[Senate Hearing 112-886]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-886

        CYBERSECURITY: EVALUATING THE ADMINISTRATION'S PROPOSALS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CRIME AND TERRORISM

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 21, 2011

                               __________

                          Serial No. J-112-29

                               __________

         Printed for the use of the Committee on the Judiciary

                         U.S. GOVERNMENT PRINTING OFFICE 

88-182 PDF                     WASHINGTON : 2012 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director
                                 ------                                

                  Subcommittee on Crime and Terrorism

               SHELDON WHITEHOUSE, Rhode Island, Chairman
HERB KOHL, Wisconsin                 JON KYL, Arizona
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina
CHRISTOPHER A. COONS, Delaware
                Stephen Lilley, Democratic Chief Counsel
               Stephen Higgins, Republican Chief Counsel

                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode 
  Island.........................................................     1
Blumenthal, Hon. Richard, a U.S. Senator from the State of 
  Connecticut....................................................     3
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     9
    prepared statement...........................................    36

                               WITNESSES

Witness List.....................................................    35
Langevin, Hon. Jim, a Representative in Congress from the State 
  of Rhode Island................................................     4
    prepared statement...........................................    38
Baker, James A., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC..........................     7
    prepared joint statement.....................................    41
Schaffer, Greg, Acting Deputy Under Secretary, National 
  Protection and Programs Directorate, U.S. Department of 
  Homeland Security, Washington, DC..............................    10
    prepared joint statement.....................................    41
Schwartz, Ari, Senior Internet Policy Advisor, National Institute 
  of Standards and Technology (NIST), U.S. Department of 
  Commerce, Washington, DC.......................................    12
    prepared joint statement.....................................    41

                               QUESTIONS

Questions submitted by Senator Sheldon Whitehouse to James A. 
  Baker, Greg Schaffer, and Ari Schwartz.........................    47

                                ANSWERS

Responses of James A. Baker, Greg Schaffer, and Ari Schwartz to 
  questions submitted by Senator Whitehouse......................    48

                       SUBMISSIONS FOR THE RECORD

Center for Democracy & Technology (CDT), Gregory T. Nojeim, 
  Director, Project on Freedom, Security & Technology, 
  Washington, DC.................................................    50
Financial Services Roundtable, Washington, DC, statement.........    65

 
        CYBERSECURITY: EVALUATING THE ADMINISTRATION'S PROPOSALS

                              ----------                              


                         TUESDAY, JUNE 21, 2011

                                       U.S. Senate,
                       Subcommittee on Crime and Terrorism,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 2:38 p.m., in 
Room SD-226, Dirksen Senate Office Building, Hon. Sheldon 
Whitehouse, Chairman of the Subcommittee, presiding.
    Present: Senators Whitehouse, Leahy, Klobuchar, Coons, and 
Blumenthal.

 OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR 
                 FROM THE STATE OF RHODE ISLAND

    Senator Whitehouse. All right. The hearing will come to 
order. I understand that Congressman Langevin is nearby, and I 
have been waiting for him to be nearby. And what I think I will 
do in terms of order of proceeding is to give my opening 
statement, invite Senator Blumenthal to give an opening 
statement, invite anybody else who joins the hearing to give an 
opening statement, and then call on Congressman Langevin, who 
by then should be here.
    I want to note that it has been a real pleasure to work on 
this issue with the Ranking Member, Senator Jon Kyl. He cannot 
be here today for the best of reasons. He is up at the White 
House in the debt limit negotiations. As important as this 
hearing is, I do not think it tops being at the White House and 
the debt limit negotiations. He has been great to work with, 
and this is an important issue to him, and we have worked on 
legislation together, so I just want to make it a matter of 
record that he has been a thoughtful and helpful colleague in 
these discussions.
    The hearing that brings us together today returns to a 
topic of vital importance: our Nation's cybersecurity. Since 
the Subcommittee's hearing back in April, the news has been 
full of reports of hacks and cyber intrusions. Lockheed Martin, 
Sony, Epsilon, Sega, the International Monetary Fund, and the 
Web sites of the CIA and the Senate, to name just a few, have 
been compromised in just a two-month period. This reflects the 
fact that our Nation's privacy, intellectual property, and 
security are under constant and worsening cyber attack.
    The Internet age has brought with it an explosion of new 
commerce, freedom of expression, and economic opportunity. We 
see its benefits at home and around the world. Unfortunately, 
our increased connectivity allows criminals, terrorists, and 
hostile nations to exploit cyberspace, to attack America, 
invade our privacy, loot our intellectual property, and expose 
America's core infrastructure to cyber sabotage. Whether by 
copying source code, by industrial espionage of military 
product designs, by identity theft, by online piracy, or by 
outright stealing from banks, cyber crime cripples American 
innovation and commerce, kills jobs, and undermines our 
economic and national security.
    Congress must act to provide the administration as well as 
private entities the tools and authorities they need to improve 
our Nation's cybersecurity. To that end, I am very glad that 
the administration has weighed in with its legislative 
proposals to improve our Nation's cybersecurity. The 
administration proposals aim at key cybersecurity challenges, 
for instance, securing our critical infrastructure, such as our 
electric grid, and providing for voluntary assistance and 
response to a cyber incident.
    I am glad that the Subcommittee will have the opportunity 
to hear from the administration today, and I am happy to 
welcome our witnesses from the Department of Justice, the 
Department of Homeland Security, and the Department of 
Commerce.
    I am also very glad to be welcoming Congressman Jim 
Langevin of my home State--boy, his timing is good. He just 
came through the door as I said that--to the Committee. 
Congressman Langevin is a well-regarded leader on 
cybersecurity, having served on the House Intelligence 
Committee, led the Congressional Cybersecurity Caucus, and co-
chaired the Center for Strategic and International Studies 
Commission on Cybersecurity for the 44th Presidency. I very 
much look forward to his testimony and appreciate his 
friendship.
    Our hearing today will focus on three elements of the 
administration's proposals that fall within the Judiciary 
Committee's jurisdiction and expertise: the data breach 
section, the voluntary information-sharing proposal, and 
recommendations for increased criminal penalties under the 
hacking statute, 18 United States Code Section 1030.
    This Committee is well situated to consider those 
questions, particularly in light of the longstanding leadership 
of Chairman Leahy on these issues. I look forward to working 
with the Chairman, with Senator Kyl, and other Members of this 
Committee as the Senate prepares cybersecurity legislation.
    The three proposals we will focus on today are central to 
any discussion of improved cybersecurity and individual 
privacy. The recent data breaches at Sony, Epsilon, and Sega 
reveal how determined criminals can compromise Americans' 
privacy and economic security. Prompt and clear notification of 
such a breach is important to enable Americans to limit the 
damage caused by data breaches and resulting identity theft.
    Today a confusing patchwork of state laws provides for 
different notifications to different customers across the 
country, delaying and raising the cost of breach notification. 
The administration would replace this patchwork of State laws 
with a single federal standard: requiring notification of a 
breach to the Department of Homeland Security, which would then 
pass on the information to the Federal Trade Commission, the 
Secret Service, and the FBI for appropriate enforcement 
actions.
    Proper sharing of cybersecurity threat information also is 
vital. The administration has recommended, subject to various 
safeguards, enhanced sharing of cybersecurity threat 
information between private industry and the government. The 
administration also has recommended enhancing criminal 
penalties for hackers. Our current laws have proven to lack 
appropriate deterrent effect.
    This hearing will consider the need for stiffer penalties 
for hackers who harm our privacy, our National security, and 
our economic well-being. Stiffer penalties, I would note, are 
of little use without adequate law enforcement resources to 
impose them. I would note further that this is an area where 
civil actions by the government to protect the public, such as 
the government's recent action in the Coreflood Botnet, are 
particularly important.
    I am glad that we have the opportunity to evaluate the 
administration's proposals today. We have witnesses joining us 
from the Department of Justice, the Department of Homeland 
Security, and the Department of Commerce. I thank them for 
being with us today and for their ongoing work to secure 
cyberspace.
    I would also briefly note that I believe that the Senate 
should consider issues beyond the current scope of the 
administration's proposals, such as increasing public awareness 
of cybersecurity threats, improving industry self-defense, 
developing rules of the road for our information highways, 
improving supply chain security, considering secure domains for 
critical infrastructure like the electric grid, increasing 
cyber resources within the Government, and strengthening cyber 
research and development.
    I look forward to working with the administration and my 
colleagues on each of these important issues as we strive to 
strengthen our Nation's cybersecurity.
    Before I recognize Congressman Langevin, Senator 
Blumenthal, would you like to make a statement?

 STATEMENT OF HON. RICHARD BLUMENTHAL, A U.S. SENATOR FROM THE 
                      STATE OF CONNECTICUT

    Senator Blumenthal. A very brief statement. Thank you, 
Senator Whitehouse, Mr. Chairman. Thank you for your work on 
this issue, which has been continuing not only in hearings but 
in many other arenas and forums, and thank you to the Chairman 
of the Judiciary Committee, Senator Leahy, for his leadership. 
And welcome, Congressman. Thank you for being here. And to the 
administration, I appreciate not only your being here but the 
very constructive and important proposals that you have made in 
many of these areas.
    Senator Whitehouse has articulated many of my own concerns 
that arise from the real and present danger that cyber attack 
reflects. My own view is that America's next 9/11 may well be a 
cyber attack, and I am paraphrasing when I say that the soon-
to-be-confirmed Secretary of Defense, Leon Panetta, who in the 
hearing said America's next Pearl Harbor is likely to be a 
cyber attack.
    For consumers, of course, the danger is very much real and 
present because they entrust companies like Sony or Citigroup 
with very sensitive and personal information, which could do 
grave harm to them if it is hacked or improperly used or lost, 
and we have seen all occur in recent months and years.
    Let me just say that I appreciate the administration's 
proposal that notification occur in the case of breaches that 
carry, and I am quoting, ``a significant risk of harm.'' I 
believe the notification has to be broader, and I believe that 
there are principles that have to be included: notification as 
soon as possible by mail, phone, or email, or all of them; a 
second notification that clearly indicates whether the breach 
compromised any consumer information; third, notification that 
is provided without unreasonable delay so long as law 
enforcement authorities do not require that notification--and I 
mean explicitly require that notification--be delayed for 
investigative purposes. And I will be interested to know 
whether the witnesses agree with those principles.
    I also believe, as Senator Whitehouse articulated very 
well, both of being former law enforcement officials, that 
indeed law enforcement is critical here and that the government 
cannot be expected or relied upon to do it all. I happen to 
believe that there ought to be a private right of action, and I 
will be interested to know whether the witnesses agree that 
citizens who are potentially harmed, who can show damages, 
should be able themselves to go to court and seek remedies.
    And, finally, I believe that remedies should be greatly 
enhanced. There is a very real need for stronger, more 
effective remedies to help mitigate any ongoing damage as well 
as provide relief for people who are actually harmed.
    So thank you, Senator Whitehouse, for giving me this 
opportunity to begin.
    Senator Whitehouse. Thank you, Senator Blumenthal.
    It is now my great pleasure and privilege to recognize my 
friend and colleague, Congressman Langevin, who has represented 
the Second Congressional District of my home State of Rhode 
Island since 2000. During that time, he has emerged as a well-
regarded leader on cybersecurity. He serves on the House 
Intelligence Committee. He led the Congressional Cybersecurity 
Caucus. He co-chaired the Center for Strategic and 
International Studies Commission on Cybersecurity for the 44th 
Presidency. He has introduced important cybersecurity 
legislation in the House, and he has convened an important 
meeting at our university at home, the University of Rhode 
Island, at which General Alexander, the commander both of NSA 
and Cyber Command, attended and spoke. It is not often we get 
four-star generals in Rhode Island, so that was a memorable day 
organized by Congressman Langevin.
    Before being elected to the House, Congressman Langevin was 
the secretary of state for Rhode Island and a member of the 
Rhode Island House of Representatives. He is a graduate of 
Rhode Island College and earned a master's degree in public 
administration from the Kennedy School of Government at Harvard 
University.
    We are delighted to have you here, Congressman Langevin. 
Please proceed.

 STATEMENT OF HON. JIM LANGEVIN, A REPRESENTATIVE IN CONGRESS 
                 FROM THE STATE OF RHODE ISLAND

    Representative Langevin. Chairman Whitehouse, thank you 
very much for the introduction, the welcome, and the 
opportunity to speak today. Before I begin my prepared remarks, 
let me just thank you for your leadership on this very 
important issue of cybersecurity. Your partnership and 
leadership on this issue have been invaluable to me, deeply 
appreciated both in the work we have done on this issue back in 
Rhode Island, but nationally here in the Congress, and 
particularly your experience as a former Attorney General and 
U.S. Attorney have been very insightful and, again, invaluable, 
and especially your work when you were on the Senate 
Intelligence Committee. So, again, I could not have done a lot 
of the work I have done without your leadership and support, 
and I am very grateful for your work.
    I would like to thank you, Chairman Whitehouse and Ranking 
Member Kyl and Senator Blumenthal, for inviting me to testify 
today on one of the most critical national security challenges 
facing our contractor today. Cyber incidents have grabbed 
headlines in recent months, with our top companies seeing 
intrusions and loss of data and our constituents are beginning 
to realize that the Internet is a highly contested space where 
personal information is never truly secure.
    The common thread is that these threats all take advantage 
of our strong reliance on the Internet for social 
communications, business, and national defense, and the damage 
will only increase as that reliance grows.
    The first crisis that we are facing, of course, is highly 
skilled cybersecurity professionals. Our Nation is a leader in 
Internet security technology, but we do not have enough highly 
trained individuals to match our growing needs. In Rhode 
Island, we are working to educate our future workforce for the 
21st century cybersecurity jobs through programs like 
developing a statewide Cyber Center of Excellence that will 
cultivate cyber talent in our State while meeting the 
increasing need for a strong public-private relationship in 
cyberspace.
    We must also align our laws and policies with the realities 
of today's Internet, and I appreciate the administration's 
proposal to move in this direction. The foundations of trust 
and known identity upon which the Internet was built have 
enabled criminals to take advantage of those using the Internet 
for legitimate commerce. Organized crime, of course, is fully 
operational online, stealing billions of dollars every year to 
support worldwide networks of crime, yet RICO laws do not apply 
in cyberspace. The administration has proposed allowing RICO to 
cover crimes committed in cyberspace as well as setting 
mandatory minimum sentences for intrusions into critical 
infrastructure.
    Similarly, recent incidents, such as the Sony and Citibank 
intrusions, have highlighted large discrepancies in our data 
breach laws. Currently each State regulates when and how a 
company should disclose a breach of customer data and those 
affected. This regime makes little sense in cyberspace where 
crimes and transactions take place at a national or 
international level. The administration's proposals, as well as 
those introduced in the House and Senate, seek to set a federal 
standard. As we move to this model, however, we must also take 
care to implement the most effective, not the lowest, standard 
for reporting.
    Finally, we must reexamine new opportunities for voluntary 
information sharing to ensure that we stop new threats before 
they reach their target. Today government, businesses, and 
citizens all build their own digital fortifications and hope 
they are positioned to stop the right threat.
    Now, while the problem of attribution in cyberspace is 
always an issue, the government has a sophisticated 
understanding of what the various threats look like. It also 
currently lacks the visibility of the private sector, 
telecommunications in particular, which can better pinpoint the 
source of the threat or even stop it before it reaches our 
digital doorstep. Rather than protecting our citizens, we are 
actually losing the ability to stop attacks before they take 
place and provide better data security for everyone.
    To address this issue without compromising individual 
privacy, the administration proposes allowing cyber threat 
information to be shared voluntarily with the Department of 
Homeland Security so that businesses, private citizens, and the 
Government can all benefit from and be better protected by the 
increased capabilities and insight of an enhanced public-
private partnership.
    For this arrangement to work, of course, we must institute 
strict oversight to ensure that no personal communications or 
sensitive data are inappropriately shared with the government 
by businesses. If done correctly, this could greatly enhance 
privacy by stopping malicious intrusions or large data theft 
efforts and would provide a clearer picture of the health and 
the security of the Internet.
    Mr. Chairman, I will stop there but, of course, invite you 
to consider the longer statement that I am submitting for the 
record. We must implement sensible policies that enhance our 
security and our privacy before a serious cyber incident leads 
to decisions that could fundamentally alter one of the most 
incredible tools of our time.
    I want to just conclude by, again, commending you, Senator 
Whitehouse, for being a true leader on this issue. Again, as a 
former Member of the Senate Intelligence Community and Chairman 
of this Subcommittee, I appreciate the great work that you are 
doing. Thank you, Mr. Chairman, Ranking Member Kyl, and Senator 
Blumenthal, for this opportunity, and I certainly look forward 
to working with you to make the Internet a stronger, more 
secure domain for all.
    [The prepared statement of Representative Langevin appears 
as a submission for the record.]
    Senator Whitehouse. Well, thank you, Congressman Langevin.
    First, your longer statement will, without objection, be 
part of the record of this hearing, and I appreciate the 
thought and care that you put into it. And I look forward to 
continuing to work with you as this goes forward. Your interest 
and expertise in this issue, your leadership on this issue, are 
recognized on this side of the Capitol, and clearly you have 
taken considerable trouble to come over here and join us on the 
Senate side today. So we appreciate it very much. I know that 
important business calls you back to the House, so we will 
excuse you at this time with much appreciation for your trouble 
today and for the content of your testimony.
    Representative Langevin. Thank you, Mr. Chairman.
    Senator Whitehouse. All right. We will now call up the 
administration witnesses.
    There is a statement that we have that is, I gather, a 
joint statement. Do the three of you adopt it as your testimony 
to this Committee?
    Mr. Baker. That is correct, Senator, yes. We ask that it be 
made part of the record.
    Senator Whitehouse. Okay, so that is yes, yes, and yes for 
the three witnesses, may the record reflect. And I understand 
that each of you would like to make a separate oral statement 
before we get into questions and answers. Is that correct? All 
right. Well, why don't we proceed across the line. It turns out 
to be alphabetical order as well, but we will start with Jim 
Baker.
    Jim Baker currently serves as an Associate Deputy Attorney 
General at the U.S. Department of Justice where he is 
responsible for a wide range of national security, 
cybersecurity, and other matters. Mr. Baker previously served 
as Counsel for Intelligence Policy at the Department from 2001 
to 2007 where, among other things, he was in charge of 
representing the United States before the Foreign Intelligence 
Surveillance Court. From 2008 to 2009, Mr. Baker was assistant 
general counsel for National Security at Verizon Business. He 
has also taught national security law at Harvard Law School and 
been a fellow at the Institute of Politics at Harvard's Kennedy 
School of Government.
    Mr. Baker, please proceed.

STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, 
           U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Baker. Thank you, Mr. Chairman, Members of the 
Committee. Thank you for the opportunity to testify before 
you today on the administration's cyber legislative 
proposal.
    Mr. Chairman, as you have noted and as everyone else has 
noted so far today, the Nation faces a dangerous and persistent 
cyber threat. As we all know, we rely heavily on the Internet 
to conduct our most important activities. Information 
technology has become the nervous system of the country, and 
today that system is highly vulnerable to exploitation and 
attack.
    More importantly, malicious actors know this. Recent 
publicly disclosed cyber intrusions reflect the breadth and 
intensity of the efforts by malicious actors to exploit 
existing vulnerabilities and infiltrate and compromise our 
networks. Such actions threaten those networks, the data they 
contain, and the critical infrastructure systems that rely upon 
them. Every day information systems in the United States are 
compromised, and criminals and other malicious actors steal 
significant quantities of intellectual property and money.
    Over the past several years, the Federal Government has 
worked to improve the security of its own networks by, for 
example, reducing the number of Internet connections that the 
departments and agencies use, implementing the EINSTEIN 
program, and enhancing information sharing and coordination 
with our international partners.
    In addition, we recently launched a pilot program to 
improve the security of key defense industrial base companies. 
We have also urged private citizens to improve the security of 
their own computers by installing software updates promptly and 
using updated anti-virus programs.
    As we go forward, it is critical that the American people 
understand that when our cyber defenses are not successful at 
preventing an intrusion, many of the mechanisms that malicious 
actors use to steal from us could allow them to disrupt or 
damage our data and our infrastructure. Malicious actors could, 
for example, interfere with our ability to communicate 
effectively by misrouting emails; they could also divert 
aircraft containing passengers and military equipment; they 
could delete medical information on hospital computers; and 
they could shut down transportation systems and the electric 
grid.
    Malicious actors attempt to exploit the vulnerabilities of 
our information systems to compromise them at the hardware, 
software, and firmware levels. They try to establish a 
persistent presence in our networks, using system 
administrators' authorities that they have purloined, in a 
manner that makes them difficult to detect and virtually 
impossible to eradicate. Even if we build firewalls and have 
air gaps around networks to protect those systems from known 
malware, there are still ways to get in.
    Anti-virus and other perimeter-based malware detection and 
prevention systems cannot detect and stop malware that no one 
has seen before, and malicious actors develop new malware 
continually. This is known as the Zero Day threat.
    Moreover, firewalls and air gaps do not protect against the 
insider threat. Employees or other insiders could, 
intentionally or inadvertently, introduce malware into our 
networks using a compromised thumb drive, for example, on a 
protected network or connecting a computer from a protected 
network to the Internet. In addition, our adversaries 
compromise our information by installing software, hardware, 
and firmware already containing vulnerabilities in the products 
that we use while those products are being manufactured. This 
is the supply chain threat.
    All of this emphasizes the need for us to develop effective 
cybersecurity solutions that account for the fact that 
frequently we will have to use networks that may be 
compromised. We will have to learn how to operate successfully 
in a degraded cybersecurity environment.
    Mr. Chairman, we must be candid about these risks. For 
example, private entities must do a better job of informing 
their customers and their shareholders about the losses they 
suffer and the vulnerabilities that they face, including the 
problems that exist with the products that they bring to 
market. Government must, for example, act purposefully and with 
dispatch to improve the security of its own networks.
    Several of the administration's legislative proposals are 
intended to enhance our ability to protect the American people. 
Our data breach proposal, for example, as several have noted, 
would establish a uniform national standard for certain 
entities that suffer a data breach to require them to timely 
report such breaches to the customers and to law enforcement. 
Other proposals would enhance and harmonize penalties for cyber 
offenses such as causing damage to critical infrastructure 
computers. The administration's proposal is a first step in 
addressing these challenges. We look forward to working with 
Congress on a bipartisan basis to improve and amplify this 
proposal.
    As we move forward, whatever we do to enhance security, we 
must ensure that we establish adequate oversight mechanisms and 
appropriate privacy protections to safeguard the civil 
liberties of all Americans. We must also ensure that we foster 
innovation in this vibrant sector of our economy.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you, Associate Deputy Attorney 
General Baker. We, too, look forward to working with the 
Department of Justice, to use your words, to improve and 
amplify the administration's proposals. You have always been 
wonderful to work with, and we have great pride in the public 
service that you have given to this country over many years. It 
is not an easy thing. You have had many late and difficult 
nights and a lot of worries. I know a little something about 
those FISA Court proceedings, so I know how burdensome that has 
been, and I know you are joined by your son and your daughter 
today, and in front of Julian and Hadley, I just wanted to say 
those words about you because I am sure that there were times 
with them that you missed because of the press of your 
responsibilities, and I am happy to take this occasion to let 
them know how important what you do for your country is.
    And now I would like to turn to the Chairman of the 
Judiciary Committee, the distinguished Senator Pat Leahy. I 
will offer him a chance to give opening remarks.

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE 
                        STATE OF VERMONT

    Chairman Leahy. Well, thank you very much. Incidentally, I 
concur with what you just said about Mr. Baker, and I wanted 
his family to hear that, too. You know from your own work on 
the Intelligence Committee and I from this Committee, how much 
work can go into some of those things. Some of the times you 
are going to be working, you come home and the family says, 
``What were you doing?'' you say, ``Cannot tell you.'' So I 
commend you for that.
    Chairman Whitehouse, I commend you for your work on the 
Subcommittee on Crime and Terrorism. This whole idea of 
developing a comprehensive strategy for cybersecurity--we will 
talk about nuclear weapons, we will talk about this, that, and 
the other thing--but I think this is probably one of the 
greatest challenges facing our country today.
    Look at some of the major data breaches: Sony, Epsilon, 
RSA, the International Monetary Fund, and Lockheed Martin. That 
is just naming a few. I have often talked about what happens in 
a part of the world like where I come from, in the Northeast, 
when it is the middle of January and it is 10 or 15 degrees 
below zero, and a cyber terrorist closes down all our power 
grids. I mean, these are major concerns.
    Our government computer networks have not been spared. We 
see it at the CIA. We saw it here in the Senate. The Department 
of Defense tells us they have attacks on them all the time. So 
I think protecting America's privacy but also our security and 
cyberspace is a top priority for this Committee.
    We are working with the Obama administration and others in 
Congress to develop a comprehensive national strategy for 
cybersecurity. I reintroduced my Personal Data Privacy and 
Security Act to establish a national standard for data breach 
notification and to require that companies protect our 
sensitive personal information. If somebody broke into your 
house and stole all your papers, you would want to know about 
it. Well, if they break into a company that holds all your 
medical records, your tax records, and everything else, you 
ought to know about it.
    In a few weeks, I will include this bill in the Committee's 
business agenda so we can report the legislation again. It has 
had strong bipartisan support before. I hope that it will 
again.
    Today, having the Departments of Justice, Commerce, and 
Homeland Security here, it is important that we hear from you. 
This is not a Democratic or Republican issue. It is one where 
we want to protect our own personal privacy and liberties, but 
we also want to protect the country. And I think it can be 
done, but it is going to need a lot of expertise and work.
    Senator Whitehouse, I commend you for holding the hearing, 
and I am glad we are doing this.
    [The prepared statement of Senator Patrick Leahy appears as 
a submission for the record.]
    Senator Whitehouse. Well, thank you, Chairman. I appreciate 
your leadership in this and so many other issues.
    We will now go on to our next witness, from the Department 
of Homeland Security, Greg Schaffer. He is the Acting Deputy 
Under Secretary for the National Protection and Programs 
Directorate at the Department of Homeland Security. Mr. 
Schaffer previously served as Assistant Secretary for 
Cybersecurity and Communications where he led the coordinated 
efforts of CS&C and its components, including the National 
Cybersecurity Division, the Office of Emergency Communications, 
and the National Communications System. Mr. Schaffer previously 
held positions at Alltel Communication, LLC, and 
PricewaterhouseCoopers as well as in the Computer Crime and 
Intellectual Property Section at the U.S. Department of 
Justice.
    We are glad to have you with us, Mr. Schaffer. Please 
proceed.

  STATEMENT OF GREG SCHAFFER, ACTING DEPUTY UNDER SECRETARY, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
              OF HOMELAND SECURITY, WASHINGTON, DC

    Mr. Schaffer. Thank you, Chairman Whitehouse, Chairman 
Leahy, and distinguished Members of the Subcommittee. I 
appreciate the opportunity to speak to you today about what we 
all seem to believe is a critically important security issue 
for our country.
    I will not reiterate the threat situation that has been 
clearly stated by Mr. Baker and the Members of the Committee, 
but I will say that the theft of intellectual property both 
from the government and from private sector entities does pose 
a serious risk to our country's economic viability and our 
security. What is worse is that the connectivity of industrial 
controls creates a situation where there is an ability to take 
things even farther. To disrupt the delivery of power, the 
delivery of transportation services, our financial services 
sector, all can be interrupted by hackers who can reach us from 
anywhere on the globe. These are national security, homeland 
security, and economic security issues that really can only be 
addressed through the efforts of our entire society. Both 
government, industry, and even individual citizens will have to 
play a role in solving these problems.
    The legislative proposal that the administration has put 
forward clarifies the authorities of various departments in a 
variety of ways. It moves to enhance the collaboration with 
industry, and it drives for outcomes and progress in reducing 
risk in a variety of ways. The proposal clarifies that the 
Department of Homeland Security leads the protection of federal 
civilian networks, and it clarifies our authority to do so with 
the private sector by providing a variety of voluntary services 
as well as capabilities that the private sector needs from 
government.
    It also presents an opportunity to modernize the Federal 
Information Security Management Act, as many bills that have 
been presented over the last several years have tried to do, to 
move away from a paper compliance exercise and in the direction 
of continuous monitoring and operational improvement and 
reduction of risk for federal departments and agencies.
    In the area of personnel authorities, the proposal is 
designed to give DHS the kind of flexibility that the 
Department of Defense already has in order to compete in a 
market that is highly competitive for a very small number of 
highly skilled individuals. While we will never in government 
pay the same as some of our competitors for staff in the 
private sector, we do need the ability to rise to the level of 
others in the Federal Government.
    With respect to protecting critical infrastructure, the 
bill has both voluntary and mandatory provisions. The 
administration's proposal clarifies the authority to provide 
assistance on request to private sector entities, including 
alerts and warnings, risk assessments, onsite technical 
support, and incident response. Our ability to provide those 
services is clarified so that we do not have any confusion by 
the private sector in terms of what we can do for them in a 
difficult moment.
    From an information-sharing perspective, the proposal 
removes many of the barriers between government and industry. 
In particular, uncertainty slows us down. When industry is 
unclear about whether or not they can share information, 
several days of working with lawyers for clarity can delay the 
ability to deliver capability and defensive measures. This 
would provide immunity when industry is sharing with government 
in order to allow that to happen much more quickly and allow us 
to do this in a way that is, nonetheless, consistent with 
robust oversight for privacy, civil liberties, and indeed 
criminal penalties in the event of a violation of procedures 
that would be established to control how that information would 
be taken in.
    Under mandatory provisions, the proposal allows through a 
rulemaking process for Government to work with industry to 
establish who is in the most critical of critical 
infrastructure and for those entities to work with us to 
establish risks that need to be mitigated and then frameworks 
that can be used to mitigate those risks.
    Through that process and the development of plans by 
industry under those frameworks, we believe using transparency 
we can significantly reduce the amount of risk within the 
private sector.
    The proposal really builds on many proposals that have 
appeared in bills that the Congress has put forward. It builds 
on those proposals over the last several years, and we are 
anxious to work with you. It is the beginning of a process in 
the discussion of these proposals and others that have been 
suggested, and the administration is very anxious to work with 
you as this moves through the Congress.
    Thank you.
    Senator Whitehouse. Thank you very much, Mr. Schaffer.
    Our final witness is Ari Schwartz. He serves as the Senior 
Internet Policy Advisor for the Information Technology 
Laboratory at the National Institute of Standards and 
Technology, which is within the Department of Commerce. He 
represents NIST on the Department of Commerce Internet Policy 
Task Force, providing input on areas such as cybersecurity, 
privacy, and identity management. Mr. Schwartz came to NIST in 
2010 after serving almost 13 years as vice president and chief 
operating officer of the Center for Democracy and Technology, 
where he focused on increasing individual control over personal 
and public information.
    Good to have you with us, Mr. Schwartz. Please proceed.

  STATEMENT OF ARI SCHWARTZ, SENIOR INTERNET POLICY ADVISOR, 
  NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), U.S. 
             DEPARTMENT OF COMMERCE, WASHINGTON, DC

    Mr. Schwartz. Thank you, Mr. Chairman.
    Chairman Whitehouse, Chairman Leahy, Members of the 
Committee, thank you for inviting me to testify today on behalf 
of the Department of Commerce on the administration's 
cybersecurity legislative proposal.
    The main goal of this proposal is to maximize the country's 
effectiveness in protecting the security of key critical 
infrastructure networks and systems that rely on the Internet 
while also minimizing regulatory burden on the entities that it 
covers and protecting the privacy and civil liberties of the 
public.
    I will address three relevant parts of the proposal: first, 
creating security plans for covered critical infrastructure; 
second, data breach reporting; and, finally, privacy 
protections.
    First, on security plans, one important theme of the 
proposal is accountability through disclosure. In requiring 
creation of security plans, the administration is promoting use 
of private sector expertise and innovation over top-down 
government regulation. Importantly, the proposal only covers 
the core critical infrastructure as it relates to 
cybersecurity. DHS would define these sectors through an open 
public rulemaking process.
    The covered critical infrastructure entities will then take 
the lead in developing frameworks of performance standards for 
mitigating identified cybersecurity risks and could ask NIST to 
work with them to help create security frameworks. There will 
be strong incentive for both industry to build effective 
frameworks and for DHS to approve those created by industry. 
The entities involved will want the certainty of knowing that 
their approach has been approved, and DHS will benefit from 
knowing that it will not need to invest in the resource-
intensive approach of developing a government-mandated 
framework unless industry really fails to act.
    Covered critical infrastructure firms and their executives 
will then have to sign off on their cybersecurity plans, 
subject them to performance evaluation, and disclose them in 
annual reports. Rather than substituting the government's 
judgments for private firms', the plan holds the covered 
entities accountable to consumers and the market. This 
encourages innovation and mitigation strategies as well as 
improving adherence to best practices by facilitating greater 
transparency, understanding, and collaboration. The main goal 
is to create an institutional culture in which cybersecurity is 
part of the everyday practice without creating a slow-moving 
regulatory structure.
    In our recently released green paper, the Department of 
Commerce has begun to further clarify major functions and 
services that would not be considered covered critical 
infrastructure under the administration proposal. We believe 
that the non-covered entities should develop the voluntary 
equivalent of the frameworks that are in the administration 
proposal that could begin to serve as the rules of the road for 
these companies that rely on the Internet similar to those that 
the Chairman suggested in his opening remarks. We are receiving 
comments on that paper until August 1st.
    On data breach reporting, the administration has learned a 
good deal from the States, selecting and augmenting those 
strategies and practices that we felt most effective to protect 
security and privacy. The legislation will help build certainty 
and trust in the marketplace by making it easier for consumers 
to understand the data breach notices they receive and why they 
are receiving them, and as a result will better be able to take 
appropriate action.
    As Secretary Locke and others at the Commerce Department 
have heard from many of the companies in different industries, 
including in response to our notice of inquiry last year, a 
nationwide standard for data breach notification will make 
compliance much easier for the wide range of businesses that 
today must follow 47 different legal standards.
    Finally, I would like to point out that many of the new and 
augmented authorities in this package are governed by a new 
privacy framework for government that we believe would enhance 
privacy protections for information collected and shared with 
the government for cybersecurity purposes. This framework would 
be created by DHS in consultation with privacy and civil 
liberties experts and the Attorney General, subject to regular 
reports by the DOJ Privacy Office, and overseen by the 
independent Privacy and Civil Liberties Oversight Board. 
Government violations of this framework would be subject to 
both criminal and financial penalties.
    Thank you again for holding this important hearing. I look 
forward to your questions.
    [The prepared statement of Messrs. Baker, Schaffer, and 
Schwartz appears as a submission for the record.]
    Senator Whitehouse. Thank you.
    Before I get into questions, let me just make one general 
point, because we are going to spend a lot of time working 
through this together in the coming months. I am worried about 
the extent of the threat that we are facing right now and the 
time that it will take to work through some of the 
administrative procedures that are built into the 
administration's proposal. It seems to me that, to the extent 
that we can reach agreement and try to draw some of those 
bright lines forward and into legislation so that people can 
begin to rely on them and gain their protections more rapidly, 
that would be to our advantage.
    I spent three years, if I recall correctly, just trying to 
get the Drug Enforcement Administration to knock off its ban on 
prescribed pharmaceuticals being prescribed electronically, and 
I had the support of the Department of Health and Human 
Services through all of that, and ultimately of the Attorney 
General. So when that is the pace of something that the 
government agrees with, it makes me concerned about the 
prospect of delay. So that is just an overall point about the 
reliance of the proposal on the administrative process. I think 
where we find agreement we should move things up.
    In terms of defining these things, let me ask right off the 
bat: Are independent service providers on the Internet covered 
entities? And is the Internet itself and the provision of 
service across the Internet critical infrastructure within the 
definition as contemplated by the administration?
    Mr. Baker. Thank you, Senator, and I understand completely 
your first point about trying to move expeditiously through 
these things. I have been through a number of different efforts 
to write policies and procedures, and I agree, wherever 
possible, if we move them into statute, that would be fine, as 
long as we maintain the flexibility that we need to deal with 
the evolving threat.
    But with respect to critical infrastructure, I will defer 
to my colleagues here, but I think there are different 
definitions of critical infrastructure as you move through the 
proposals. And just to highlight for folks, the different 
proposals are focused on achieving different things, and in 
particular, the proposal to modify the Computer Fraud and Abuse 
Act and add a prohibition on damaging or attempting to damage 
critical infrastructure. That has got a very----
    Senator Whitehouse. I am referring to the part that Mr. 
Schwartz was discussing in which the industries defined, I 
think in the language, as covered entities that are deemed to 
have critical infrastructure have to come in, generate their 
own plans, seek their approval, and if they are adequate, then 
they go forward. And that is the process by which we protect 
our so-called critical infrastructure. Are the ISPs critical 
infrastructure within that definition?
    Mr. Schaffer. Senator, thank you for the question. I think 
that the proposal lays out some criteria and contemplates a 
rulemaking. But at the end of the day, I do think that the 
ISPs, being critical to connectivity for a wide range of 
entities and, therefore, likely to cause cascading effects if 
there is an outage within their infrastructure, would likely 
fall within critical. But, again, there would be a process in 
order to get to that under the current proposal.
    Senator Whitehouse. Well, that goes back to my opening 
problem, that we do not get around to even defining who the 
participants are in the protection of our critical 
infrastructure for some considerable period of time and some 
considerable effort in administrative rulemaking. But you all 
agree that in terms of going forward we in Congress should 
presume that the administration intends the ISPs to be in that 
process, and we can more or less deem them to be critical 
infrastructure in terms of working with them to beef up the 
security of the Internet.
    Mr. Schwartz. I would just have a little bit further of a 
discussion and discuss how we can start moving some of this 
further a little bit more quickly.
    In terms of who is covered and how they are covered, one 
thing that we focus on in our green paper is the coverage of 
functions and services. So there are some things that ISPs do, 
and certainly large ISPs, that we may all consider covered. But 
there might be other functions and services that we do not 
consider covered. Maybe they do not meet the PATRIOT Act 
definition of what critical infrastructure is, perhaps even----
    Senator Whitehouse. Let us talk for a minute about--I think 
it was your testimony--actually, I take it back. It was Mr. 
Baker's--about needing to encourage consumers to be more aware 
and to take basic steps to protect their own computers and to 
protect the computers of those they link with from having 
malware that they host propagated into other people's 
computers. That is a pretty important thing to do. We have 
heard testimony that, you know, 80 to 90 percent of the threat 
out there can be blocked with commercial off-the-shelf 
technology if it were only used by people.
    Mr. Schwartz. Correct.
    Senator Whitehouse. So the ISPs are in a unique position 
because they are aware of the traffic coming through, know that 
your computer--in a way that you would never have a reason to 
know as an ordinary consumer--is infected with malware or is 
slaved to a botnet, and the terms on which the ISPs would deal 
with the consumer, where the consumer has been determined to be 
an unwitting sponsor, if you will, of a cyber threat. Where 
does that relationship between the ISP and the consumer with 
respect to the consumer's unwitting and unwilling role as a 
vector for a cyber threat get addressed in this legislation? Is 
that part of the cyber infrastructure?
    Mr. Schwartz. I will leave it to DHS to discuss what is 
covered and what is not covered in that way, but I will say, 
just to follow up on where I was going when I was raising what 
we cover in the green paper, that there are things that we know 
today, as you said, there are strong best practices, evolving 
standards that are out there today that we know will solve, as 
you said and as many experts that we have spoken to throughout 
our processes have said, 80 percent of the problem that is out 
there today. Existing threats, we know what they are. We can 
solve them with existing standards and best practices. How do 
we get people to implement them? And the key to that is 
incentives. So some of that--and it is hard to break down 
whether--what is on the covered line and what is not on the 
covered line through the legislation process. But in some ways, 
we need to move forward today trying to get those standards 
implemented. Whether they are done by covered entities or not 
by covered entities, the key is coming up with the right 
incentives to get people to do that.
    Through the Commerce green paper proposal that we are 
promoting out there, we are trying to emphasize ways that 
people can do some of these things voluntarily today before the 
legislation gets enacted and before we would go through this 
rulemaking process. So we have tried to come up with a number 
of steps in order to do that, but I do not want to take away 
from what could be mandated in law.
    Senator Whitehouse. My time has expired on this round, 
anyway, so let me yield to Senator Blumenthal and then to 
Senator Coons, and we can follow up. We will do a second round. 
This is a matter of, I think, a lot of interest, and I have a 
lot of questions remaining.
    Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman.
    You know, in my opening I made reference to the potential 
threat to our National security from a cyber attack without in 
any way meaning to predict or even to compare what a cyber 
attack may mean to the people of the country in making 
reference to 9/11 or Pearl Harbor, as the soon-to-be Secretary 
of Defense Leon Panetta did. But it seems to me the American 
people may have insufficient awareness of the potential for 
this threat, and I wonder if all three of you, especially Mr. 
Baker and Mr. Schaffer, because you are in government now, 
might discuss ways that we can raise that awareness and whether 
you see there being a threat to the national security from a 
potential cyber attack.
    Mr. Schaffer. Thank you, Senator. There is no question that 
awareness is a critical piece of the puzzle, not just for 
everyday citizens but for all of the data owners and others who 
participate in the process. The bill--or the proposal, I 
apologize, really does have some provisions to enhance a 
national awareness campaign. We are, of course, already at the 
Department of Homeland Security working a national campaign to 
raise that awareness at the consumer level with Stop, Think, 
and Act in attempts to get consumers to really focus on what 
they are doing when they are online and whether or not they 
really ought to be doing that while encouraging them to take 
advantage of the capabilities that have been brought to all of 
us in a variety of realms.
    If we cannot get consumers to focus and industry to focus 
and academia to focus, it is much harder to be successful in 
this realm, and it has to be a shared responsibility across a 
wide range of actors that we tackle in a variety of different 
ways, including Cybersecurity Awareness Month and the campaigns 
that we have ongoing, but we would see that being enhanced 
through the proposal. I think it is 243(c)(7) where you can 
find material with respect to the awareness campaign.
    Mr. Baker. Senator, if I could just respond briefly, 
absolutely yes, this is a threat to the national security. 
Absolutely without a doubt in my mind. As I mentioned in my 
opening statement, there are many ways for malicious actors to 
get into our systems. I articulated three of them: the Zero Day 
threat, the insider threat, and the supply chain threat--all 
very big threats, all very difficult to deal with. So that is 
there.
    The important thing for people to understand, I think, is 
that when a malicious actor gets into a network system, they 
try to establish frequently a persistent presence in the 
network. In other words, they want to stay there. Even if we 
find them in some way and we eradicate them on some system or 
some subset of systems, they still want to stay there. Once 
they are in, they want to stay in. And so that is the difficult 
thing that I think we have to deal with. We have to deal with 
an environment where it is going to be a degraded cybersecurity 
environment where we are not going to be 100 percent sure all 
the time whether the adversary is still there or not.
    This is the reality I think we need to face, and I agree 
that, you know, having hearings such as this, I mean, this is 
how we educate the American people: statements, you know, the 
work that this Committee has been doing, that you all do 
individually. I think that is what we need to--we just need to 
keep at it to make sure that people have an adequate 
understanding of the threat.
    Mr. Schwartz. Senator, at the Department of Commerce, at 
NIST, we are helping to run the National Initiative on Cyber 
Education, or NICE, which is the administration's initiative to 
coordinate activity across different agencies, including DHS, 
OPM, DOD, and other major agencies. Each has educational 
programs, and we make sure that they are coordinated and work 
together. That is in the President's budget for 2012, and we 
hope that it will move forward.
    Senator Blumenthal. What about a private right of action 
that I mentioned earlier? I wonder if each of you could 
comment.
    Mr. Baker. Well, as you noted, that is not part of the 
current proposal, and as I said, we are not supposing that this 
proposal has the answers for everything for all time. And we 
are happy to work with the Committee and work with you to try 
to make it better.
    There are some things we want to think about, I think, with 
respect to creating a private cause of action, and I think just 
generally with respect to the data breach provision--and there 
have been a number of different suggestions--the one thing to 
remember is that the companies that have suffered the data 
breaches are victims of crime. And so we need to acknowledge 
that and not turn them somehow into criminals through a very 
heavily regulated type of regime. That is why what we are 
trying to do is simplify it and make it easier to have a 
national standard. But the consumers are the ones whose data is 
now at risk, and we need to make sure that companies that 
suffer a breach act promptly and act adequately, and we look 
forward to working with you on what is the right incentive to 
create to make sure that happens.
    Mr. Schaffer. Senator, having been a witness to these 
questions for 15 years from the time that I was with the 
Justice Department in the Computer Crime and Intellectual 
Property Section up to today and a practicing lawyer in this 
space, I think one of the challenges in cyber has always been 
that there is no real established standard of care and that 
there is so much variability in the way the networks are put 
together and in the way that the systems are protected that it 
becomes very hard to say whether or not someone has lived up to 
what they should be doing.
    One of the things that this proposal does do is it allows 
industry to participate in developing frameworks and then 
commit to those frameworks and develop plans to meet those 
frameworks in a way that will make it much easier to say, Well, 
you said you needed to do this in order to secure that network, 
did you do that? So with a standard of care, I do think it 
becomes easier, and that is one of the things that you will get 
through this process.
    Mr. Schwartz. One of the things that you heard us all 
emphasize in the administration's proposal is the role of 
transparency and the role of disclosure in the proposal on 
several different aspects. We think that this helps to provide 
a series of incentives. One of them is the public effects of 
the disclosure on cybersecurity performance; two, related 
reputation risk; third is access to government procurement and 
the related issues to that; and fourth is the perceived 
litigation risk that comes from knowing how companies are 
performing, knowing what consumers' information has been taken, 
et cetera. So that is something that we see as tied into a lot 
of the transparency pieces in this proposal. We think we can 
help to build greater incentives around that in the future, 
including perhaps, as these frameworks build and as this 
marketplace builds and transparency builds, an insurance market 
that can help address some of those issues.
    Senator Blumenthal. And I understand all of your points and 
some of your reservations about the private right of action and 
the need, for example, to define better the standard of care. 
But I am struck that some of the practices that have led to the 
breaches most recently are the equivalent of a bank leaving the 
vault open without any guards at the door: failure to encrypt, 
failure to take basic safeguards. A bank may be a victim of a 
bank robbery and claim to be a victim, but if it does not take 
certain basic steps to safeguard its depositors' money, 
presumably it should be held accountable. And right now perhaps 
it can be so by the government, but if you are not going to 
impose some basic standard and make it enforceable by citizens, 
I think you are forgoing a basic means of holding these 
institutions accountable.
    My time has expired. You have been very generous, Mr. 
Chairman. Thank you.
    Senator Whitehouse. The Chair recognizes Senator Coons.
    Senator Coons. Thank you, Mr. Chairman.
    Senator Blumenthal raises some good points I would like to 
follow up on, another avenue of concern that arises from the 
same sort of core sets of interest.
    The administration's proposal would also provide some 
criminal and civil immunity protection for entities that share 
information about cyber threats and assist DHS or other federal 
entities. And I would just be interested in whether similar 
protections are currently given to entities that share 
information with the existing information-sharing and analysis 
centers. And if not, does the lack of such an immunity or 
protection deter entities today from reporting relevant 
information to the authorities that they should? And then I 
would be interested in your response if there is legitimacy to 
a concern about good-faith reliance on this immunity and how 
that good-faith determination would be made. Who would be 
responsible for making it? Some have raised concerns that this 
immunity might lead to some recklessness or irresponsibility. 
And I have a follow-up question on a different subject.
    Mr. Schaffer. Thank you for the question, Senator. I am 
going to let Mr. Baker take the good-faith reliance issue, but 
I will start with what is the problem we are trying to solve 
here. On any given day, we have entities that are under attack 
and concerned or they have found something in their own 
infrastructure that they think is important for the government 
to know and for a larger community to be able to defend 
against. That often results in a week-long or days-long process 
of working with counsel in order to determine and to give 
comfort to a general counsel somewhere that that information 
can, in fact, be shared. And in this space, as you know, 
milliseconds count. Days and weeks are not a good measure of 
how long it should take to get things done. And the desire is 
to clear away that uncertainty and give general counsels a 
comfort level that they can share for this specific purpose 
subject to the privacy and civil liberties process that would 
be put in place, which would be extremely robust, but they can 
share this information expeditiously to protect the larger 
ecosystem.
    And so that is really the problem that we see, days of 
delay in being able to deploy defensive measures because of 
concerns around whether or not that can be shared.
    Senator Coons. I understand, having been in-house counsel 
to a company. I think our concern going forward is going to be 
the civil liberties protections which will be robust, making 
sure that we, in fact, are able to deliver on that.
    Did you have any further comment, Mr. Baker, on the good-
faith determination?
    Mr. Baker. Yes, Senator. Under the good-faith provision 
that you are referring to, I think in terms of who would decide 
or who would analyze that at the end of the day, I think it 
would be decided by a court because that is a good-faith 
defense against a civil action in certain circumstances. And so 
I think if a provider, somebody who shared information and 
somebody did not like the fact that they shared information or 
how much they shared or however it was done, if they were to 
sue this entity in court, this is how I think the good-faith 
provision would come into play. And so I think at the end of 
the day it would be a court, a finder of fact, whether it is a 
judge or a jury, that would make that kind of determination. So 
there is protection. That is not something that the government, 
I think, is going to be deciding on its own. It is going to be 
before a neutral decisionmaker.
    Senator Coons. I understand the value of immunity in terms 
of speeding up cooperation. I just wanted to flag my concern 
about how this balance is struck going forward.
    A distinct concern of mine or interest of mine, Delaware's 
National Guard happens to have a cyber warfare unit, cyber 
warfare squadron that has been stood up, and it happens to take 
advantage of the unique strengths and abilities of folks who 
spend much of their career in the private sector working in 
cybersecurity and then allows them to be double-hatted as folks 
who are connected to our Nation's national security apparatus.
    Do you see a role for the National Guard going forward as 
something that could be a useful bridge between cyber law 
enforcement needs and cyber defense needs and tap into some of 
the growing strength in terms of the civilian population in the 
private sector's resources and training, first and second? And 
then how do you think we are doing at standing up and training 
a sufficient cadre of qualified cybersecurity professionals in 
the private sector to augment the execution and delivery on the 
sorts of policies you are expecting the private sector to be 
able to act on in this proposed set of administrative policies?
    Let the record reflect Mr. Schwartz declined to comment.
    [Laughter.]
    Mr. Schaffer. Senator, thank you. Certainly, as we have 
said, there is a role for everyone to play in this space. There 
are needs for all of us to participate in buying down risk and 
making sure that we are addressing cybersecurity across a very 
large domain.
    I do think that there are opportunities both in this 
proposal where we would like to do an exchange to allow 
government and industry to be able to exchange some personnel 
so that we learn how others do this. There is some tremendous 
value for those who have gone from government into industry and 
from industry into government in terms of having us understand 
the challenges on both sides of the fence, and this proposal 
includes some of that. It also makes it easier for us to do 
some hiring. As was pointed out, there are initiatives from an 
education perspective to try to get to a higher level of 
capability across the board for cybersecurity, and there are 
several initiatives that currently attempt to do that by 
working with the universities and even with the elementary 
schools to start people thinking about cybersecurity as a 
career much earlier in the process.
    So there is a range of things that I do think need to be 
done. We very much share the notion that public awareness is 
going to be a critical part of this process, and the need to 
bring as many people into the fold as possible is certainly 
part of what we are trying to get to.
    Senator Coons. Thank you.
    Mr. Baker.
    Mr. Baker. Senator, just briefly, to echo what Mr. Schaffer 
just said, I think we really do need to adopt a whole-of-
government approach to this problem. We need to look at all the 
resources that we have, and I think it is sometimes useful--
analogies are always difficult, but if you think about how we 
have tried to deal with the threat from terrorism and how we 
have utilized all parts of the U.S. Government--from the 
transportation sector to the FBI, to the intelligence 
community, to the military--we have made sure that we have used 
all of our resources. And I think that is the kind of national 
effort that we need when dealing with the threat that we are 
facing today because I think it is that big and it is that 
multi-faceted, so we need to make sure that we are bringing all 
of our resources to bear.
    So I think your idea is worth exploring. We will have to 
give some thought to it. I do not know off the top of my head 
exactly how that would work, but, you know, everybody who has a 
skill and ability in this area needs to be utilized to the full 
extent possible.
    Senator Coons. Well, thank you, Mr. Baker.
    Thank you, Chairman, continuing to be so effectively 
engaged in this difficult issue that is important for our 
National security.
    Senator Whitehouse. Thank you, Senator.
    Let me go back to where we left off, and I think what I 
will do is I will make this a question for the record so we 
just do not bog down this hearing getting way into this. But 
what I am interested in is what elements of the ISP system are 
expected by the administration to qualify as critical 
infrastructure under its proposal for requiring approval of 
critical infrastructure protection. And this is potentially a 
related question, depending how the answers come down, but the 
related question is: Where in the administration's proposal is 
the ISP customer relationship regulated with respect to giving 
customers notice that they are the unwitting and unwilling 
bearers of viruses, malware, and other threats?
    [The information referred to appears as a submission for 
the record.]
    Senator Whitehouse. The other area that I wanted to touch 
on is with respect to reporting. Basically when is a hack not a 
breach? There is considerable emphasis in the administration's 
proposal on data breaches, particularly ones that cause the 
disclosure of significant amounts of public information. But 
the threats in various areas are not just the breach of privacy 
and the loss of public information. They are the loss of 
intellectual property by a company. They are the insertion of 
malware into critical operating systems, things like that. 
Where do you propose that things other than data breach be 
reported? And is that an area that is open to be worked on? 
Should publicly traded entities be more clear in their SEC 
filings about the risk that they face from cybersecurity? 
Clearly they are spending a lot of money on protection, but are 
they reporting what they are doing? Is there daylight into 
that? Are the key commissions--the Nuclear Regulatory 
Commission, the Federal Energy Regulatory Commission, the FAA--
obliged to assemble data about the risks that the industries 
that they regulate are at risk of suffering? And probably you 
would want to de-identify the information so that you are not 
creating competitive advantage and disadvantage, but at least 
you would want the public to know--back to the conversation 
about public awareness, you would want the public to know that 
a federal regulator has stepped out and said, oh, by the way, 
here are the major risks to the electric grid, here are the 
major risks to the air traffic safety, here are the major risks 
to nuclear facilities.
    Now, some of it is going to be classified, but I think it 
is important that we kind of bring all of that up, because my 
concern is that you can have national awareness campaigns until 
you are blue in the face, but if the actual attacks are 
classified when they had dot.gov and dot.mil and kept 
proprietary by business so as not to alarm customers and 
regulators and consumers and competitors--or I guess encourage 
competitors--when it is dot.org and dot.com, then, you know, 
you have a real information deficit and the American public is 
being denied a lot of information that they should have and 
that they could perfectly well have if it were de-identified so 
that you were not targeting a particular bank or a particular 
utility, but just letting people know this is what happened 
today, this is what happened today. And I do not see how you 
can inform the public adequately without the underlying 
information becoming more clear, and I do not know how you do 
that in this piece of legislation.
    Mr. Schaffer.
    Mr. Schaffer. Yes, Senator, thank you. There is in the 
proposal--and there are many notice provisions. There is a 
proposal that would require those who are in critical 
infrastructure to share promptly, report to the Secretary of 
Homeland Security any significant cybersecurity incident. So 
within that class that would fall into the critical 
infrastructure, you would have a notice requirement not 
dependent upon a particular PII, or personally identifiable 
information, having been accessed but just----
    Senator Whitehouse. And that is in that same critical 
infrastructure category that my first question was about, the 
one that you have taken for the record.
    Mr. Schaffer. It is.
    Senator Whitehouse. Okay. Outside of that. So you have got 
critical infrastructure, and you have got these big data 
breaches. What else?
    Mr. Schaffer. Outside of critical infrastructure this 
particular provision would not apply, but I do think that some 
of what has been happening in the last several months with 
breaches is instructive in that the structure that we have now, 
the National Cyber Incident Response Plan, and the ability to 
work through the National Cybersecurity and Communications 
Integration Center at DHS, which has representatives from 
industry who literally sit on the watch floor with DHS, with 
law enforcement authorities, with authorities from other parts 
of government, gives us the ability to share that information 
much more effectively and efficiently. And, indeed, if you look 
at some of the recent incidents, within an hour or two of an 
announcement being made, we will have assembled a cast of 
players who have an interest in the issue and will have gotten 
them engaged in discussing mitigation strategies.
    In some instances we are able to push out information to 
specific sectors even before there is a public announcement by 
the entity that is impacted, and so I think that construct is 
starting to work in the way that we had always envisioned it 
would, and that does allow us to get information out much more 
aggressively.
    Senator Whitehouse. About a specific incident to people 
interested in that specific incident as opposed to more across 
the board.
    Mr. Schaffer. Yes, certainly to government, CIOs, and CISOs 
in very short order, and to interested parties in the private 
sector. The whole construct that we have now is to try to get 
out through the Information Security Analysis Centers, get 
information out to an entire sector or segment of the economy 
as quickly as possible that information which can be most 
useful for them in deploying defensive measures.
    Senator Whitehouse. Against a particular attack. I meant 
more generally about just having there be more awareness of the 
extent of the attacks that we are under. I think that--I will 
find that. Here we go. Symantec says that it recorded over 
three billion malware attacks in 2010, and that is nearly a 100 
percent increase. That is billion with a B. There is a huge 
disjunction between what is really happening out there and what 
people know, and just letting people who might be compromised 
in a similar way by a particular attack now is important and is 
valid, and I am glad you are doing it. But it is a different 
thing than raising the general level of public consciousness 
about all of this so that people are more inclined to take 
protections, more inclined to buy the commercial off-the-shelf 
technology, more inclined to do the various steps that will 
protect them.
    Mr. Baker. Senator, on your question just very briefly.
    Senator Whitehouse. Yes, Mr. Baker.
    Mr. Baker. With respect to your reference to the SEC, I 
just would note that some companies have begun to make reports 
about intrusions that they have suffered in their filings with 
the SEC, so----
    Senator Whitehouse. And Senator Rockefeller and I and 
others have sent a letter to the SEC asking that they beef this 
up, and they are looking at it right now and will get back to 
us later.
    I am going to recognize Senator Klobuchar in a moment, but 
let me ask one more question since we are sort of on this 
subject.
    It seems to me that one of the things that we can do that 
would be very helpful would be to encourage conversation about 
threats. You talked about immunity and making sure that, you 
know, the conversation between DHS and affected businesses is 
safe conversation. But we have the defense industrial base out 
there talking to one another about cyber threats. You have the 
ISACs in different industries out there beginning to talk to 
each other about various cyber threats. I am hearing from a 
number of folks that those are processes that are both, A, very 
useful and, B, not anywhere near as robust as they could be 
because of a variety of hesitations from the participants about 
their participation in that internal industry group, that they 
might lose protected status of information, proprietary status 
or privilege, that they might face an antitrust challenge for 
what they are talking about in there. And we are sort of 
operating in a legally uncertain zone in doing this.
    The proposal of the administration is that when it is 
business to DHS, that is a protected discussion. But there is 
no protection for the B2B discussion within these industrial 
organizations or groups that are already set up to try to do 
this.
    Are those effective? Should their work be enhanced? And 
what do you think are the best ways to enhance their work in 
ways that do not require government intervention? That is just 
basically the industry circling its wagons against common 
threats and trading information and engaging in common defense, 
like the old prairie schooners of yore.
    Mr. Baker. Just very briefly, and then I will turn it over 
to Mr. Schaffer. We have spent a lot of time thinking about 
that. You are exactly right. That is an important issue. We 
recognize that. We have looked at it closely. We have looked at 
a variety of different ways to do this.
    There are some tricky legal issues in there. As you 
mentioned, the antitrust concern I think is one that is of 
particular note, and so we have to focus on that. But I think, 
you know, we are open to working on that issue. We recognize 
its importance, and you are exactly right. We need to figure 
out a better way to enhance that sharing and balance all the 
different factors that you mentioned that have to be balanced 
appropriately.
    Senator Whitehouse. And recognize that for a lot of the 
participants in these things, it is a game in which it is to 
their great advantage to be the free rider who does as little 
as possible and allows their industry colleagues to carry as 
much of the load as possible, and when everybody is looking at 
it that way, you do not get an optimal result. So there is kind 
of an economics and motivation problem built into it as well.
    Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Senator Whitehouse. 
Thanks for chairing this hearing, and thank you to our 
witnesses. I am sorry I was late. We have the Commerce hearing 
for the new nominated Commerce Secretary, which also has some 
role in this cyber area, and I am actually currently working on 
a bill with Senator Hatch from this Committee on cloud 
computing, and I think updating some of our laws in light of 
the technological advances surrounding this innovative business 
model is very important. I think it has the potential, cloud 
computing does, to alleviate some of the concerns in the 
cybersecurity field by introducing economies of scale and 
making sophisticated protection available to all cloud users. 
But it also raises some unique diplomatic issues because data 
is being stored in multiple countries.
    Can you talk about the issues of international jurisdiction 
faced by your agencies when investigating cyber crime involving 
cloud computing? Does anyone have any--Mr. Baker?
    Mr. Baker. I will start, Senator. Thank you. Yes, the number 
of different issues--and I have testified before the Committee 
on some of the ECPA issues that are at play with respect to 
cloud computing, so we recognize the importance of it. The 
administration wants to do everything it can to support the 
development of cloud computing industries.
    It does raise a number of security issues, as you just 
highlighted, and I think that the thing about this data and the 
thing to remember about the various structures that we have is 
that the Internet is a physical thing, and it exists in 
different places. And the data, as you mentioned, is stored in 
different places, and so it raises these different 
jurisdictional issues. But one of the things we have focused 
on, in particular, for example, at the FBI, is working with our 
international partners on these investigations, because the 
cyber criminals in particular move around to lots of different 
places and try to obscure where it is that they are coming from 
and who they are attacking and so on.
    And so the international issues are only going to get 
greater, as you highlight, but we at least, at the FBI and the 
Department of Justice, have focused extensively on trying to 
make our international cooperation better than it has been.
    Senator Klobuchar. Do you think better international 
agreements on the rules relating to data shortage against bad 
actors would help you with fighting cyber crime?
    Mr. Baker. I think depending on how they were structured, I 
think they could, certainly, yes.
    Senator Klobuchar. You would not want a bad international----
    Mr. Baker. Right. Exactly. Right. Exactly.
    Senator Klobuchar. Okay. Good.
    Mr. Schwartz. Senator, we completely agree with you on the 
point about the cloud and economies of scale and how it could 
end up helping security, particularly with small companies and 
small agencies that themselves have to invest a lot to protect 
security today.
    One proposal that we do have in the administration proposal 
is a piece on promoting cloud services tied to ensuring that--
preventing States from requiring companies to build the data 
centers within a particular State, except where that is 
expressly authorized by federal law. We think that that will 
help for companies to feel better that they can invest in the 
cloud and help create international norms around the cloud. We 
have seen some countries already where the provinces or states 
in those countries have passed laws saying that you must locate 
cloud storage within our jurisdiction, particularly to address 
the kinds of concerns that you are talking about. We do not 
think that is the right way to go to address those concerns. We 
think that we need to let the cloud, the marketplace for the 
cloud, flourish and then have enforcement happen through the 
channels that you are discussing with Mr. Baker.
    Senator Klobuchar. Okay, very good.
    What tools does the administration's proposed cyber 
legislation give the Department of Justice to more effectively 
investigate and prosecute the offenders both domestically and 
internationally?
    Mr. Baker. Well, there are a number of different provisions 
that would assist us, so the data breach proposal is one that 
would give us a heightened awareness of what is happening, more 
prompt notification of what is happening, and that would 
certainly enable us through the various reporting requirements 
that are part of that proposal in terms of notifying the FBI, 
that would certainly enhance our situational awareness, as we 
say, about what is going on.
    The various amendments that we have proposed with respect 
to the Computer Fraud and Abuse Act and other federal statutes, 
such as the RICO statute, to make certain violations of----
    Senator Klobuchar. Could you elaborate on that--I used to 
be a prosecutor--how amending the RICO statute would be 
helpful?
    Mr. Baker. Sure. As I mentioned in reference to the other 
questions, many of the crimes that we are facing and the 
criminals that we are facing are organized criminals, and so we 
think it is totally appropriate that we use a tool that is 
intended to deal with organized crime, the RICO statute, to 
counter some of those activities. And so it seems to make sense 
to us. It is pretty straightforward, frankly, and it is a 
powerful tool. We know people have concerns about it. We want 
to use it responsibly. We think we have in place the adequate 
administrative controls inside the Department to use it 
responsibly, but we think it is something that could benefit us 
significantly.
    Enhanced penalties for certain efforts or crimes involving 
damage to critical infrastructure computers we think would help 
us also. Also bringing some clarity to the penalty provisions 
that are part of the Computer Fraud and Abuse Act we think 
would also help us and enable--or enhance our deterrence in 
that area. It is difficult. In order to--I think as Senator 
Whitehouse was saying--in order to investigate and prosecute 
the crime, you have to find out about it. You have to have the 
resources to be able to investigate it and so on. We know that. 
That is all part of the piece. But clarifying some of the 
penalty provisions, for example, and these other things I 
mentioned----
    Senator Klobuchar. And could you just elaborate on that? I 
have been working in the area of some of the streaming issues 
to try to come up with a way with a number of the other 
Senators to acknowledge that if someone is standing on a street 
corner and sells DVDs that are over $2,500 that we already know 
is a felony, and right now if you do it, if you have a business 
and you are illegally selling anything--movies, books, music--
and you do it maybe $1 million and you are profiting--you have 
to profit from it under our bill--it is still a misdemeanor. 
And so we are trying to fix that without, you know, hurting 
anyone's rights or teenagers that are simply trying to share 
some information. So we have a lot of issues with it. It 
reminds me a little of this as you try to look at what the 
penalties are without doing anything that would hurt innocent 
people in how you are trying to do it.
    So could you talk about that with the cybersecurity and the 
penalty issue?
    Mr. Baker. Certainly. To your point generally, we 
definitely understand concerns that folks have expressed with 
respect to some parts of the Computer Fraud and Abuse Act. We 
understand that. We get that. We are trying to use it 
appropriately under the circumstances in making prosecution 
decisions in light of the various guidelines, and in full 
knowledge that we have to justify what we are doing both to the 
Congress and to the courts that we prosecute these cases in 
front of.
    With respect to the penalties, the Computer Fraud and Abuse 
Act statute has got a lot of different features to it. There 
are a lot of things that it tries to prohibit, and it tries to 
do it in a variety of different ways, and it tries to look at 
what the intent is, what the amount of damage that is involved 
is, what the activities are that are at issue. It is not just a 
hacking statute. It is more than that. But it is a variety of 
different crimes that have to do with computers that we think 
enable us to prosecute things and crimes that the country wants 
us to prosecute.
    Senator Klobuchar. I think it is hard sometimes for people 
to understand that if someone used a crowbar and broke in and 
stole all of your DVDs, that is clearly a felony. And then they 
are stealing things off the Internet, it is also a bad crime, 
whether it is your personal identification or someone else's 
property. I just think it is a challenge of our day to make our 
laws as sophisticated as the people who are breaking them 
without doing it in a way that brings in innocent people. But I 
do not think that should make us turn away. I think we have a 
challenge of making the laws work right, but we are up for that 
challenge; otherwise, we are just basically conceding this to 
crooks on the Internet. We have to find a way to do this right, 
so I appreciate it. Thank you.
    Senator Whitehouse. Thank you, Senator Klobuchar.
    Mr. Schaffer, you said a little while ago that milliseconds 
count when you are doing this defense. You cannot wait hours or 
days for lawyers to do their thing. It is also true that 
sometimes milliseconds are too late, that if you have not pre-
positioned certain defenses, you are out of the game, or you 
are in a different game in a much worse position than you would 
have been otherwise.
    We have to be careful what we say because this is a public 
hearing, but clearly there are some capabilities that the U.S. 
Government has that would be useful if they were allowed to 
defend particularly critical infrastructure. Is there any 
vehicle for the U.S. Government to deploy classified measures 
to protect critical infrastructure in this bill without having 
to get the request and the approval and the cognizance of the 
owner of the critical infrastructure? Is it not the case that 
you would basically have to read into any classified program 
that was used the operator of the critical infrastructure or 
not use the program to defend the critical infrastructure? I 
think we need to bridge that gap, and I do not see how the bill 
does that.
    Mr. Schaffer. Senator, there is not a provision in the 
current proposal that would provide for that. We do have 
capability that is coming along with respect to Federal 
Government critical infrastructure, that which is owned by 
departments and agencies or managed by departments and 
agencies, through the intrusion prevention programs that we 
have intrusion detection widely deployed now for federal 
departments and agencies. We are in the process of building out 
intrusion--we have intrusion detection, excuse me. We are 
working toward intrusion prevention, and----
    Senator Whitehouse. And you have the advantage in all of 
that where it is the Federal Government involved that you have 
by definition single-party consent to the methods that are used 
to protect that infrastructure. Once you get outside of the 
government and you now have critical American infrastructure 
that is privately owned, it is very hard to deal with that 
consent issue, particularly if it is a classified program. In 
that regard, I would be interested in your thoughts on what the 
former head of NSA and others have suggested about having a 
secure domain into which critical infrastructure could be 
located that would, by its very existence, be a signal to 
anybody going there that the very best capabilities of the U.S. 
Government are being deployed in this area in the same way that 
people going to dot.gov and dot.mil are signaled in that exact 
way right now. It seems to me that we have critical 
infrastructure that is far more important than some of the 
things that are protected by dot.gov and dot.mil. Not 
everything but some. And yet the standard of what we do to 
protect dot.gov and dot.mil is much higher than even critical 
infrastructure in the open Internet.
    The second thing that that would do is it would also tell 
you where that was not going on, and it would provide the 
public assurance that they are not having their communications 
scanned or screened or swept in any way by the government if 
they are just on eBay or if they are in a chat room or if they 
want to do the sort of ordinary noncritical commerce and 
information exchange that the Internet supports.
    What are your thoughts about that idea?
    Mr. Baker. I will just add the legal question for a minute 
and then turn it over to my colleagues for more of the 
operational things.
    Having said that, let me just say at the outset the sharing 
of classified information in many ways is more of an 
operational issue as opposed to a legal issue, I think, if the 
government is sharing with the private sector.
    Senator Whitehouse. Right.
    Mr. Baker. That has to do with the confidence that we have 
in sharing the information that it is not going to get out and 
be disclosed in some way. But having said that, in terms of the 
type of secure environment that you are talking about, you 
would have to do the type of legal analysis that would look at 
all the various surveillance statutes that would apply in this 
area, because they apply not only to the government, they apply 
to the private sector as well. You have to think about and look 
at the extent to which the government, in fact, is doing this 
through some type of agency relationship with the private 
sector, depending upon the nature and scope of the relationship 
that we have with these various entities and how that all 
evolves, and that----
    Senator Whitehouse. Depending on the agency relationship, 
it could easily become a government act.
    Mr. Baker. Exactly.
    Senator Whitehouse. Giving rise to all of the Fourth 
Amendment concerns that pertain here.
    Mr. Baker. That is exactly right. That is exactly where I 
was going. So we have to think about all those things. Can you 
get through that analysis? Yes, you----
    Senator Whitehouse. But a domain clears that issue, does it 
not, by making people aware so that there is consent before you 
enter it?
    Mr. Baker. That is a tricky question, I think. You may not 
need consent in every instance in this type of situation if 
there was some type of special need for the government with 
respect to the cybersecurity activity that is at play. Whether 
the special needs doctrine applies and whether we meet the 
requirements of it is going to be a fact-specific inquiry, I 
think. But it is something that is worth looking at, and we 
understand these ideas. We have heard about them, obviously, 
and we are working on developing these types of ideas. And so 
it is something that we definitely want to look at.
    Senator Whitehouse. The fact of the matter, it seems, is 
that unless you are willing to disclose certain highly 
classified programs that are kept away from a lot of people we 
trust, even in the military, even in the government, because of 
their--you know, classifying is what is necessary to keep them 
secure. Unless we are willing to share those with fairly large 
sectors of the private industry, because it is hard to pick 
winners and losers and say, Okay, we are going to protect you 
because we trust you, but this other utility that has a CIO who 
comes from Estonia and we are not sure about their cousin and 
so we are not--you know, I am making all that up, but you can 
imagine the complications that you get into when you start 
making those choices.
    I think the bottom line is that we have--there are 
resources that could protect private sector critical 
infrastructure but will not without declassification to a 
degree or without a risk of declassification that we may not be 
willing to face. And it seems to me we solve that problem if we 
make it more clear and overt, what we are doing. And there is 
no real magic to it. You just say, okay, look, if you want to 
go and look at these electric grid things, you have got to be 
aware that the government is going to be keeping an eye on what 
goes in and out of there in order to protect the electric grid. 
I do not think people mind that. And then they know it is not 
somewhere else as well.
    Mr. Schaffer.
    Mr. Schaffer. Senator, for reasons that you alluded to at 
the beginning of the question, I think we would like to come 
and talk to you about this further, perhaps in another forum 
where we can go into a more fulsome discussion about all of the 
parameters. But suffice it to say there is, as you point out, 
quite a lot of complexity both from a legal perspective, a 
technical perspective, and other perspectives----
    Senator Whitehouse. A security perspective.
    Mr. Schaffer [continuing] In terms of how you would address 
this issue, and so I would suggest that perhaps we make 
arrangements to give you a more full briefing at another time.
    Senator Whitehouse. That is fine. You will agree with me 
that there is an issue that is worth pursuing, though.
    Mr. Schaffer. Certainly worth having the conversation.
    Mr. Schwartz. I will say that it is an issue that is under 
great discussion among the interagency groups that work on 
these issues. We are continuing a discussion about that, and we 
look forward to working with you on it.
    Senator Whitehouse. I have to assume that the interagency 
process is sort of an ongoing thing and that there remain 
discussions going on within the administration on these 
subjects. That would be only logical, and I assume that that is 
the case. Correct?
    Mr. Schwartz. Many, many, many meetings.
    Senator Whitehouse. Good. Another topic I wanted to raise 
is the issue of prosecution and investigative resources. I will 
direct this more to you, Mr. Baker, since I think the 
Department of Justice is going to be the primary actor here. 
This is a new area. It is a growing area. It is an area of, as 
each of you have indicated in your testimony, intense concern 
both from an economic, from a criminal, and from a national 
security perspective. In the past, when we have had grave 
concerns, whether it was things like alcohol, tobacco, 
firearms, and munitions, entire agencies have been stood up to 
deal with it. When it was narcotics, the entire Drug 
Enforcement Administration was stood up to deal with it.
    By contrast, what we have addressing the cyber crime and 
cybersecurity threat is considerably smaller, which does not 
necessarily by itself mean that you have got to blow it up, but 
these are also very, very significant cases in terms of 
resource intensiveness. You are dealing with highly specialized 
electronic information about how the Internet works. You are 
dealing with players who are located in foreign countries. You 
have immense complexity trying to investigate across foreign 
borders to find these folks and to work through the different 
treaties that permit all of that. You have not only the need to 
make criminal prosecutions but very often to build civil cases 
in order to shut off certain things, as you all did so well in 
the Coreflood Botnet and as Microsoft did in the Waledac 
botnet.
    This is a lot tougher than your ordinary drug case. This is 
a lot tougher even than your ordinary RICO case. This is 
international RICO-type investigations with a huge technical 
overlay to them. So with all of that, what do we do to resource 
up enough so that we can address these cases as aggressively as 
many of us believe we should? Are you satisfied that the 
existing resources will do the trick, or do we need to think 
about scaling up to meet this threat?
    Mr. Baker. Thank you, Senator. I think from the Justice 
Department's perspective, obviously we can always use more 
resources in this kind of area. We are trying to--we know there 
are limited resources available, and so we are trying to use 
them very judiciously and effectively and not just chasing 
everything that sort of pops on the radar screen. We are trying 
to be thoughtful about this, and the NCIJTF, National Cyber 
Investigative Joint Task Force, is focused very much on trying 
to get the most bang for the buck, if you will, on the 
resources that we have available.
    I will say--and I would imagine that my colleagues would 
echo this--you cannot just grow good cyber investigators and 
prosecutors overnight, and so we need to have a long-term view 
of this and grow our resources properly and effectively 
because, as you mentioned, we need experts, we need people who 
really know how to work these cases. This is not a problem you 
can just throw bodies at and just pull people in and have them 
start working these cyber cases.
    Senator Whitehouse. But that said, you do believe that, as 
time goes forward, this is going to be an increasing threat for 
the country, an increasing responsibility for law enforcement, 
and we are going to need increasing resources in order to meet 
that threat.
    Mr. Baker. Absolutely, and I think that the projections 
that I have seen in terms of the budgets going forward have a 
steady increase, so far that I have seen at least, in terms of 
the folks that we have to devote to this, not only the 
investigators but the prosecutors that can bring these cases to 
court as well, who understand what is happening and who can 
come up with the kinds of ideas, as you mentioned, that the 
prosecutors and investigators came up with with respect to the 
Coreflood activity.
    Senator Whitehouse. Mr. Schaffer, did you want to comment?
    Mr. Schaffer. Yes, Senator, thank you. I think that what 
you have seen in DHS' space is that we indeed have been growing 
dramatically, tripling the size of our National Cybersecurity 
Division in 2009 in terms of federal employees, doubling again 
in 2010, or nearly doubling, and continuing to grow and 
projected to grow in the 2012 budget as well. So we are on a 
trajectory to bring additional resources on, as pointed out in 
the proposal. There are some challenges in getting access to 
the very best people, which is what we want, but we are moving 
forward to grow the program. And, of course, cybersecurity as 
an issue area has been elevated to one of the top five mission 
areas for DHS in the Quadrennial Homeland Security Review.
    So we certainly have tremendous focus on this at DHS. I 
think that is echoed throughout the administration. All of the 
departments and agencies recognize this as a very significant 
area and an area where attention is going to have to be paid 
for an extended period of time.
    Senator Whitehouse. The last topic I would just like to ask 
each of you on--I know I have kept you a long time, and I 
appreciate it--is the question about the supply chain. On the 
one hand, we have a very well-developed and very efficient 
international, global supply chain for electronics in 
particular. And by and large, as we have seen from the 
development of these products, it has served American consumers 
and people around the world very well. And the products that 
have been launched and the services that have been launched, I 
think, have served humankind very well. The Arab Spring is 
largely the product of that technology.
    All that said, it is increasingly a threat to the country 
that foreign governments working with foreign suppliers could 
go about planting into our supply chain not just defective 
products or counterfeit products of the nature that I have just 
done a military counterfeit bill on, but products that actually 
allowed for infiltration and access into the other computer or 
the system that it is connected to. And you do not want to shut 
down the very vibrant global supply chain that supports the 
industry. On the other hand, we have got to protect against 
that kind of a risk, particularly with the United States as the 
primary target, both as a national security target around the 
country and around the world and as the biggest user and the 
economy that is most dependent on the Internet.
    What is your advice with respect to supply chain security? 
And where does this bill begin us on that discussion?
    Mr. Schaffer.
    Mr. Schaffer. Mr. Chairman, I think that the supply chain 
issue is one of the most challenging and complex issues in 
cybersecurity today. Because the supply chain is so robust, 
because U.S. suppliers and foreign suppliers are very much 
intertwined, both in terms of products that U.S. companies are 
putting in the market, that U.S. companies are developing in 
other parts of the world, that foreign companies are using U.S. 
equipment in their equipment, it becomes very challenging.
    And so the administration is very aware that there are 
challenges here and is focused on that. There is an 
administration task force that is led by DHS and the Department 
of Defense to think about those issues and to try to develop 
methodologies to mitigate risks associated with supply chain 
and to identify long-term solutions that can maintain U.S. 
industry in a robust way and also have a level playing field 
for products and services as we go forward.
    So that is a challenge that I think we will be addressing 
and thinking about for some time, and I do not know that we 
have----
    Senator Whitehouse. So it is nothing specific to this 
legislation. We will just have to keep working on that one.
    Mr. Schwartz. Mr. Chairman, we look forward to working with 
you on this extremely important issue. One thing that I think 
is worth noting as well--I think Mr. Schaffer did a great job 
at laying out the basic outline of the kind of work that is 
going into this in an interagency context, but one thing that 
is important in all these issues but it comes out more clearly 
in supply chain, is this idea that whatever we put on companies 
through trade, we also have to be willing to accept 
internationally. We have to think about this in a global way, 
that our companies in the U.S. have to work internationally as 
well. We have to come up with policies that work 
internationally both for imports and exports. What will be 
expected of companies that are importing we have to also expect 
for the companies that are exporting may have to live by those 
same rules, and we should expect that to be the case.
    So we think that we can come up with global solutions in 
this space and in the cybersecurity realm in general, and that 
is one of our targets as well.
    Senator Whitehouse. Very good. Well, let me thank you all. 
You have taken a lot of time this afternoon. I appreciate it.
    I want to close by referencing some of the private sector 
conclusions that have been drawn in this area. On the Senate 
floor, I have already spoken about the McAfee Night Dragon 
report, but I just want to quote it here.
    ``In 2010,'' McAfee says, ``we entered a new decade in the 
world of cybersecurity. . . . This decade is setting up to be 
the exponential jumping-off point. The adversaries are rapidly 
leveraging productized malware toolkits that let them develop 
more malware than in all prior years combined, and they have 
matured from the prior decade to release the most insidious and 
persistent cyberthreats ever known.''
    Focusing on the Night Dragon attacks, it says, they worked 
``by methodical and progressive intrusions into the targeted 
infrastructure. . . . While Night Dragon attacks focused 
specifically on the energy sector, the tools and techniques of 
this kind can be highly successful when targeting any industry. 
Our experience has shown that many other industries are 
currently vulnerable and are under continuous and persistent 
cyberespionage attacks of this type.'' That is McAfee.
    Symantec, very similar, the overall conclusion: ``several 
significant events in 2010 suggest that advanced and persistent 
cyberspace threats have leapt to a new evolutionary stage. . . . 
This evolutionary leap leaves public-sector cyberspace 
defenders scrambling to address technological, operational, and 
procedural gaps in the wake of their adversary's rapid 
maturation. . . . The defense of critical operations requires 
cybersecurity personnel to assume that networked systems can be 
compromised.''
    And they describe an operation called Operation Aurora: 
``the sheer scope of Operation Aurora differentiates it from 
previous attacks of this nature. . . . The operational scope 
implies that the threat actors were highly organized and their 
goals extremely focused. It also reflects [that] . . . it is no 
longer a question of whether or not adversaries will use 
cyberspace to assist espionage--they will--and it must be part 
of the basic assumptions made by security practitioners, 
whether practicing in the public or private sector.''
    It is compelling when two of the largest and most renowned 
security providers say virtually the same thing in reports 
about the exponential jumping-off nature of the threat that we 
face, and I appreciate immensely the work that you all are 
doing to try to protect us from that, to try to keep up with 
the threat as it metamorphoses. And I think that in the areas 
that we have discussed today, the areas of broader reporting so 
that the public is more aware of these concerns, in the area of 
the ISP responsibilities toward their consumers to let them 
know about when they are unwitting and unwilling bearers of 
malware and viruses, including these particularly threatening 
new ones, potentially, in the business-to-business 
relationship, the ISACs, the DIB, and the other areas where we 
want to encourage those communications, with respect to advance 
positioning of some of our most critical defense around our 
critical infrastructure, with respect to adequately resourcing 
the law enforcement side of this, and with respect to 
protecting particularly our military, defense, and critical 
infrastructure supply chain, we have quite a lot of work to do.
    I look forward to working with all of you as the 
administration's proposal goes forward and is amended and 
amplified through the legislative process. And thank you for 
the work that you have done on behalf of our country.
    The hearing will remain open for another week for any 
testimony that may come in. I would be delighted to get the QFR 
responses from you within a couple of weeks, if that is 
possible. And there is a statement from the Financial Services 
Roundtable that we will put into the record of this proceeding 
as well as the complete statement of Representative Langevin of 
Rhode Island.
    [The statement appears as a submission for the record.]
    Senator Whitehouse. And I will add also a report from the 
Center for Democracy and Technology entitled ``Cybersecurity: 
Evaluating the Administration's Proposals,'' dated June 21, 
2011.
    [The report appears as a submission for the record.]
    Senator Whitehouse. That completes the record of the 
proceeding. Again, I thank the witnesses, and we will be 
adjourned.
    [Whereupon, at 4:26 p.m., the Subcommittee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
                            A P P E N D I X

              Additional Material Submitted for the Record



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



              Prepared Statement of Chairman Patrick Leahy



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


 Prepared Statement of Hon. James R. Langevin, a Congressman from the 
                         State of Rhode Island



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Prepared Joint Statement of James A. Baker, Department of Justice; Greg 
Schaffer, Department of Homeland Security; and Ari Schwartz, Department 
                              of Commerce



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



 Questions Submitted by Senator Sheldon Whitehouse for James A. Baker, 
                    Greg Schaffer, and Ari Schwartz



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



 Responses Submitted by James A. Baker, Greg Schaffer, and Ari Schwartz



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                Miscellaneous Submissions for the Record



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]