

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 12, 2011

                               __________

                          Serial No. J-112-16

                               __________

         Printed for the use of the Committee on the Judiciary








                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
71-412 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001




                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director
                                 ------                                

                  Subcommittee on Crime and Terrorism

               SHELDON WHITEHOUSE, Rhode Island, Chairman
HERB KOHL, Wisconsin                 JON KYL, Arizona
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina
CHRISTOPHER A. COONS, Delaware
                Stephen Lilley, Democratic Chief Counsel
               Stephen Higgins, Republican Chief Counsel






                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Kyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     3
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode 
  Island.........................................................     1

                               WITNESSES

Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, 
  DC.............................................................    29
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal 
  Investigation Division, U.S. Secret Service....................     8
Savage, John E., Professor of Computer Science, Brown University, 
  Providence, Rhode Island.......................................    27
Schneck, Phyllis, vice President and Chief Technology Officer, 
  Global Public Sector, McAfee Inc., Reston, Virginia............    24
Snow, Gordon M., Assistant Director, Cyber Division, Federal 
  Bureau of Investigation........................................     6
Weinstein, Jason, Deputy Assistant Attorney General, Criminal 
  Division, U.S. Department of Justice...........................     4

                         QUESTIONS AND ANSWERS

Responses of Stewart A. Baker to questions submitted by Senator 
  Hatch..........................................................    38
Responses of Pablo A. Martinez to questions submitted by Senators 
  Whitehouse and Feinstein.......................................    39
Responses of Pablo A. Martinez and Gordon M. Snow to questions 
  submitted by Senators Hatch and Klobuchar......................    41
Responses of Gordon M. Snow to questions submitted by Senators 
  Feinstein, Whitehouse, Klobuchar and Hatch.....................    46
Responses of John E. Savage to questions submitted by Senator 
  Hatch..........................................................    56
Responses of Phyllis Schneck to questions submitted by Senator 
  Hatch..........................................................    59
Responses of Jason Weinstein to questions submitted by Senators 
  Hatch and Whitehouse...........................................    61

                       SUBMISSIONS FOR THE RECORD

Baker, Stewart A., Partner, Steptoe & Johnson, LLP, Washington, 
  DC.............................................................    63
Global Energy Cyberattacks: ``Night Dragon'', McAfee Foundstone, 
  February 10, 2011, report......................................    70
Martinez, Pablo A., Deputy Special Agent In Charge, Criminal 
  Investigation Division, U.S. Secret Service....................    89
Savage, John E., Professor of Computer Science, Brown University, 
  Providence, Rhode Island.......................................    98
Schneck, Phyllis, Vice President and Chief Technology Officer, 
  Global Public Sector, McAfee Inc., Reston, Virginia............   106
Snow, Gordon M., Assistant Director, Cyber Division, Federal 
  Bureau of Investigation........................................   120
Weinstein, Jason, Deputy Assistant Attorney General, Criminal 
  Division, U.S. Department of Justice...........................   130

 
 CYBER SECURITY: RESPONDING TO THE THREAT OF CYBER CRIME AND TERRORISM

                              ----------                              


                        TUESDAY, APRIL 12, 2011

                                       U.S. Senate,
                       Subcommittee on Crime and Terrorism,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:38 p.m. in room 
SD-226, Dirksen Senate Office Building, Hon. Sheldon 
Whitehouse, Chairman of the Subcommittee, presiding.
    Present: Senators Whitehouse, Feinstein, Klobuchar, Coons, 
Blumenthal, Kyl, and Hatch.

 OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR 
                 FROM THE STATE OF RHODE ISLAND

    Chairman Whitehouse. Good afternoon, everyone. Thank you 
all for being here. Today's hearing takes on a topic of vital 
importance: Cyber Security: Responding to the Threat of Cyber 
Crime and Terrorism.
    We live in the most connected and technologically advanced 
country in the world. Our electrical engineers, computer 
scientists, and technology companies have changed the way that 
the world does business, made our daily lives safer and more 
enjoyable, empowered free speech in repressive states, and 
brought the world closer together. These remarkable innovations 
unfortunately also have given criminals, terrorists, and 
hostile states new opportunities to steal American property, 
disrupt our way of life, and compromise our National security.
    American consumers are now subject to endless swindles 
achieved by spear phishing e-mails, malware that turns their 
computers into unwitting bots sending out malicious spam, or 
the many varieties of identity theft cooked up by cyber crooks 
to steal hard-working Americans' privacy and money.
    Our country's businesses likewise are under assault by 
foreign agents who seek to steal American intellectual 
property, a crime that has reportedly led to the loss of over 
$1 trillion of value to date; and by criminal hackers who seek 
to empty out corporate accounts or to blackmail companies by 
threatening to release stolen trade secrets. These crimes hurt 
companies' bottom lines and they rob us of American jobs, 
shuttering small businesses by stealing their core intellectual 
property, making a new product line unprofitable by letting a 
foreign company reap the benefit of American research and 
development, or even preventing the next great American company 
from bringing the next great innovation to market.
    Key elements of our Nation's critical infrastructure such 
as our electrical grid, financial services system, and 
telecommunications networks have been probed by malicious 
actors and in some cases compromised, with the possibility that 
hostile state actors have buried latent attacks that they can 
trigger when it would hurt us most. Even our Government, 
civilian, and military networks are under constant and 
successful attack.
    We need to do more to defeat the massive and worsening 
cyber threat. I am not alone in this belief. The Majority 
Leader has recognized that the Senate should act on cyber 
security legislation. The Commerce, Homeland Security, 
Intelligence, and Armed Services Committees have been hard at 
work. This Committee, under Chairman Leahy's leadership, has 
reported data breach legislation and last week held a hearing 
that has considered reform of the Electronic Communications 
Privacy Act. And we hope and expect the administration to weigh 
in shortly with its proposals to improve our Nation's cyber 
security.
    The Senate has important work ahead. It may be hard and 
complicated work, but I believe that we can accomplish this 
task in a bipartisan and well-considered fashion. I 
particularly look forward to working on this vital national 
issue with the Ranking Member of this Committee, Senator Jon 
Kyl.
    I know that this is a topic of serious interest and prior 
work for you, Senator Kyl, and I believe we will make a lot of 
progress together.
    I am very happy, for example, to be working with you to 
improve public awareness of the cyber security threats facing 
our Nation on a bill that I hope we can file shortly, and to go 
on to work on legislation to provide a safe space for joint 
defense by our private industries to take place.
    Today's hearing will explore the nature, scale, source, and 
sophistication of cyber attacks against consumers, Government 
agencies, and businesses and industries and compare that to the 
resources that our Government currently brings to bear on these 
attacks, as well as investigative and prosecutorial successes 
and limitations. And it will consider the ways in which the 
private sector is able to collaborate with law enforcement to 
defend against and respond to cyber attacks.
    We are lucky to have two very strong panels of expert 
witnesses from inside and outside the administration, including 
a distinguished professor from Brown University in my home 
State of Rhode Island, which I am happy to note is already at 
the forefront of the cyber security field. I thank all of the 
witnesses for being here today.
    Before I turn to Senator Kyl, let me flag my serious 
concern that our prosecutorial and investigative resources are 
not appropriately scaled to the threat we face. Even in this 
time of budget cutting, given the enormous stakes, the cyber 
threat is simply too dangerous to leave underresourced.
    Again, I thank the witnesses for being here and now turn to 
the Ranking Member, Senator Kyl, for his opening statement. 
Senator Kyl.

  STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF 
                            ARIZONA

    Senator Kyl. Thank you, Mr. Chairman, not only for holding 
this hearing today but for the remarks that you just made.
    As one former member of the Intelligence Committee to 
another, I have been deeply impressed by your commitment to 
cyber security and your command of the associated issues and 
look forward to what will be the first of many hearings on this 
subject before this Subcommittee.
    I am also pleased to have been able to work with you to 
draft the forthcoming legislation that you mentioned regarding 
cyber security awareness. While this bill may be considered 
chiefly a place holder for things to come, I think it is an 
important step because of the multitude of topics that it 
covers, and that multitude speaks to a larger point and 
problem.
    I know of your frustration that Congress has waited for so 
long to get cyber security legislative proposals from the White 
House. This delay has complicated the Congress' task of passing 
comprehensive cyber security legislation. By my count, there 
are more than seven full committees on the Senate side alone, 
including the Judiciary Committee, that will be involved in 
drafting a comprehensive bill. This will take time, and we are 
long overdue for the President to share his proposals for cyber 
security legislation so that we can get started.
    I am eager to hear from our expert witnesses about how they 
think Congress should differentiate cyber crime and cyber 
warfare directed by a state or terrorist group, especially 
since, I would argue, it does not much matter if a crippling 
attack on our electric grid, banking system, or other critical 
infrastructure, or the wholesale theft of billions of dollars 
of U.S. intellectual property, defense related or purely 
commercial, is being directed by a cyber mafia or a cyber army. 
It is the responsibility of this Government to stop the attack 
either way. If we are just focusing on prosecuting these 
attacks of cyber crime, then I would say we have failed.
    So I look forward to the testimony of our witnesses, Mr. 
Chairman, and I hope there will be stimulating and informative 
rounds of questions thereafter. Thank you.
    Chairman Whitehouse. Thank you, Senator Kyl.
    If I could ask the witnesses to stand for the oath. Do you 
affirm that the testimony you are about to give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you God?
    Mr. Weinstein. I do.
    Mr. Snow. I do.
    Mr. Martinez. I do.
    Chairman Whitehouse. Thank you very much. Please be seated.
    We will just go right across the table with the witnesses, 
beginning with Jason Weinstein. Jason Weinstein currently 
serves as Deputy Assistant Attorney General in the Department 
of Justice's Criminal Division where he oversees the Division's 
efforts to combat computer crime and intellectual property 
crime, as well as anti-gang and violent crime efforts and human 
rights and human-smuggling programs.
    Before joining the Criminal Division, Mr. Weinstein served 
as chief of the Violent Crimes Section of the U.S. Attorney's 
Office in Baltimore and before that as an Assistant United 
States Attorney in the U.S. Attorney's Office for the Southern 
District--the Sovereign District--of New York. We are delighted 
that he is here, and your full statement will be a matter of 
record, so if you could please make whatever statement you 
would like to make orally within the allotted time, I would 
appreciate that.

    STATEMENT OF JASON WEINSTEIN, DEPUTY ASSISTANT ATTORNEY 
     GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE

    Mr. Weinstein. Thank you, Mr. Chairman. The Sovereign 
District of New York jokes got a lot funnier after I moved to 
Baltimore.
    Good afternoon, Chairman Whitehouse, Ranking Member Kyl, 
and other members of the Subcommittee, and I thank you for the 
opportunity to appear before you today.
    As we all know, the explosive growth of the Internet and 
other modern forms of communication has revolutionized nearly 
every aspect of our daily lives. But at the same time, it has 
also revolutionized crime, and increasingly the Internet has 
being exploited by criminals throughout the world to commit a 
staggering array of crimes.
    From around the corner or around the globe, skilled hackers 
work every single day, and many times every day, to access the 
computer systems of Government agencies, of universities, 
banks, merchants, and credit card companies to steal large 
volumes of personal information and to perpetrate large-scale 
data breaches that leave tens of millions of Americans at risk 
of identity theft.
    Our information infrastructure is under constant attack 
from these criminals as well as from terrorists and nation 
states that seek to exploit our dependency on information 
technology to threaten both our economic and our National 
security.
    So for these reasons, now more than ever cyber security has 
to be a national priority. This administration is committed to 
implementing a comprehensive framework that will allow us to 
bring all appropriate tools, criminal and otherwise, to bear 
against cyber criminals, terrorists, and other malicious 
actors. And the Department of Justice plays a critical role in 
that effort.
    The Justice Department works closely with our partners 
throughout the Government to support the Nation's efforts to 
support cyberspace, including by providing legal support and 
helping to ensure that we vigorously protect privacy and civil 
liberties. The Department also plays a leading role in 
counterintelligence and national security investigations that 
uncover threats to our computer networks from terrorists and 
state actors.
    But perhaps one of the Department's most important 
contributions to the Nation's overall cyber security is the 
investigation and prosecution of cyber criminals as we seek to 
incapacitate and punish the cyber criminals of today and to 
deter the cyber criminals of tomorrow. And in that important 
work, our prosecutors from the Criminal Division, from the 
National Security Division, and from the U.S. Attorney's 
Offices enjoy very strong relationships with our law 
enforcement agency partners, and in particular with the other 
two agencies represented on the panel with me today--the FBI 
and the Secret Service.
    Those strong relationships and the dedication and skill of 
our prosecutors and our agents have led to a number of major 
enforcement successes, including the following:
    In August of 2008, the Department, working with the Secret 
Service, announced one of the largest hacking and identity 
theft cases ever prosecuted, in which charges were brought by 
the U.S. Attorney's Offices in three different districts--
Massachusetts, Southern California, and Eastern New York--
against 11 members of an international ring responsible for the 
theft and sale of more than 40 million credit and debit card 
numbers that had been stolen from major retailers.
    The defendants were from all over the world--from the U.S., 
from Estonia, Ukraine, China, and Belarus--and they included 
one of the world's top hackers, Albert Gonzalez. Gonzalez pled 
guilty to the charges and was sentenced to 20 years in prison, 
which is one of the longest sentences ever imposed in a hacking 
case.
    In November 2009, following a year-long investigation led 
by the FBI, the Department announced the indictment in the 
Northern District of Georgia of a hacking ring responsible for 
executing a global fraud scheme involving defendants from 
Estonia, Russia, and Moldova. The defendants were charged with 
hacking into a network operated by the credit card processing 
company RBS WorldPay, compromising its data encryption and then 
providing a network of cashers throughout the world with 
counterfeit payroll debit cards. Those cashers used those cards 
to withdraw over $9 million from more than 2,100 ATM machines 
in at least 280 cities worldwide, and they conducted that 
coordinated global cashing operation in less than 12 hours.
    Those cases as well as the others referred to in my written 
testimony illustrate the scope of the Department's efforts to 
pursue cyber criminals. But, significantly, they also reveal 
the global nature and the global reach that cyber criminals can 
have.
    The criminals responsible for those and other large-scale 
intrusions often live in and operate from foreign 
jurisdictions. It is often literally impossible to identify, 
arrest, and prosecute the offenders or to obtain critical 
evidence that we need to prosecute the offenders without the 
assistance of foreign law enforcement. And for that reason, our 
work does not stop at our shores.
    Due to the transnational nature of most cyber security 
incidents, continued close coordination and cooperation with 
our foreign partners is critical to our success. And in that 
connection, we rely on the International Convention on Cyber 
Crime to provide a framework for efficient cooperation among 
nations involving electronic crime.
    The Department is proud of these cases and all of our cyber 
security efforts, but there should be no doubt, as the Chairman 
and the Ranking Member said, that the cyber threats to our 
Nation are growing and evolving, and we must remain vigilant 
and prepared to confront them, and we will continue to work 
with our Government and private sector partners and the 
Congress to meet that challenge.
    Thank you for the opportunity to be here today to discuss 
this issue with you, and I would be pleased to answer your 
questions.
    [The prepared statement of Mr. Weinstein appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you very much. We are delighted 
to have you with us.
    We will go on next to Gordon Snow, who is the Assistant 
Director of the Cyber Division at the Federal Bureau of 
Investigation. He was named section chief of the Bureau's Cyber 
Division on January 2008 and now leads the Division's Cyber 
National Security Section and the National Cyber Investigative 
Joint Task Force. From January 2008 to January 2009, he was 
detailed to the Director of National Intelligence on the 
National Counterintelligence Executive. During that assignment, 
he led the effort in drafting the goverment-wide Cyber 
Counterintelligence Plan under the Comprehensive National Cyber 
Initiative.
    Prior to that, Mr. Snow's work with the FBI took him to 
Afghanistan as the FBI's on-scene commander for the 
Counterterrorism Division, to Silicon Valley working on the 
High Value Computer Crimes Task Force, and to Yemen and East 
Africa.
    Thank you, Mr. Snow. Glad to have you with us.

    STATEMENT OF GORDON M. SNOW, ASSISTANT DIRECTOR, CYBER 
           DIVISION, FEDERAL BUREAU OF INVESTIGATION

    Mr. Snow. Good afternoon, Chairman Whitehouse, Ranking 
Member Kyl, and members of the Subcommittee. I am pleased to 
appear before you today to discuss the cyber threats facing our 
Nation and how the FBI and our partners are working together to 
respond to the threat of cyber crime and terrorism.
    As the Committee is aware, cyber attacks have increased 
over the past 5 years and are expected to grow. We have reached 
the point that, given enough time and motivation and funding, a 
determined adversary will likely be able to penetrate any 
system that is accessible directly from the Internet. The FBI 
has identified the most significant cyber threats to our Nation 
as those with high intent and high capability to inflict damage 
or death in the U.S., to illegally obtain sensitive or 
classified information, or to illicitly acquire assets.
    I would like to focus my remarks today on a few of the many 
threats facing the private sector, including threats against 
infrastructure, intellectual property, individual businesses, 
and our partnerships to address these threats.
    U.S. critical infrastructure faces a growing cyber threat 
due to the advancements in the availability and sophistication 
of malicious software tools. The recent security breach by 
unauthorized intruders into the parent company of NASDAQ is an 
example of the kind of breaches directed against important 
financial infrastructure.
    Industrial control systems, which operate the physical 
processes of the Nation's pipelines, railroads, and other 
critical infrastructures, are at great risk of cyber 
exploitation.
    Similarly, new ``smart grid'' and ``smart home'' products 
could also be exploited by cyber criminals, nation states, and 
terrorists. These systems need to be developed and implemented 
in ways that will provide protection from unauthorized use.
    Intellectual property rights violations, including theft of 
trade secrets, digital piracy, and trafficking in counterfeit 
goods, also represent high cyber criminal threats, resulting in 
losses of billions of dollars in profits annually. These 
threats pose significant risk to U.S. public health and safety 
via counterfeit pharmaceuticals, electrical components, 
aircraft parts, and automobile parts.
    Cyber criminals are forming private, trusted, and organized 
groups to conduct cyber crime. The adoption of specialized 
skill sets and professionalized business practices by these 
criminals is steadily increasing the complexity of cyber crime.
    One facet of this are botnets, or networks of compromised 
computers controlled remotely by an attacker. Criminals use 
botnets to facilitate online schemes that steal funds or data, 
to anonymize online activities, and to deny access by others to 
online resources. The botnets run by criminals could be used by 
cyber terrorists or nation states to steal sensitive data, 
raise funds, limit attribution of cyber attacks, or disrupt 
access to critical national infrastructure.
    The potential economic consequences are severe. Often 
businesses are unable to recover their losses, and it may be 
impossible to estimate the damage. Many companies prefer not to 
disclose that their systems have been compromised, making it 
impossible to accurately quantify. Consequently, these damages 
estimates have ranged from millions to hundreds of billions.
    Thanks to Congress and the administration, the FBI is 
devoting significant resources to this threat. Our partnerships 
with industry, academia, and across all of government have led 
to a dramatic improvement in our ability to combat this threat.
    The FBI's statutory authority, expertise, and ability to 
combine resources across multiple programs make it uniquely 
situated to investigate, collect, and disseminate intelligence 
about and counter cyber threats from criminals, nation states, 
and terrorists.
    The FBI has cyber squads in each of its 56 field offices, 
with more than 1,000 advanced cyber-trained FBI agents, 
analysts, and forensic examiners.
    However, the FBI cannot combat the threat alone. Through 
the FBI-led National Cyber Investigative Joint Task Force, we 
coordinate our efforts with over a dozen Federal partners 
throughout the intelligence community and the Department of 
Defense. We also partner through NCIJTF with other Federal law 
enforcement agencies to include most prominently the United 
States Secret Service. The FBI has also embedded cyber staff in 
other intelligence community agencies through joint duty and 
detailee assignments.
    In addition to our 61 legal attaches overseas, we currently 
have FBI agents embedded full-time in five foreign police 
agencies to assist with cyber investigations. These cyber 
agents have identified organized crime groups, supported FBI 
investigations, and trained foreign law enforcement officers 
for more than 40 nations.
    InfraGard is a prime example of the success of public-
private partnerships. Under this initiative, private industry 
leaders work with the FBI to ward off attacks against critical 
infrastructure. Over the last 15 years, this initiative has 
grown from a single chapter to more than 86 chapters in 56 
field offices with 42,000 members.
    In addition to InfraGard, the FBI partners with the 
National White Collar Crime Center and the Internet Crime 
Complaint Center and the National Cyber Forensic and Training 
Alliance. We also partner with the information-sharing and 
analysis centers through the Department of Homeland Security 
and the National Center for Missing and Exploited Children.
    Chairman Whitehouse, Ranking Member Kyl, and members of the 
Subcommittee, in the interest of time today, I have touched 
upon a few of the more significant cyber threats facing our 
Nation. I appreciate the opportunity to come before you and 
share the work the FBI and our partners in the community are 
doing to address the cyber threat in this country and am happy 
to answer any questions you may have.
    [The prepared statement of Mr. Snow appears as a submission 
for the record.]
    Chairman Whitehouse. Thank you, Assistant Director Snow.
    Our next witness, Pablo Martinez, is Deputy Special Agent 
in Charge of the Criminal Investigation Division, Cyber Crime 
Operations, at the United States Secret Service. In this 
capacity, he develops and implements policy for all cyber 
investigations conducted by the Secret Service. Mr. Martinez 
began his career at the Service in 1991, and in 1999 was 
transferred to the Presidential Protective Division. In 2003, 
Mr. Martinez was promoted to the supervisory ranks of the 
Criminal Investigative Division, where he was tasked with 
expanding the Service's Electronic Crimes Task Force. During 
that time, he oversaw the first major cyber operation conducted 
by the Secret Service, Operation Firewall, in which over 30 
online criminals were apprehended worldwide in a simultaneous 
round-up.
    Glad to have you with us, Agent Martinez.

STATEMENT OF PABLO A. MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE, 
      CRIMINAL INVESTIGATION DIVISION, U.S. SECRET SERVICE

    Mr. Martinez. Good afternoon, Chairman Whitehouse, Ranking 
Member Kyl, and distinguished members of the Subcommittee. 
Thank you for the opportunity to testify on the role of the 
Secret Service in cyber investigations.
    On February 1, 2010, the Department of Homeland Security 
delivered the Quadrennial Homeland Security Review, which 
established a framework for homeland security missions and 
goals. I would like to share just a few sentences from the QHSR 
because it underscores the need for a safe and secure 
cyberspace:
    ``As we migrate more of our economic and societal 
transactions to cyberspace, these benefits come with increasing 
risk. We face a variety of adversaries who are working day and 
night to use our dependence on cyberspace against us. 
Sophisticated cyber criminals pose great cost and risk both to 
our economy and national security. They exploit vulnerabilities 
in cyberspace to steal money and information, and to destroy, 
disrupt, or threaten the delivery of critical services.''
    In order to maintain a safe and secure cyberspace, we have 
to disrupt the criminal organizations and other malicious 
actors engaged in high consequence or wide-scale cyber crime.
    To address the threats posed by these transnational cyber 
criminals, the Secret Service has adopted a multi-faceted 
approach to investigate these crimes while working to prevent 
future attacks. A central component of our approach is the 
training provided through our Electronic Crimes Special Agent 
Program, which gives our special agents the tools they need to 
conduct computer forensic examinations on electronic evidence 
obtained from computers, personal data assistants, and other 
electronic devices. To date, more than 1,400 special agents are 
ECSAP trained. In fact, the Secret Service values this training 
so highly that the basic level is now incorporated as a part of 
the curriculum that all special agent trainees receive at our 
James J. Rowley Training Center.
    In addition, since 2008, the Secret Service has provided 
similar training to 932 State and local law enforcement 
officials, prosecutors, and judges, through the National 
Computer Forensics Institute, located in Hoover, Alabama. The 
Secret Service's commitment to sharing information and best 
practices with our partners, the private sector, and academia 
is perhaps best reflected through the work of our 31 Electronic 
Crime Task Forces, including two located overseas in Rome, 
Italy, and London, England.
    To coordinate these complex investigations at the 
headquarters level, the Secret Service has enhanced our cyber 
intelligence section to identify transnational cyber criminals 
involved in network intrusions, identity theft, credit card 
fraud, bank fraud, and other computer-related crimes. In the 
past 2 years, CIS has directly contributed to the arrest of 41 
transnational cyber criminals who were responsible for the 
largest network intrusion cases ever prosecuted in the United 
States. These intrusions resulted in the theft of hundreds of 
millions of credit card numbers and the financial loss of 
approximately $600 million to financial and retail 
institutions.
    As an example, the partnerships developed through our 
ECTFs, the support provided by our CIS, the liaison established 
by our overseas offices, and the training provided to our 
special agents via ECSAP were all instrumental to the Secret 
Service's successful investigation into the network intrusion 
of Heartland Payment Systems. The August 2009 indictment 
alleged that a transnational organized criminal group used 
various network intrusion techniques to breach security, 
navigate the credit card processing environment, and plant a 
collection device to capture payment transaction data.
    Our investigation revealed data from more than 130 million 
credit card accounts were at risk of being compromised and 
exfiltrated to a command and control server operated by an 
international group. Furthermore, the Secret Service uncovered 
that this international group committed other intrusions into 
multiple corporate networks to steal credit and debit card 
data.
    As a result of our investigation, the three suspects in the 
case were indicted for various computer-related crimes. The 
lead defendant in the indictment pled guilty and was sentenced 
to 20 years in Federal prison. This investigation is ongoing 
with over 100 additional victim companies identified. The 
Secret Service is working with its law enforcement partners 
both domestically and overseas to apprehend the two defendants 
who are still at large.
    Chairman Whitehouse, Ranking Member Kyl, and distinguished 
members of the Subcommittee, the Secret Service is committed to 
our mission of safeguarding the Nation's cyber infrastructure 
and will continue to aggressively investigate cyber and 
computer-related crimes to protect American consumers and 
institutions from harm.
    This concludes my prepared statement. Thank you again for 
this opportunity to testify on behalf of the Secret Service.
    [The prepared statement of Mr. Martinez appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you, Agent Martinez. I 
appreciate having you here.
    One of the purposes of this hearing is to look into the 
comparison between the size of the threat and the resource that 
is dedicated to it, and if I may, Mr. Weinstein, let me ask--I 
have some numbers here about Criminal Division deployment at 
the Department of Justice. And just by way of comparison, we 
have looked at OCDETF, the Organized Crime Drug Enforcement 
Task Force program; we have looked at the Organized Crime Task 
Force, dedicated to traditional Mafia organized crime; and we 
have looked at the cyber staff. And the numbers that I have are 
that there are just under 90 attorneys in the Criminal Division 
dedicated to traditional organized crime. There are 13 
attorneys in the Criminal Division dedicated to the OCDETF 
program, but the OCDETF program is very much a field-based 
program, and so they are sort of the local touch point for over 
1,000 staff out in the field, including more than 550 attorneys 
out in the field. So it is a pretty robust field program behind 
those 13 attorneys at Main Justice.
    In the context of that range, we have been told that there 
are 40 attorneys in the Criminal Division who are dedicated to 
computer intrusions and other hacking cases. There are 
additional attorneys who are dedicated to child exploitation, 
to appellate cases, to other crimes that may have a computer 
component but are not the direct hacking cases.
    It strikes me that if the numbers are correct that there is 
as much as $1 trillion, I contend that we are on the losing end 
of the biggest transfer of wealth in the history of humankind 
through theft and piracy in this country right now, that it is 
being done through cyber crime, and that it is a very, very 
significant national security and economic challenge.
    Senator Feinstein and Senator Kyl and I all have also 
served on the Intelligence Committee, and while much of what we 
know from that Committee is classified, in the public hearing 
the Director of National Intelligence Jim Clapper listed the 
national security threats that he felt he was obliged to 
address as the new DNI, and he put cyber security No. 1 above 
everything else.
    And so that was kind of noteworthy, and in that context it 
strikes me that having fewer attorneys dedicated to computer 
intrusions at Main Justice than are dedicated to old-fashioned, 
traditional organized crime is a sign that we here in Congress 
need to provide you with more resources to focus on the cyber 
threat.
    What is your sense of that?
    Mr. Weinstein. Let me, before I answer your question, put 
those numbers in a little bit of context.
    You are right in observing that the OCDETF program is 
mostly a field-based program, so it is not unexpected that that 
is a relatively low number dedicated to that.
    The organized crime number which you quoted, which is about 
89 attorneys, actually it was organized crime broadly defined. 
That is to say, it is traditional organized crime like LCN, 
Mafia-type cases; it is gang cases; it is drug-related 
organized crime like drug cartel cases, which are pursued as 
enterprises; and it includes international organized crime. And 
in that sense, especially with international organized crime, 
there is some overlap with our cyber security and cyber crime 
efforts.
    I actually also, along with another Deputy AG, oversee the 
organized crime program, and increasingly the priority of our 
international organized crime program is to go after 
transnational crime groups that involve cyber threats. So there 
is some overlap.
    The other thing I would add is that the 40 attorneys that 
you quoted that are cyber specific, those are the attorneys who 
are in the Computer Crime and IP Section, which I have had the 
honor to supervise. There are a substantial number of other 
attorneys, like in the Fraud Section, who also in the course of 
their fraud work focus on fraud cases that have a cyber 
component.
    Having said all that, it is really undeniable that the 
scope of the problem, which is growing every day, far outpaces 
the resources that are available to pursue it currently. And so 
I think that this is the kind of problem that takes a dedicated 
stream of resources, but it also takes dedicated training and 
expertise so we can keep pace with the methods that our cyber 
actors are using.
    I would add that in the President's 2011 budget, which I 
think now is a collector's item, there was a request for four 
additional cyber attorneys. In the 2012, there is actually a 
request for six, and those six attorneys are CHIP prosecutors, 
computer hacking and IP prosecutors. But for the first time, 
they will be CHIP prosecutors who are placed overseas, I think 
to reflect the recognition that fighting this problem requires 
going beyond our borders to do it.
    The President's proposal, the President's budget proposal, 
would put six of these CHIPs, who we would call ICHIPs, 
international CHIPs, in regions throughout the world that have 
a high concentration of cyber crime and IP theft activity so 
that they can not only help American prosecutors at home on 
their cases but also help those contractors beef up their own 
capacity to pursue cyber criminals in their own borders.
    Chairman Whitehouse. My time has expired, but let me ask 
just one more question before I turn to Senator Kyl because 
there is also field staff, attorneys out in the U.S. Attorneys' 
Offices, who are dedicated to this. But it is my understanding 
that the--if you could confirm this, it is my understanding 
that the AUSAs who are your cyber designees are obliged to 
participate in conferences on cyber, be a point of contact for 
the office on cyber; if there are conference calls, they are 
the person for the office who would participate, but they need 
not direct their prosecutive attention to cyber cases. They are 
to be deployed as the U.S. Attorney and the first assistant and 
the head of the Criminal Division see fit, and in that sense it 
is something of an overcount to describe them as full-time--it 
would be something of an overcount to describe them as full-
time cyber prosecutors, would it not?
    Mr. Weinstein. I think, Senator, it depends on where--Mr. 
Chairman, it depends on where they are. In some districts, 
especially districts with very active FBI or Secret Service 
cyber squads in them, and with a heavy concentration of these 
cases, the CHIP prosecutors work exclusively on those cases.
    Chairman Whitehouse. But in some they may not----
    Mr. Weinstein. Some districts they may not. And the role 
really has three or four aspects to it. One is to work on this 
case----
    Chairman Whitehouse. Well, since I am over my time----
    Mr. Weinstein. OK.
    Chairman Whitehouse [continuing]. And since I have my 
Ranking Member waiting, let me--we can pursue that in the----
    Mr. Weinstein. OK.
    Chairman Whitehouse [continuing]. Later discussion.
    Senator Kyl.
    Senator Kyl. Well, thank you, Mr. Chairman. These are all 
right-on questions, and in a related area, it is not only 
resources but also authority.
    Agent Martinez, I would like to ask you a question about 
comments you made in your testimony in which you referred to 
going dark, the going-dark problem, whereby there is a gap 
between the legal authority that you have to intercept 
electronic communications and the provider's practical ability 
to intercept those communications. And you quoted and endorsed 
the statement by the FBI Chief Counsel, who had testified in 
the House of Representatives, that there is--excuse me. She 
said, ``There are significant law enforcement challenges in 
light of the pace of technological advancements.''
    Are there specific tools that you think Congress could 
provide you and your counterparts in domestic law enforcement 
and intelligence to better mitigate this problem? Can you share 
them with us today? If not, could I ask all three of you really 
to provide to this Committee your proposals for improving the 
authorities that all of you need to tackle the problems that 
you have identified here today?
    Mr. Martinez. Yes, Senator Kyl, we did endorse Chief 
Counsel's statements on that. We believe that cyber criminals 
are at the tip of the spear when it comes to exploiting 
technology. The types of communications that cyber criminals 
use or have been using for many years are now just starting to 
come into the forefront of crimes being committed by 
traditional criminals. So cyber criminals have been using 
instant message, have been using VOIP systems, have been 
communicating via the computer for many, many years, and we 
believe as technology continues to develop you are going to 
continue to see cyber criminals exploiting that capability 
because they seem to have the most knowledge when it comes to 
utilizing devices like that.
    I believe right now there are several working groups that 
have been established, you know, at the request of the 
administration, both at the legislative level and at the 
technical working group level. The Secret Service participates 
in a technical working group being led by the FBI, and we are 
in the process right now of finalizing some of our 
recommendations that I believe the administration is looking to 
put forward.
    Senator Kyl. Great. We will appreciate that, hearing from 
FBI, Justice Department, and Secret Service, whomever, to 
assist us in giving you the authority you need.
    Assistant Director Snow, I would like to ask you, could you 
explain the FBI's role in the so-called Team Telecom? And then 
I've got a couple specific questions about what I understand 
that team is engaged in, the advisory role to the Federal 
Communications Commission by the FBI. Is that not a term you 
are familiar with?
    Mr. Snow. Sir, I apologize. It is not a term I am familiar 
with. It usually runs out of our Operational Technology 
Division, which would, along with our Office of General 
Counsel----
    Senator Kyl. OK. Well, let me just ask you to generally 
describe concerns that you all have about telecommunications 
computers that have links to foreign governments or foreign 
militaries providing telecommunications equipment, software, 
network management services and the like here in the United 
States.
    Mr. Snow. Sir, I guess the best way to answer that is in 
another forum we could probably go more in-depth, and I would 
be more than willing to provide you the personnel and myself 
and availability to address those questions.
    Senator Kyl. Well, is it fair to say that there is a 
significant concern about this and that you do play a role, 
that the FBI does play a role along with other intelligence 
services in advising our Government departments with respect to 
these threats?
    Mr. Snow. Yes, sir, absolutely. Always a concern from any 
facet, a country adversary that comes in and that would either 
manipulate or use our supply chain to our disadvantage. So if 
so many things in the supply chain, whether it is a counterfeit 
part, a counterfeit CHIP, something that could be implanted, an 
executable piece of malware, a piece of additional code that 
would be in our telecom system.
    Senator Kyl. When you review the offer of such a company to 
open themselves up to third-party or independent review to deal 
with those supply chain kinds of problems, is it possible for 
you to go through millions of lines of software code to make 
100 percent certain that there is not anything malicious built 
in that is capable of being activated at a moment of a cyber 
criminal's or cyber warrior's choosing?
    Mr. Snow. I do not think, sir, that we have that capability 
right now in the U.S. Government to go through millions of 
lines of code. It is very work intensive. I think we know that 
code now is cobbled together from many pieces. I think 
sometimes even the programmers and people that design that code 
are not even sure what is in that code. They will use other 
pieces, freely available pieces on the outside to assemble that 
program. And we do provide under the CFIUS process counsel, 
guidance, direction, and information to the decisionmakers 
across the Government in order to make those decisions, along 
with the Department of Justice that runs the CFIUS program.
    Senator Kyl. I appreciate it. Thank you.
    Chairman Whitehouse. Senator Coons.
    Senator Coons. Thank you, Senator, and thank you to both 
Senator Whitehouse and Senator Kyl for convening this hearing 
today, and to our panel.
    You have all testified to the different ways in which your 
respective agencies are working together with State and local 
law enforcement, and to some extent, the private sector, the 
intelligence agencies, and our armed forces to combat cyber 
crimes, and I am just interested initially in your opinion 
whether States and local law enforcement have the right 
resources, have the right training, have the right capabilities 
to buildup their investigative capabilities as well as their 
defensive capabilities.
    You made reference, Agent Martinez, in your testimony to 
the National Computer Forensics Institute and where the 900 
folks have been trained. I think that is a great start. There 
was also a reference, I think by Mr. Snow, to 42,000 members of 
the FBI's InfraGard.
    If you could, in order to speak to the training standards 
we are trying to hit, the resources State and local law 
enforcement and Government have, and what additional resources 
do we need in order to be able to develop a nationwide 
professional cadre of folks in law enforcement, in the 
intelligence community, and, frankly, in the private sector? 
Please.
    Mr. Martinez. Thank you, Senator. From our perspective in 
law enforcement, what we have basically done is taken our ECSAP 
model--that is a three-tier model, BICEP, NITRO, and computer 
forensics--and we have mirrored that curriculum at the National 
Computer Forensics Institute where we not only teach law 
enforcement but also prosecutors and judges. We are firm 
believers that you not only have to train the agents or the law 
enforcement officers, but you have to make sure that they can 
explain or they can articulate in a layman's term the case to a 
prosecutor who can then also explain the facts in layman 
fashion to a judge who you are going to have to get the 
warrants signed to. So that is why it has been--it is important 
for us to train all three aspects.
    So far, like I stated in my statement, we are over 900. We 
are looking to try to expand the amount of law enforcement 
personnel that we train. What we try to focus on, since we have 
the 31 Electronic Crime Task Forces, we try to focus on 
individuals who are members not only of our task force, but 
potentially a State and local cyber task force or an FBI task 
force because they are in the most need of having this 
specialized training. We believe that by doing that we are 
multiplying our resources, and we can force multiply and work 
investigations not only at the Federal level but at the State 
and local level.
    And like I said, we continue to work with these partners at 
the State and local level to try to get them a better 
understanding of some of the issues with cyber crime and some 
of the ways to tackle the problem.
    Senator Coons. Mr. Snow.
    Mr. Snow. Sir, as Mr. Martinez talked about, the good news 
portion of the story is that we are making progress on trying 
to help assist and train those personnel. I think inwardly, 
though, if we are more reflective, it is a difficult task to 
make sure that all our personnel are trained, not only that 
they are trained but what is the process that we used in order 
to make sure that we keep them current and how we retain those 
personnel.
    So I would not want to classify all State and local law 
enforcement officers as being in the position we were in about 
10 years ago. We talked recently about the going-dark issue, 
and we also talk about how difficult it is to bring those 
people up to speed. But I would say--because I know we have 
very talented individuals from State and local entities that 
are in our regional computer forensic labs that are run 
nationally across the country.
    However, many of those departments and agencies, you know, 
hundreds of thousands of sworn law enforcement officers across 
the country, have a difficult time coming up with that money, 
that training, the availability of their personnel as they try 
just to meet hiring and payrolls.
    Senator Coons. And if I could, just a follow-on question to 
the Deputy Assistant Attorney General, Mr. Weinstein. One of 
the areas I am most concerned about is intellectual property 
theft, particularly trade secrets. American companies are some 
of the most innovative in the world. In your written testimony, 
there was an example of a successful theft from Dow Chemical 
that had significant long-term consequences for them.
    Where are we in terms of providing coordination, resources, 
and standards for training that will help the private sector 
understand how to defend against these threats and then the 
prosecutorial resources to, as you put it, once these better 
locks are broken, actually then capture the CMS who have broken 
them?
    Mr. Weinstein. Well, Senator, perhaps in IP crime, unlike 
any other type of crime, we rely heavily on the victim 
companies to report the crimes to us and to be able to 
recognize them when they occur, then to provide us with access 
to the information we need to successfully investigate and 
prosecute them.
    One of the things that CCIPS does in conjunction with the 
CHIP prosecutors throughout the country is conduct extensive 
outreach with potential victim companies in various regions. In 
the Pacific Northwest it might be Microsoft, or computer 
companies in Delaware and other States, it may be, you know, 
companies that are the significant industries in those States. 
And what we try to do is explain to them where the risks are, 
how to recognize when there is a potential trade secret theft 
or other IP crime, and then how to make a referral to us, 
either to us directly or to the FBI or to the IPR Rights 
Center, which is jointly operated by ICE and by the FBI.
    So we do that nationally, and we do that regionally. We go 
region by region throughout the country to try to make sure 
that companies that are at the greatest risk are aware of what 
is going on out there and how to protect themselves from it; 
and then if they are violated, how to report it to us so we can 
pursue it.
    Senator Coons. Thank you.
    Chairman Whitehouse. Senator Hatch.
    Senator Hatch. Well, thank you, Mr. Chairman, Chairman 
Whitehouse. I thank you and applaud you for your efforts in 
this area.
    The distinguished witnesses represent a balance of all 
those affected by cyber criminal and terrorism--Government, the 
private sector, and, of course, academia. For successful cyber 
security policy, we must encourage partnerships among many 
sectors. This cannot be solely a Government-led initiative.
    Now, Mr. Snow, China is directing the single largest, most 
intensive foreign intelligence gathering effort since the cold 
war against the United States. Methods for conducting 
informational warfare to advance the goals of a nation state 
might also involve secretly sponsoring terrorists.
    Now, China is often cited as providing Government support 
to computer hackers, and as Richard Clarke, a former White 
House adviser for infrastructure protection and 
counterterrorism, discusses in his book, ``Cyber War,'' the 
Chinese military has placed a new emphasis on information 
warfare methods. Specifically, they have proposed to attack 
enemy financial markets, civilian electricity networks, and 
telecommunication networks by way of computer viruses and, of 
course, hacker detachments.
    Now, it remains very difficult to determine the true 
identity, purpose, or sponsor of a cyber attacker. Can you tell 
me, does the FBI have sufficient capability to identify an 
attack that is state sponsored versus a criminal enterprise?
    Mr. Snow. Senator, obviously, once again, in a different 
forum we can go more in-depth to your question, but let me 
answer it in a form that I can today.
    Senator Hatch. Sure.
    Mr. Snow. Through the National Cyber Investigative Joint 
Task Force, which I mentioned in my opening statement, we have 
18 intelligence community agencies and others there. We use a 
concept that is called the threat focus cell concept where we 
bring all individuals from the community that would address a 
threat. The successes that we have had have been many. The 
problem with it is that there are still some very high profile 
cases that we have seen just by looking through the Wall Street 
Journal and any other media outlet we have out there where we 
still do not know to this day who the attacker is, what state 
we can attribute it to, or who that person behind the keyboard 
was, who that human person was that actually controlled that 
attack or directed that attack.
    Senator Hatch. Mr. Martinez, several months ago, as 
Chairman of the Senate Republican High-Tech Task Force, I 
requested that the Secret Service provide an extensive briefing 
on transnational organized crime and international cyber 
investigations. I thought that briefing was pretty helpful. 
Now, while that briefing was not classified, it certainly was 
law enforcement sensitive and provided the task force members a 
fantastic overview of the transnational crime groups, primarily 
located in Russia and Eastern Europe.
    During that briefing Secret Service officials profiled a 
particular hacker known as ``BadB,'' who was an accomplished 
hacker in Russian cyber crime circles. Fortunately, he was 
arrested overseas based on the investigative work of the Secret 
Service.
    Now, I want to take this opportunity to applaud you and the 
Secret Service for its work in that case and others, including 
the Nation's largest identity theft case that occurred at TJX 
and Heartland Systems. That case had an extensive international 
cyber crime connection.
    Now, No. 1, what presence does the Secret Service have 
overseas in countries such as China and Russia? And, No. 2, 
what other mechanisms does the Secret Service have in place to 
identify countries with the potential for cyber crime?
    Mr. Martinez. Thank you, Senator Hatch. Yes, the Secret 
Service has, I believe--and it is in my written statement. I 
believe it is 22 overseas offices. And in countries where we do 
not have an office, we take a regional approach where we have 
agents that are specifically assigned to those countries. We do 
have an office in Russia, and I am glad to announce that 2 
weeks ago we got our long-term visa to open up our office in 
Beijing, so we are very happy about that.
    In addition to that, though, we rely a lot on our foreign 
law enforcement partners, and as I stated earlier, we have two 
foreign electronic crime task forces. So what we have done is 
we have taken the concept of the domestic Electronic Crime Task 
Force that Congress enacted back in 2002, and we have used that 
same approach to our overseas offices. In doing so, we 
collaborate a lot with our foreign law enforcement partners. 
Just like the FBI does, we have agents embedded into cyber 
crime units, and specifically agencies in specific hot spots 
around the world.
    We believe it has been very successful, and we have 
capitalized on the relationships and partnerships with these 
law enforcement organizations in order to apprehend some of 
these high-value targets.
    But in addition to that, one of the things we have recently 
done, as we did last year, we did what is called the Verizon/
Secret Service 2010 Data Breach Investigative Report, where we 
take information for our investigations and we publish that out 
to the private sector. Well, the 2011 study that is about to 
come out in 2 months not only includes data from Secret Service 
and Verizon investigations, but it also includes information 
from the National High-Tech Crimes Unit in Holland.
    So, once again, there we are leveraging the resources and 
the abilities of our foreign law enforcement partners, and the 
lessons learned, the best practices, and the information that 
we have obtained through our criminal investigations, we are 
pushing that out to the private sector through things such as 
the DBI Report.
    Senator Hatch. Mr. Chairman, could I just make a short set 
of remarks?
    Chairman Whitehouse. Of course, Senator.
    Senator Hatch. Thank you very much, both of you. I did not 
have time to ask you any questions, Mr. Weinstein, but I 
appreciate the work you are doing.
    There is no doubt that we need to have a coordinated effort 
between Government and the private sector to address cyber 
crime abroad, and that is why last Congress I introduced, with 
my colleague Senator Gillibrand, an international cyber crime 
bill.
    Now, our common-sense approach was widely supported amongst 
those who are affected by these crimes on a daily basis. In the 
coming weeks we plan to introduce this bill which will improve 
and strengthen the Government's response to international cyber 
crime. I would like you to look at that and tell us where we 
can make it better and what your suggestions are for us so 
that, when we introduce it, it will be truly something that 
will be bipartisan and everybody can support.
    Thank you, Mr. Chairman. I appreciate it.
    Chairman Whitehouse. Of course, Senator.
    Our next questioner is not only a distinguished member of 
this Committee but also the Chairman of the Intelligence 
Committee. Senator Feinstein.
    Senator Feinstein. Thank you very much. I want to thank 
you, Senator Whitehouse for your work in this area. As Chair of 
Intel, I asked you to head a cyber task force, along with 
Senator Mikulski and Senator Snowe, and I want everybody to 
know that the three of you did a wonderful job, and our 
information is much fuller and richer because of it. So thank 
you for the work.
    One of the things that apparently you accomplished was the 
declassification of a lot of material of some of the robberies 
that had taken place going back to 2008 that we on Intel knew 
about--excuse me, I have a cold--but could not talk about. And 
on January 3rd of this year, the Director of National 
Intelligence wrote you a letter essentially saying that we have 
compiled unclassified and in some cases declassified material 
designed to explain the variety of cyber threats and to provide 
real-world examples of damage in non-technical terms.
    This was provided to the Congress and other elements of the 
executive branch. I want to go over some of it which has now 
been declassified.
    In 2008, the Royal Bank of Scotland lost almost $10 million 
withdrawn from ATMs in 49 cities worldwide.
    Citibank, a cyber theft scheme resulted in over $10 million 
in losses. Now, that is according to news reports.
    Nationwide retailer T.J. Maxx, 45 million credit and debit 
cards stolen in 2007.
    Heartland Payment Systems, tens of millions of credit card 
numbers compromised in 2009. And it goes on and on and on.
    Mr. Snow, I believe in your testimony you indicated that in 
2010 you arrested 202 individuals for criminal intrusions, up 
from 159 in 2009, and obtained a record level of financial 
judgments for cases amounting to $115 million compared to $85 
million in 2009.
    Now, we have looked at some of this and seen a lot of 
attacks coming from Russia, from criminal elements in Russia, 
from China, and from other countries, but I think those were 
the two big ones.
    I would like to ask this question: Where do you see the 
majority of major attacks emanating from? And what is being 
done to stop this?
    Mr. Snow. Senator, right now we see on the criminal side a 
majority of attacks coming from the individuals that are 
located in Russia, obviously different from the Russian state, 
and Eastern European countries. We see a very strong network of 
a cyber underground, very closely associated with almost an 
eBay or an Amazon type system where, you know, once you receive 
a service from one of these cyber criminals, which are able to 
just combine together in chat rooms in this cyber underground, 
which are allowed to buy different pieces that they need to 
carry out the attack, to execute the attack, to have the 
cashers, the mules to receive the funds from the attack. They 
are all graded and rated.
    So we see that very large part of the world that is 
extremely connected being an area where a lot of the threat is 
coming from on the criminal side right now.
    Senator Feinstein. How many arrests have been made? And how 
do they get made? And how do individuals get prosecuted?
    Mr. Snow. They get prosecuted--and I will refer back to DOJ 
after I finish my statement, but they get prosecuted in 
different realms. Some countries, depending on what the MLAT or 
the extradition treaty is, will either agree to extradite an 
individual if we have provided the information for them. As Mr. 
Martinez talked about, with the collaboration that we are 
working with these other countries, some will abide by the 
extradition treaties that we have and bring the people back 
here to the United States.
    Senator Feinstein. Are the Russians cooperative in that 
regard?
    Mr. Snow. We have not had the Russians--they have been 
cooperative in the joint prosecution arena.
    Senator Feinstein. Have any Russian Mafia people been 
arrested and prosecuted?
    Mr. Snow. I would defer the Mafia side, but are you talking 
cyber organized crime?
    Senator Feinstein. Yes.
    Mr. Snow. Yes, ma'am.
    Senator Feinstein. And has Russia cooperated with the 
United States in going after them?
    Mr. Snow. Russia has helped in large part in many of the 
cases that we have been involved in. We have exchanged 
information with the Russian individuals that work cyber crime, 
and we are still working on those types of relationships with 
them.
    Senator Feinstein. Thank you very much. Thank you. I am 
glad to hear that.
    Thanks, Mr. Chairman.
    Chairman Whitehouse. Thank you, Chairman Feinstein.
    Next is Senator Klobuchar, then Senator Blumenthal.
    Senator Klobuchar. Well, thank you very much, Chairman 
Whitehouse, for holding this hearing, and I truly believe that 
protecting our Nation's cyber infrastructure is critical as we 
increasingly depend on it for everything from paying our 
utility bills to our financial services.
    The innovation surrounding a free and transparent Internet 
has been great for our economy, but we have also opened 
ourselves up to risks, and those are risks that, unfortunately, 
criminals try to exploit.
    I am working with Senator Hatch on a cloud computing bill, 
and we hope to introduce it soon. And I really do see that 
cloud computing has the potential to alleviate some of the 
concerns in the cyber security field, particularly by 
introducing economies of scale and making sophisticated 
protection available to all users on the cloud. However, it 
also raises some unique diplomatic issues because data is being 
stored in multiple countries.
    Could you talk, maybe Mr. Weinstein, about issues of 
international jurisdiction faced by your agencies when 
investigating cyber crime or, Deputy Director Snow, involving 
cloud computing? And would better international agreements be 
helpful to enforce the rules?
    Mr. Weinstein. We flipped and I won.
    Senator Klobuchar. I noticed that, yes.
    Mr. Weinstein. Senator, I cannot speak specifically to 
international issues involving cloud computing. It is a 
relatively new phenomenon, at least known by that name. But I 
can say that, as a general matter, it is increasingly important 
that we have strong agreements, international agreements, 
either multilateral or bilateral agreements, with our foreign 
law enforcement partners because so often the targets or the 
instrumentalities of the crime are located overseas, even if 
the data is not overseas.
    For example, in the cases that Senator Feinstein just 
mentioned, in the TJX intrusion, the servers that the data was 
stored on, the primary hacker was located in Florida. But the 
data was stored in Latvia and Ukraine.
    Senator Klobuchar. Right.
    Mr. Weinstein. In the Heartland case that Senator Feinstein 
mentioned, some of the servers were--there were three servers 
in the United States, or in three States of the United States; 
but servers were also in Latvia, Ukraine, and the Netherlands. 
In the RBS case, some of the targets and evidence was in eight 
different countries.
    What makes the RBS case useful, I think, as an example, 
though, is that the intrusion was reported to us by the victim 
company in December of 2008, and the indictment was brought in 
November 2009. So in less than 11 months, the FBI, working very 
closely with foreign law enforcement, managed to get the 
evidence we needed, even though it was across our borders, 
identify the targets, put fingers at the keyboard, and actually 
bring charges. And, in fact, BadB, the hacker that Senator 
Hatch made reference to, is now indicted in that case and is 
pending extradition.
    So when we have got those agreements in place and when the 
foreign country we are working with has the will, the capacity 
and the will--because you have got to have both--we can be very 
effective. Too often the countries have the will but not the 
capacity, and that we can deal with because we can devote 
resources, as we do, to training them and to helping them 
strengthen their own criminal laws and then to developing 
international agreements in which they work with us. If they do 
not have the will, there is a limit to how much we can do.
    One thing we do do throughout the world is try to get as 
many countries as possible to accede to the Convention on Cyber 
Crime, which we think is a very useful international framework, 
one that provides a very strong foundation for international 
cooperation in these cases.
    Senator Klobuchar. Now, I know a lot of my colleagues have 
asked you about resources and how that would be helpful. How 
about legal changes? Are there changes that we could make to 
current law? What would you have on your top list of things 
that would be helpful as we battle this new-found crime?
    Mr. Weinstein. Well, I can say that we have got some ideas 
about some potential changes to 1030 that we are discussing and 
working on, and as soon as they are done, we will be pleased to 
bring them to your attention and to work with you on them, as 
well as any other ideas that you have.
    Obviously, we are watching and very eager to be engaged on 
the ECPA debate. I know you had a hearing on that where Mr. 
Baker and others testified last week because changes in ECPA 
actually--if standards are increased in such a way that puts 
information out of the reach of law enforcement, it makes it 
very difficult for us to investigate and prosecute cases 
against cyber criminals who threaten Americans' privacy. So we 
are very eager to engage in that debate.
    And as you may know, there is an interagency process that 
is moving at a fever pitch to develop some cyber security 
legislation. I would not say it has been at a fever pitch 
throughout its life, but I can tell you that in the last 6 
weeks it has.
    Senator Klobuchar. When did it start, Mr. Weinstein?
    Mr. Weinstein. It started a while ago.
    Senator Klobuchar. OK.
    Mr. Weinstein. The fever pitch started more recently.
    Senator Klobuchar. OK.
    Mr. Weinstein. But, you know, we have got people who are 
literally working around the clock, judging by the time at 
which they are e-mailing me in the middle of the night to try 
to get proposals ready to present to you, and so I think that 
will happen very soon.
    Senator Klobuchar. Are you satisfied with the criminal 
penalties in place for engaging in cyber crime?
    Mr. Weinstein. Well, one of the ideas we do have involves 
some streamlining and strengthening some of the penalties that 
are provided in 1030. As I said, that proposal is still baking, 
and when it is fully cooked, we will be pleased to bring it to 
you and talk to you about it further.
    Senator Klobuchar. OK. I am out of time here, and I will 
just ask in writing Assistant Director Snow questions about the 
work with the private sector. Minnesota is home to Target and 
Best Buy and several major companies that deal with this all 
the time, and so I am interested in that issue. I actually 
visited McAfee, their offices in Minnesota, and the work that 
is being done there.
    And then I also will, for the record, Mr. Martinez, follow 
up on some questions with you as well.
    Mr. Martinez. Absolutely.
    [The questions of Senator Klobuchar appears under questions 
and answers.]
    Senator Klobuchar. Thank you very much.
    Chairman Whitehouse. Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman.
    I would like to join in thanking Senator Whitehouse for 
holding this hearing and for his interest and effective action 
in this area.
    You know, we have been talking a lot about enforcement and 
about potential changes in the law, and if I have time, I would 
like to return to that subject. But I was very interested in an 
observation made by one of the people who is going to follow 
you in talking to us today, John Savage, who is a professor at 
Brown, who says in his testimony, and I am going to quote, 
``Computer industry insiders have solutions to many cyber 
security problems, but the incentives to adopt them are weak, 
primarily because security is expensive and there is no 
requirement they be adopted until disaster strikes.''
    Now, I have been involved in enforcement relating to this 
issue, and I do not mean to minimize your efforts. In fact, I 
think they have been heroic and remarkably effective, both at 
the Federal level where you work and often at the State level. 
But don't the holders of this information--and I am thinking of 
Epsilon, for example, most recently the supposed victim of a 
major breach--have a greater obligation to do more to safeguard 
this information? And how do we create those incentives that 
Professor Savage mentions to make your job more effective? I 
will not say ``easier'' because nothing can make your job 
easier, and I have great admiration for what you do. But how do 
we create those incentives so that private companies are more 
partners of yours in this enforcement effort? And I ask that of 
all three of you, and I will let you go in whatever order you 
would like.
    Mr. Martinez. I will take it. Senator----
    Senator Blumenthal. And, by the way, you may disagree with 
Professor Savage, too. I am not assuming that you will 
necessarily agree.
    Mr. Martinez. Senator, I believe also Mr. Weinstein spoke 
about a proposed package that is forthcoming here to Congress 
regarding a comprehensive number of cyber bills that all three 
organizations sitting at this table have been involved in the 
crafting.
    One of those proposals involves data breach legislation, 
and I think it is important for us to create a national data 
breach bill so that we do not continue to have this myriad of--
I believe right now there are 47 individual State data breach 
requirements, all of which are unique and all of which have 
different reporting requirements. So I think it is important 
that we do have a national data breach bill.
    As part of that national breach bill, I think it is 
incumbent and it should be required that if companies do have 
an intrusion, they not only notify the consumers or the victims 
whose information might have potentially been stolen, but that 
they also notify the Government and that the Government be 
notified of the fact that there has been an intrusion.
    To the point of the professor's, the other part that I 
think is important in the legislation--and I think the 
administration is going to be addressing that--is that there 
also be a safe harbor for those computers that have protected 
the information in a proper way. So even though they have an 
intrusion but the information is protected, that they 
themselves be protected via some type of safe harbor so that 
civil action might not be taken.
    I think in the package of legislation that the 
administration is finalizing, you are going to see all three 
aspects of that in that legislation.
    Mr. Snow. And, Senator, I would just add that I would echo 
Mr. Martinez's comments, and I would also say that I do not 
think anything in the professor's statement is wrong. I think 
the professor is exactly right. But a little bit closer 
scrutiny of this statement would say something that is really 
important, and that is that many of these people have many of 
the solutions for many of the problems and understand that it 
is a multi-layered, multi-faceted problem. To throw a few 
solutions at some of the problems does not solve all the 
problems. So we have to understand.
    Right now I do not think there is any secure system out 
there. I think it takes a defense in-depth layering, and I 
think that is something that we have to work on.
    On his point of weak incentives, I think he is exactly on 
point. You know, I will go back to the bank robbery days that 
the FBI was going from place to place. Just getting somebody to 
put in a new VCR was extremely difficult because that was 60-
odd-some dollars at the time, and that did not do anything but 
take away from the security budget.
    I think that is the same thing we see in businesses right 
now. That security that we layer that we think is essential is 
not really put in place until there is a tragic incident, an 
embarrassing incident, an incident that costs them close to a 
huge concern about them being a continuing entity or a going 
concern.
    Senator Blumenthal. Mr. Weinstein.
    Mr. Weinstein. I do not have anything to add to what Mr. 
Martinez and Assistant Director Snow said other than to 
emphasize that it has to be both incentives for companies to 
protect themselves against breaches--and I do think that most 
companies, especially those that operate in good faith and care 
about their business reputations, do want to protect 
themselves--but also, as Mr. Martinez said, to report the 
breaches when they do happen.
    I anticipate, although the shape of our package of 
proposals is still being formed, but I do anticipate there will 
be something about data breach reporting in that package, and 
we look forward to working with you on that.
    Senator Blumenthal. Well, I would be eager to work with. As 
you may know, Connecticut is one of those States that has a 
reporting requirement. I have asked for Epsilon to provide 
credit reporting services as well as identity theft insurance, 
which has been standard in what Connecticut at least has asked 
the companies that had this information that may have been 
breached to do in the past and has also sought penalties. So I 
might just suggest, without commenting on Epsilon or any other 
particular instance, that providing these incentives for 
adoption of this technology is something that is worth your 
very serious and positive scrutiny.
    Thank you.
    Chairman Whitehouse. We will go very shortly to the next 
group of witnesses, and I will excuse this panel. I do have a 
question for the record that I would like each of you to take 
with you and answer for me, and I think Senator Kyl will do his 
in writing.
    Assistant Director Snow mentioned the high level of 
activity of the sort of eBay type situation of the Russian-
based hackers and criminals who are working on this, and I am 
reminded of the lawsuit that was brought by Microsoft against 
the Waledac botnet, which was able to obtain a court order 
involving the legitimate Internet world--the domain providers, 
the ISPs and so forth--to cut off service from the command-and-
control nodes of that botnet so that it no longer was 
operative. And it strikes me that without actually doing 
criminal prosecutions of folks, we could be very aggressively 
hunting down these criminals and these attackers on the Web and 
disabling them with civil injunctive measures that require the 
ISPs, the domain registers, and so forth to stop providing 
service in certain components or to certain addresses or to 
certain types of transmissions from addresses. And because 
virtually all of this flows through the United States at some 
point, jurisdiction should be fairly easy to get compared to an 
unknown hacker who is working through a server in Estonia that 
links to a server in the Ukraine that links to a server 
somewhere else before it even gets here.
    So I would like to hear from each of you as to what extent 
your organization's cyber resources are empowered to support an 
active criminal defense that uses civil law to shut down some 
of these activities by authorizing the service providers to 
engage with court permission, protected from liability because 
of that, in a way that disables this. OK. Clear?
    [The information appears as a submission for the record.]
    Chairman Whitehouse. And Senator Kyl will do his for the 
record.
    [The questions of Senator Kyl appear under questions and 
answers.]
    Chairman Whitehouse. So with gratitude for your service and 
for your focus on this very significant problem, I will excuse 
this panel, and we will take a 2-minute recess while the next 
panel convenes. Gentlemen, thank you all very much.
    [Pause.]
    Chairman Whitehouse. Let me call the new panel to order, 
and thank you all for being here. Let me first ask that you 
stand and be sworn. Do you affirm that the testimony you will 
give in this Committee will be the truth, the whole truth, and 
nothing but the truth, so help you God?
    Ms. Schneck. I do.
    Mr. Savage. I do.
    Mr. Baker. I do.
    Chairman Whitehouse. Thank you. Please be seated.
    Welcome. We will begin with Phyllis Schneck, who comes to 
us from McAfee, where she is vice president and chief 
technology officer for their global public sector operations. 
Previously, she was vice president for threat intelligence for 
McAfee. She served as a commissioner and a working group co-
chair on the public-private partnership for the CSIS Commission 
to Advise the 44th President on Cyber Security, which I am 
proud to say was a report co-authored by my colleague in the 
Rhode Island delegation, Congressman Jim Langevin. Ms. Schneck 
also served--Dr. Schneck, I should say, also served for eight 
years as Chairman of the National Board of Directors of the 
FBI's InfraGard program, which has already been mentioned 
today, and vice president of research integration at Secure 
Computing. She has a Ph.D. in computer science from Georgia 
Tech.
    Ms. Schneck.

 STATEMENT OF PHYLLIS SCHNECK, PH.D., VICE PRESIDENT AND CHIEF 
TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, MCAFEE INC., RESTON, 
                            VIRGINIA

    Ms. Schneck. Chairman Whitehouse, Ranking Member Kyl, and 
other distinguished members of the Subcommittee, thank you for 
requesting McAfee's views on responding to the threat of cyber 
crime and cyber terrorism. Your Subcommittee is playing a vital 
role in cyber security, helping to investigate sophisticated 
syndicates of criminals and terrorists who deploy cyber attacks 
to finance their operations and undermine the security of our 
country. Thank you for your commitment.
    My testimony will focus on the following three areas: the 
evolution of the cyber security threat landscape, as that has 
changed over the past few decades; two major cyber security 
attacks--Operation Aurora and Night Dragon--McAfee's technical 
response to the cyber crime challenge and the implications for 
national security from those attacks and others that look just 
like it as we look at the future of our cyber security and 
resilience in this country; McAfee's commitment to partnering 
with law enforcement and the law enforcement community; and 
policy recommendations to support law enforcement and improved 
public-private collaboration and information sharing that is so 
vital to give the Government the capabilities that it needs to 
respond to this modern cyber security challenge.
    First, a rollback on McAfee and our definition of cyber 
crime for this testimony. McAfee protects businesses, 
consumers, and the public sector worldwide from cyber threat. 
Headquartered in Santa Clara, California; Plano, Texas; and a 
large operation in Minnesota, McAfee is the world's largest 
pure dedicated cyber security company, and McAfee is a wholly 
owned subsidiary of Intel Corporation.
    Today we use the term ``cyber crime'' to cover the act of 
using electronic means to gain unauthorized access. As we heard 
in the last hearing, cyber crime covers the spectrum, from 
simply gaining notoriety to pooling funds, for organized crime, 
now to intellectual property, and destruction--destruction of 
critical infrastructure--with the very far end of the spectrum 
some are calling ``cyber terrorism.''
    Our overall key challenge is that the profit model benefits 
the cyber adversary: very low barrier to entry, this stuff is 
easy for them; and very, very strong reward, often large 
amounts of money; often destruction; very, very little 
attribution.
    This adversary is fast. This adversary works faster than we 
do. They build relationships, they build trust. As was 
mentioned in the last hearing, the cyber underground, they know 
how to share information. They have no intellectual property 
boundaries, no legal boundaries, very often funded fully by 
their government. No problems to execution.
    As we have evolved in the cyber security threat landscape, 
the traditional model of defeating malware, which is basically 
an instruction that commands a machine to do now whatever the 
adversary desires, and whenever, and send back whatever the 
adversary desires, our traditional signature model does not 
work.
    For the past decade, the industry has looked at 
understanding what could come in, recognizing what is wrong, 
and blocking it, just like a vaccine would block a cold from 
your body or a disease.
    So we look at 50,000 new pieces of malware every day in 
McAfee labs. We have seen many of the sites that were described 
earlier in the cyber underground. We track the criminals. We 
see this adversary, and we propose two key technologies that we 
believe are the future to cyber security technology on the 
technical side, understanding that this is half a people 
problem, half a technology problem. These key technologies are:
    Whitelisting, which is very simply closing the door. If you 
are not an approved instruction, you do not run. It no longer 
matters how many bad-guy instructions are on a machine. If you 
are not known to be good, you simply do not run.
    The second one being global threat intelligence, behavioral 
understanding to build the cyber immune system, just like your 
body fights off a cold or disease without knowing its name 
automatically, we believe our networks should be a lot smarter 
and pull data from our companies and others across the 
financial field and the energy sector, across the critical 
infrastructure to block bad things from coming into networks.
    Two major attacks this year that McAfee led for 
investigation: Operation Aurora and Night Dragon. In January 
2010, Operation Aurora was exposed for having compromised 
Google and 30 other companies. This year, Night Dragon.
    In Operation Aurora, the adversary was looking for 
intellectual property. Very large stores of IP and software, 
and they identified exactly who in those companies would have 
it, and they got it by social engineering their way in and 
getting those people to answer an instant message.
    In Night Dragon, they targeted the oil and gas industry 
across the world looking for architectural documents, 
pipelines, and looking at where the new oil exploration would 
occur.
    McAfee is fully committed to partnering with law 
enforcement. We have a long history, my own having run the 
FBI's InfraGard program nationally on the private sector side 
for 8 years. I also chair the National Cyber Forensics and 
Training Alliance. My colleagues, thousands of them working in 
partnership with law enforcement every day at the Federal, 
state, and local levels, assisting with investigations, working 
closely with the intelligence community, also building strong 
relationships with the FBI and Secret Service across our 
partners.
    We recommend in policy more budget to fund our law 
enforcement colleagues, greater situational awareness in this 
data, and stronger global partnerships, protect the private 
sector so that we can release data very quickly without 
worrying about material benefits for shareholders.
    Thank you again for the opportunity to be a part of the 
process in fighting cyber crime with law enforcement and 
Government relationships. I look forward to your questions and 
continued discussion.
    [The prepared statement of Ms. Schneck appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you, Dr. Schneck.
    Before I go on to Dr. Savage, since you referenced the 
Night Dragon report, I would, first of all, like to compliment 
it. It is the clearest, most trenchant, accessible document I 
have yet read in a lot of reading that I have done about cyber 
security. Anybody who is watching this or listening to this and 
has not had a look at that, it is a really, really good 
document, both in terms of the overlay, the sort of 
contextualization of this as a rapidly emerging threat with 
rapidly increasing sophistication and multiplication of 
incidents, but also as a quite clear layman's description of 
how the attack takes place right down to showing the screens on 
the computer that you would see as you go through the attack.
    So what I will ask is unanimous consent that that report be 
made a matter of record for this Committee hearing, and we can 
provide a copy because I have got it. But I do applaud that. I 
think that is a very, very clear, useful document, and thank 
you very much for preparing that.
    [The report appears as a submission for the record.]
    Chairman Whitehouse. Also, unlike most of the stuff that is 
put out here, it was unclassified and not kept proprietary. One 
of the real problems in this area is that we know so little 
about it because if it is the Government it is classified, if 
it is the private sector it is held proprietary, and the public 
is kept, unfortunately, ignorant of the actual threat. So I 
think you did a real service with that, and I thank you.
    Ms. Schneck. Thank you, Chairman Whitehouse. Would it be 
out of line for me to point out that report was written by my 
colleague, Dmitri Alperovich, in the row behind me.
    Chairman Whitehouse. No, it would not be. It would be very 
appropriate, and I am glad that he is here for this. I guess I 
lucked out by saying nice things about it instead of bad 
things.
    [Laughter.]
    Chairman Whitehouse. And now from the great State of Rhode 
Island, from a university we are very proud of, Brown 
University. I am delighted to have the chance to introduce Dr. 
Savage. He is a professor in the Department of Computer Science 
at Brown, currently conducting research on cyber security, 
computational nanotechnology, the performance of multi-core 
chips, and reliable computing with unreliable elements.
    It sounds like something we try to do here in Congress.
    Dr. Savage served as a Jefferson Science Fellow in the U.S. 
Department of State during the 2009-10 academic year. He earned 
his Ph.D. in electrical engineering at MIT, after which he 
joined Bell Labs and then the faculty at Brown where he co-
founded the Department of Computer Science in 1979. He has 
multiple clearances and knows a lot about this.
    Dr. Savage, thank you. Please proceed.

  STATEMENT OF JOHN E. SAVAGE, PROFESSOR OF COMPUTER SCIENCE, 
           BROWN UNIVERSITY, PROVIDENCE, RHODE ISLAND

    Mr. Savage. Thank you, Chairman Whitehouse and Ranking 
Member Kyl and members of the Subcommittee.
    As you have heard, the Internet which is so important to 
our economy, also exposes us to great risks. I have a few 
statistics that highlight this, fact. Last year it was reported 
that more than half of all the computers worldwide were 
compromised. This means that each of these computers is not 
only capable of being used to steal personal, corporate, or 
Government data; they can also be marshalled into botnets and 
used for nefarious purposes.
    For example, the Mariposa botnet is reported to have 
controlled a remarkable 12.7 million computers, distributed 
across 190 countries, before it was silenced in early 2010. If 
a botnet of this size were used to launch a denial-of-service 
attack, it could wreak havoc on the Internet. More importantly, 
if deployed to disrupt Internet routing tables using a 
technique discovered and announced in early February, experts 
say that routing on the Internet could be severely disrupted.
    I cite these examples to illustrate some of the damage that 
could be done via the Internet. If we add to the mix that some 
important control systems, such as those used for electrical 
power generation, can also be attacked, destroyed, or disabled 
by the Internet, we see that hazards lurk here that were 
unanticipated when the Internet was designed. The Internet, 
which has contributed so much to our economic strength, allows 
us to more tightly integrate segments of our economy; thus, 
attacking the Internet is a way to attack large portions of our 
economy.
    Because cyber crime and terrorism are international in 
nature, they both require a domestic and international 
response. We must elevate our domestic security standards in 
our hardware and software networks. We cannot tolerate having 
several times more botnets than any other nation, nor large 
numbers of compromised computers. We also need to better 
control the supply chain as well as strike international 
agreements to curb abuses that originate at foreign sites.
    So we ask: What steps can we take as a Nation?
    First, we should create the incentives and, if necessary, 
regulations to design and improve computer security. Any 
proposed regulations should be developed through a consultative 
process involving those being regulated.
    Second, the private sector and individual citizens need to 
be educated to the need to keep their systems current with 
security standards.
    Third, steps should be taken to make the domain name system 
more robust by accelerating the adoption of the domain name 
system security extensions.
    Fourth, understanding that our Nation faces a serious 
deficit, we must nevertheless maintain strategic and targeted 
funding for cyber R&D. In the policy dimension, we should 
engage in a national conversation on the types of international 
agreements that will best serve our cyber security interests. 
Many interesting ideas have been proposed that should be 
debated. Leading thinkers have said that the U.S. is not 
sufficiently engaged in international negotiations to our 
detriment.
    Some may ask: Can we manage these problems? Are these 
problems manageable? My answer is yes. I liken our computers to 
our homes. A determined attacker can easily break into them. So 
why aren't most of our homes invaded more often? Apparently 
because the locks are good enough, the neighbors sufficiently 
vigilant, uniformed police officers are sufficiently visible, 
and the punishment if caught and convicted sufficiently onerous 
to deter attackers. We need to arrive at a similar state in 
cyberspace.
    Many of us are struggling to understand, from both policy 
and technological points of view, these issues. There are few 
technologists conversant with policy and few policymaker 
sufficiently knowledgeable about technology. Thus, there is an 
opportunity here to bring the two camps together.
    In the early days of the cold war, strategy development is 
said to have lacked sophistication. However, once the 
insightful analysts studied the issues, a more mature approach 
to policy emerged. The same must be done for cyber security 
policy.
    In closing, let me say that cyber security research is very 
young. While some profoundly interesting results have been 
developed, many challenges remain. Since cyber security plays a 
central role in our economy and is an important branch of 
national security, it deserves to be given priority for 
strategic, targeted research funding in both the technological 
and policy realms.
    Thanks, and I am happy to answer your questions.
    [The prepared statement of Mr. Savage appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you, Dr. Savage.
    Our final witness is Stewart Baker, a partner in the law 
firm of Steptoe & Johnson, where his practice covers national 
and homeland security, cyber security, electronic surveillance, 
law enforcement, export control, encryption, and related 
technology issues. From 2005 to 2009, Mr. Baker served as the 
first Assistant Secretary for Policy at the Department of 
Homeland Security, where he oversaw the office responsible for 
department-wide policy analysis, international affairs, 
strategic planning, and relationships with the private sector. 
From 1992 to 1994, Mr. Baker was General Counsel of the 
National Security Agency.
    Thank you for being with us.

STATEMENT OF STEWART A. BAKER, PARTNER, STEPTOE & JOHNSON, LLP, 
                        WASHINGTON, D.C.

    Mr. Baker. Thank you, Mr. Chairman, Ranking Member Kyl, 
Senator Blumenthal.
    I should say the one other credential that was left off of 
my biography is that I am Brown Class of 1969.
    Chairman Whitehouse. Very important credential to the 
Chairman. Thank you.
    Mr. Baker. I would like to spend a little time on--I talked 
in my testimony about how bad this problem is. It is worse even 
than we have heard today because there really are very few 
barriers to a substantial increase in cyber attacks and cyber 
crime. I laid out in my testimony the many things that we had 
hoped will save us that will not.
    Blaming Microsoft is not going to save us because almost 
all of the software that is being used today has similar flaws. 
Trying to use tokens, which many of us believe would save us 
instead of passwords, increasingly have been compromised by 
hacking attacks and by realtime exfiltration of those token 
credentials.
    We are not even going to be able to save ourselves if we 
call people up and say, ``Did you really send me this e-mail? 
'' Because that kind of out-of-band confirmation of the sort 
you get with your credit card is increasingly at risk as we 
move to IP telephony, which will have all of the problems that 
ordinarily computers have as well.
    Disconnecting from the Internet, which we also are not 
going to do, is not going to solve this problem because the 
agencies that have tried doing that--the Defense Department, 
the Iranian Natanz centrifuge plant--have, nonetheless, been 
compromised by attacks that use thumb drives and other media as 
a way of transporting the compromising software.
    What many of us hope to rely on, the anonymity that nobody 
is really particularly looking for me, is also not going to 
save us because, increasingly, it is possible to essentially 
infect the world and then ask your malware to run in the 
background until you do something that the crooks think is 
interesting, like log on to a particular account with a private 
equity fund, which indicates you have enough money to be worth 
stealing from, at which point they will start stealing from 
you.
    All of those things are solutions that will not actually 
work. And perhaps most important for this Committee and this 
hearing, law enforcement is, in my view, almost entirely 
helpless at this point. Six more prosecutors are not going to 
address this issue in any significant way, and the principal 
reason for that is that--I thought Professor Savage got it 
right. We do feel safe in our houses, but it is not because the 
locks are perfect. The locks on our houses are much worse than 
the locks that are already on our computers. What is different 
is that there is a realistic possibility of being caught 
committing a crime if you try to break into somebody's house 
and almost no possibility that you will be caught and 
prosecuted if you commit a cyber crime.
    I have suggested a bunch of rather tentative approaches to 
solutions in my testimony, but I would like to just focus on 
one, which is we really need to do a much better job of 
building in attribution and minimizing anonymity on the 
Internet, making it much more difficult for people to do 
business, send e-mails, transmit packets and the like, and be 
confident that they cannot be tracked back to their actual 
identity.
    This is a very difficult task. It is an architectural 
problem that is quite significant. But, in my view, we will not 
solve this problem if we cannot realistically threaten to 
punish the people who are carrying these attacks out. We will 
simply see more and more sophisticated, more and more 
elaborate, and more and more damaging attacks until we begin 
structuring the Internet and structuring the relationship that 
ISPs have with each other and with their customers so that it 
is much more difficult for people to avoid being identified 
when they commit these crimes.
    I will stop there.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you very much.
    We had General Alexander, who I think is a really 
remarkable individual, come to the University of Rhode Island 
yesterday. He came at the invitation of Congressman Langevin, 
who has a very significant role in this area on the House side, 
and Jim Langevin and I talk frequently about this issue because 
I have an interest on our side as well.
    During the course of the discussion, General Alexander said 
that we could--right now our stock markets, our financial 
markets could be taken down, our power grid could be taken 
down. If our power grid were taken down, it would not come up 
quickly. It would not be just like the branch fell on the wire 
outside your house, but do not worry, when the truck comes, the 
power will be back on. It would be much more persistent and 
prolonged than that. He said that the entire financial sector 
is vulnerable and could be compromised, communications 
networks, and that they could interlock. So the scale of how 
bad this could be, if it really gets to the level of full-blown 
cyber war, is really very, very dramatic.
    I am interested--since we have private sector folks here, 
this may seem like a hypothetical question, but I would love to 
get your take on it.
    If you imagine that there is a universe of cyber threats 
out there and within that universe of cyber threats there is a 
group of them about which the Government has awareness--Mr. 
Baker, your old shop has pretty wide awareness, probably wider 
than anybody else in the world, into the criminal ecosystem of 
the cyber world. Within that larger awareness, there is an 
awareness that the private sector has at its best level, at the 
level of McAfee, at the level of Symantec, RSA, and so forth.
    I would love, starting with you, Dr. Schneck, to get your 
sense of what portion of the awareness that NSA has of the 
cyber threat you think the private sector has. Clearly, it is 
going to be a subset. But is it a tiny subset, or is it a 
significant portion? What is your guess on how much visibility 
McAfee and Symantec and the rest of the private sector 
defenders of our private sector corporations have compared to 
the NSA and to the overall picture?
    Ms. Schneck. Thank you, Chairman Whitehouse. I will steal 
some words from AD Snow earlier and ask that we could continue 
part of this answer in a different forum. So clearly there will 
be an overlap between what any Government entity, whether it is 
intelligence, community law enforcement, DHS--would know and 
what the private sector knows. I think we get our intelligence 
differently in some cases. We gets ours from protecting 
customers, so first and foremost, whether the threat is just to 
get a little money or whether it is to destroy the electric 
grid, we block that threat. We stand in front of the target; we 
make sure the threat does not get there. That is our first 
move. That is the in-line, speed-of-light work.
    The second line is the human work. The reason that is so 
hard is because we see all this data come together, and it 
paints a picture. This happened in Night Dragon. And as that 
picture came together, you realize that it is targeting the oil 
and gas sector. At what point can we in the private sector 
share that picture with the intelligence community, with the 
FBI and the Secret Service?
    Chairman Whitehouse. Let me try to focus back on my 
question, and before I give the other two witnesses a chance to 
answer it, would you at least concede that the awareness that 
the cyber defense private sector community has of the threat is 
significantly smaller than the awareness that NSA has of the 
threat?
    Ms. Schneck. So it is hard to answer that question in this 
forum. I think the awareness is different. I do believe there 
is an overlap. I think there is a lot of data in the private 
sector that, if we were able to share that more readily with 
some legal protection, we would protect our country better.
    Senator Whitehouse. Do you understand my question, Dr. 
Savage----
    Ms. Schneck. I do, and I believe----
    Chairman Whitehouse. No, no. I am sorry. I am going on to 
the next witness.
    Ms. Schneck. OK.
    Mr. Savage. I do understand your question, and I cannot 
answer it either because I do not represent either the private 
industry or the intelligence community.
    However, what I will say is I would not be surprised if the 
private sector had access to perhaps more data than the 
National Security Agency simply by virtue of the fact that have 
sold, they sell products to customers worldwide, monitor the 
state of computers worldwide. Although before I do not know for 
sure, I expect that the National Security Agency has a 
different focus.
    So I would not be surprised if the private sector had a 
great deal of very useful information.
    Chairman Whitehouse. And, Mr. Baker, what is your take?
    Mr. Baker. I would divide the problem into three possible 
kinds of attacks: there are attacks to steal money, there are 
attacks to steal secrets, and there are attacks to sabotage a 
system.
    When it is a question of stealing money, I would say the 
private sector is better informed and better protected than the 
U.S. Government or Government agencies generally. It affects 
the bottom line. They know how much to spend. They want to 
spend enough to stop losses that are equivalent to what they 
have spent. And they do a better job than the U.S. Government 
protecting themselves from that kind of an attack.
    Stealing secrets, I would say the U.S. Government has a 
better awareness and, by and large, I get more calls from 
people in the private sector who are alerted to their losses by 
the U.S. Government than the other way around. And there is a 
tendency, if you do not steal secrets for a living, as 
intelligence agencies do, not to believe that people are really 
doing that to you, and the private sector falls prey to that 
illusion.
    And then there is sabotage where I think the private sector 
is utterly clueless. They do not want to think about the 
possibility of sabotage because they have no idea what to do 
about that. They will end up spending money and getting nothing 
obvious back because they are running now--they have not been 
sabotaged yet, so all they get is a sense that maybe they would 
withstand an attack, but they do not even know that.
    And so they are reluctant to spend money or even to hear 
the message in the private sector, the electrical grid, or the 
pipeline companies and the like. The reluctance to hear that 
message is profound.
    Chairman Whitehouse. Senator Kyl.
    Senator Kyl. Thank you, Mr. Chairman.
    First, Mr. Baker, two questions for you. You discussed the 
supply chain vulnerabilities, including the new smart grid 
infrastructure. What is being done to ensure that the smart 
grid does not become in essence an electronic Trojan horse?
    Mr. Baker. Well, some things are being done on paper. There 
are security standards being developed. Whether they are really 
sufficient is open to question. But even if they were 
sufficient, there is not an obvious enforcement mechanism. The 
mechanisms for regulating power companies are deeply local and 
State, and both the power companies and the State PUCs like it 
that way, and they do not want the Federal Government to step 
in and start telling them anything about their business. And so 
while the Federal Government can recommend some security 
standards, the PUCs who have to enforce them, in my 
understanding, are not really doing much.
    Senator Kyl. So we have still got a big problem there.
    Mr. Baker. Yes.
    Senator Kyl. Now, I think you are aware that last year 
Congress gave the Department of Defense some new powers to 
protect its information systems, and I wonder--regarding the 
supply chain, again. I am just wondering whether you think 
maybe Congress should use that kind of authority as a template 
for other agencies in the Federal Government.
    Mr. Baker. Well, certainly other agencies beyond the 
Defense Department have to worry about the possibility that the 
supply chain will compromise them, and indeed, you know, 
anything that we think is a worry for the Defense Department is 
probably a worry for the New York Stock Exchange or Citibank, 
and we should not be encouraging them or allowing them, without 
knowing about the risk, to continue to rely on insecure 
material.
    Senator Kyl. So we might take a look at that template in 
dealing with other agencies that have important issues like 
that.
    Mr. Baker. Yes.
    Senator Kyl. Now, for all of you, there is a sense here 
that there is no silver bullet except better enforcement, but 
better enforcement is really hard to do, well, primarily from a 
resource standpoint, but also a capability standpoint. So I 
presume that incremental changes, including creating 
incentives, is one of the answers here. And in terms of 
changing behavior, my question is with the private sector--in 
particular business but also individuals--whether a greater use 
of the concept of insurance as providing incentives would help 
the private sector develop better protections. Maybe we will 
start with you, Mr. Savage, and then Phyllis.
    Mr. Savage. I agree. Cyber insurance to protect against 
fraud, theft, interruption of service, things of that sort 
would be very valuable, because I recall many years ago 
learning about workers' compensation insurance where an 
insurance company would issue a policy but they would also 
provide experts to come into your place of business to help you 
improve it so that they could reduce the number of injuries 
and, therefore, the number of charges.
    When I was in the State Department, I sat on a NITRD panel 
that put together a set of recommendations, one of which was a 
cyber economics recommendation for funding in fiscal year 2012s 
budget, and the idea there being that if you offer insurance, 
you can invite companies who are going to purchase the 
insurance to provide you with incident information, which you 
can then collect and use to create actuarial tables reducing 
their costs, but also pooling these resources with other 
insurance companies.
    The good news is that when I was in the State Department, I 
received a call from a Brown grad who had seen I was a 
Jefferson Science Fellow. She works for an insurance company in 
the Hartford area that sells insurance of this kind, but they 
were at a little bit at sea because they could not really find 
the others and work with the others to do this kind of thing 
that I described.
    Senator Kyl. Especially ways to help resolve that problem 
and whether the Government should be involved in this, Dr. 
Schneck?
    Ms. Schneck. So, thank you. We have looked at the insurance 
model for about 11 years that I remember. The key road block to 
that was the lack of the actuarial data, to Professor Savage's 
point on the need for that data. So in the startup, we have 
plenty of data we can look back on in driving habits and other 
areas where things are insured, but in this arena so little is 
reported that we know what we know because we are out there 
protecting, but to Mr. Baker's point, most of the private 
sector does not have this kind of knowledge. So that actuarial 
data to make the model work on the insurance would be 
exceedingly difficult.
    That is not to say it would not be a great idea to 
incentive, but we would have to make sure of two things: one is 
that the data is there so that nobody gets burnt, so the model 
fits; and the other is to ensure that we are not encouraging 
companies to be compliant, they have to be secure. There is a 
very big difference. Do not just check the box, but 
comprehensively protect your infrastructure.
    Senator Kyl. Mr. Baker, any other thoughts?
    Mr. Baker. Yes, very briefly. For insurance to work, people 
have to either expect a harm, an identifiable harm, or 
identifiable liability. The likelihood of liability in this 
area has so far been pretty minimal just because of the 
difficulty of tracking the attacks. And if all they steal is 
secrets, you are not going to be able to identify a harm that 
an insurance company will be comfortable reimbursing you for.
    So it is part of the solution, but it is not as good a 
solution as I would like.
    Senator Kyl. Thank you.
    Chairman Whitehouse. Senator Blumenthal.
    Senator Blumenthal. Thank you. I would like to pursue that 
line of questioning, but first thank you, all three of you, for 
your very enlightening and useful testimony, and I would like 
to pursue some of the questions here outside the time that I 
have.
    But in terms of liability, that is something that 
corporations understand. If we talk about incentives, which is 
where I was going with the last panel--treble damages--we know 
how to impose liability, we know how to penalize. The courts do 
it all the time. They have to put estimates on that harm. It 
may be difficult to calculate, but, you know, we do it with 
pain and suffering. If we can do it with pain and suffering, 
then we can do it with the kind of commercial damage that 
people suffer, which is much easier in many respects to 
quantify.
    So for all of you--but it is a question raised by Dr. 
Savage's testimony, and I am quoting again: ``.  .  .  the 
incentives to adopt them are weak''--referring to the solutions 
to these cyber security problems--``primarily because security 
is expensive and there is no requirement they be adopted until 
disaster strikes.''
    What can we require--and I invite you to supplement your 
answers here perhaps after you think about it some more. What 
can we require, whether it is liability or Senator Kyl 
mentioned insurance--and I agree with you about all the 
difficulties raised by the insurance model. What can we do to 
really grow your business, Dr. Schneck? And I do not mean that 
altogether facetiously, I mean not just grow your business, but 
grow the interest and incentive to do the kinds of things that 
you advise your clients to do.
    Ms. Schneck. Thank you. I think the first might be to 
incentivize some innovation. So we have grown by finding ways 
around this adversary. We get them by going at the speed of 
light. That was a focus of necessity. That was market driven.
    If we can change our culture a bit to have companies 
incented to innovate around security and find models that work, 
find ways that make them money by being more secure--and the 
insurance models is a subset of that--I think that is one area.
    The other might be some tax incentives, and, again, not 
just being compliant but in doing it right and having that--
again, the decade-old discussion but the top-down policy, the 
culture of security in the company.
    Senator Blumenthal. But we want to measure results, not 
just that they put a better fence around the home----
    Ms. Schneck. Correct.
    Senator Blumenthal.--or a better fire alarm--which, by the 
way, insurance companies do reward so the insurance model does 
work--or other kinds of alarms on homes.
    Professor Savage or Mr. Baker.
    Mr. Savage. I will say quickly, I continue to be troubled 
by end-user licensing agreements which state that the company 
selling me the software has no responsibility for it once it is 
in my hands. I cannot fix any bugs that exist or any security 
hazards that exist in that software myself. I cannot even keep 
it up to date quickly enough because, as we know, as we have 
heard, half of all the malware goes undetected.
    It is said that last year PandaLabs reported that half of 
the malware lived for 1 day. I am not sure to what extent that 
statement is correct, but that is what I read.
    Coming back to a point you made earlier, you asked about 
the technologies that could be incorporated, well, there are--
you know, research is being done all the time, and it takes 
time, of course, for these results to appear in products. But 
there are ways to detect botnets. There are ways to defeat 
denial-of-service attacks and things of that sort. And if there 
were the right incentives--and I do not know what they are--
maybe some of our companies would be more ready to adopt them.
    Now, having said that, there has been a lot of work done by 
a number of companies both in the software sector and financial 
services sector to introduce security techniques to teach their 
engineers to write code that is less easily attacked. And I 
think many of those efforts are actually terrific, and you can 
see it, I think, in the reporting rates of errors.
    So I want to applaud the industry for doing that. At the 
same time, I think they need to take responsibility for this 
issue. And as I say, many are, but not all.
    Senator Blumenthal. Thank you.
    Mr. Baker. If I could just--I know you are deeply familiar 
with the data breach laws and the penalties for that, and I 
have good news and bad news about those laws.
    The good news is they have made a big difference in 
corporate behavior. The companies do not want to have to 
disclose that they have released a large amount of personal 
information about consumers, and they will take steps to 
prevent that from happening.
    The bad news is that that is where the security budgets 
have, by and large, gone. They are spending a lot of money to 
make sure that their hard drives are encrypted so that if they 
leave the computer, the laptop, at the airport, they do not 
have to disclose a breach. They are not, by and large, treating 
some of these more sophisticated attacks with the same kind of 
attention because they do not tend to produce a verifiable 
personal information breach.
    And so if you are going to go down that road, I would urge 
you to try to find an agency with a broader picture of the 
kinds of attacks that can adjust the incentives so people are 
actually responding to the worst kinds of attacks, the ones 
that are most dangerous to us as a country.
    Senator Blumenthal. Thank you.
    Thank you, Mr. Chairman.
    Chairman Whitehouse. Mr. Baker, as the lawyer on the panel, 
let me ask you two questions.
    One, in response to what Dr. Savage said, should we be 
concerned that significant players in this area are purporting, 
at least, in their contractual arrangements to relieve 
themselves of any liability, given that liability is often a 
motivating factor in human behavior?
    And, second, to follow up on my question to the earlier 
panel, I was very impressed by Microsoft's lawsuit. I asked 
them to send me the complaint. I thought it was very well done. 
And they did not really have a hostile defendant. The 
defendant, the provider who was at stake, was perfectly happy 
to comply as long as they had a court order that gave them a 
reason to do it and protected them from any liability for what 
they did. And I am a little bit surprised that there does not 
seem to be more activity in that arena, somebody knows that 
there is a bot out there that they can disable, somebody knows 
that there is a worm out there, somebody knows that there is a 
piece of--a website that is--you know, whatever it is that they 
know about their risk posture, it seems very rare that somebody 
actually goes to a court and says, oh, by the way, let us bring 
in--again, the domain registrar, their ISP, or whoever--and say 
we want you, because of the threat to our welfare here, to make 
this change in your programming so that our threat is 
diminished. And then everybody sits around and says yes, the 
judge hits the gavel, everybody is happy. It seems to me to 
be--the Microsoft thing does not seem to be repeating itself as 
often as I would have expected. I am aware of a couple of 
others, but that seems to be the breakthrough one, and it does 
not seem to have created the sort of torrent I expected of 
people going out to the courts, to the ISPs, to the domain 
registrars, to help them clean up the environment.
    Mr. Baker. Microsoft is in the unique position of seeing 
attacks around the world on their software and having the 
resources to pursue creative solutions. And I agree with you, 
that was a very creative and constructive approach.
    I do think that it is worth exploring what could be done to 
allow companies that have an interest in doing more but need 
some reassurance that what they are doing is not going to 
result in liability. One of the great values of a civil 
injunction and a civil order is that you know that the people 
that you are going after are not going to turn around and file 
lawsuits against you, because you have already gotten prior 
approval. And finding ways to relieve ISPs, other companies, of 
their fear that doing the right thing will result in liability 
is worth looking at. I think that is a constructive approach.
    By and large, using the tort system to improve security is 
a pretty backward-looking approach; that is to say, by the time 
you get a judgment, you are 6 years past the problem, and it is 
probably----
    Chairman Whitehouse. You are back to my first question.
    Mr. Baker. Yes, I am coming back to your first----
    Chairman Whitehouse. Yes, I am not sure it is the best 
way----
    Mr. Baker. So I----
    Chairman Whitehouse. I am also not sure that allowing a 
company to completely relieve itself of liability contractually 
is very helpful in this space either, because it takes their 
mind off it and they go on to other projects.
    Mr. Baker. I do not disagree with you on that, and I 
support the idea of having at least agencies that understand 
what good security practices are, start to define those for 
companies, including software companies, to make sure that they 
are actually doing the things that they need to do. And if they 
say you need to do this and then the company does not do it, I 
do not think those contractual clauses are going to save them 
from liability.
    Chairman Whitehouse. Senator Kyl?
    Senator Kyl. Thank you very much.
    Chairman Whitehouse. Anything further?
    Senator Blumenthal. No. Thank you.
    Chairman Whitehouse. All right. We will conclude this 
hearing. I thank all of the witnesses, and once again I very 
much appreciate the Night Dragon report that McAfee did.
    The hearing will stay open, the docket of the hearing will 
stay open for an additional week, and we will, of course, ask 
all of the witnesses to comply with the questions for the 
record that you will get in writing.
    Again, thank you very much. This has been instructive and 
helpful.
    The hearing is adjourned.
    [Whereupon, at 4:33 p.m., the Subcommittee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]




                                 
