<html>
<title> - CYBERSECURITY: EVALUATING THE ADMINISTRATION'S PROPOSALS</title>
<body><pre>[Senate Hearing 112-886]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 112-886

        CYBERSECURITY: EVALUATING THE ADMINISTRATION'S PROPOSALS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CRIME AND TERRORISM

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 21, 2011

                               __________

                          Serial No. J-112-29

                               __________

         Printed for the use of the Committee on the Judiciary

                         U.S. GOVERNMENT PRINTING OFFICE

88-182 PDF                     WASHINGTON : 2012

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director
                                 ------

                  Subcommittee on Crime and Terrorism

               SHELDON WHITEHOUSE, Rhode Island, Chairman
HERB KOHL, Wisconsin                 JON KYL, Arizona
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina
CHRISTOPHER A. COONS, Delaware
                Stephen Lilley, Democratic Chief Counsel
               Stephen Higgins, Republican Chief Counsel

                            C O N T E N T S

                              ----------

                    STATEMENTS OF COMMITTEE MEMBERS

Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode
  Island
Blumenthal, Hon. Richard, a U.S. Senator from the State of
  Connecticut
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement

                               WITNESSES

Witness List
Langevin, Hon. Jim, a Representative in Congress from the State
  of Rhode Island
    prepared statement
Baker, James A., Associate Deputy Attorney General, U.S.
  Department of Justice, Washington, DC
    prepared joint statement
Schaffer, Greg, Acting Deputy Under Secretary, National
  Protection and Programs Directorate, U.S. Department of
  Homeland Security, Washington, DC
    prepared joint statement
Schwartz, Ari, Senior Internet Policy Advisor, National Institute
  of Standards and Technology (NIST), U.S. Department of
  Commerce, Washington, DC
    prepared joint statement

                               QUESTIONS

Questions submitted by Senator Sheldon Whitehouse to James A.
  Baker, Greg Schaffer, and Ari Schwartz

                                ANSWERS

Responses of James A. Baker, Greg Schaffer, and Ari Schwartz to
  questions submitted by Senator Whitehouse

                       SUBMISSIONS FOR THE RECORD

Center for Democracy & Technology (CDT), Gregory T. Nojeim,
  Director, Project on Freedom, Security & Technology,
  Washington, DC
Financial Services Roundtable, Washington, DC, statement


        CYBERSECURITY: EVALUATING THE ADMINISTRATION'S PROPOSALS

                              ----------


                         TUESDAY, JUNE 21, 2011

                                       U.S. Senate,
                       Subcommittee on Crime and Terrorism,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 2:38 p.m., in
Room SD-226, Dirksen Senate Office Building, Hon. Sheldon
Whitehouse, Chairman of the Subcommittee, presiding.
    Present: Senators Whitehouse, Leahy, Klobuchar, Coons, and
Blumenthal.

 OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR
                 FROM THE STATE OF RHODE ISLAND

    Senator Whitehouse. All right. The hearing will come to
order. I understand that Congressman Langevin is nearby, and I
have been waiting for him to be nearby. And what I think I will
do in terms of order of proceeding is to give my opening
statement, invite Senator Blumenthal to give an opening
statement, invite anybody else who joins the hearing to give an
opening statement, and then call on Congressman Langevin, who
by then should be here.
    I want to note that it has been a real pleasure to work on
this issue with the Ranking Member, Senator Jon Kyl. He cannot
be here today for the best of reasons. He is up at the White
House in the debt limit negotiations. As important as this
hearing is, I do not think it tops being at the White House and
the debt limit negotiations. He has been great to work with,
and this is an important issue to him, and we have worked on
legislation together, so I just want to make it a matter of
record that he has been a thoughtful and helpful colleague in
these discussions.
    The hearing that brings us together today returns to a
topic of vital importance: our Nation's cybersecurity. Since
the Subcommittee's hearing back in April, the news has been
full of reports of hacks and cyber intrusions. Lockheed Martin,
Sony, Epsilon, Sega, the International Monetary Fund, and the
Web sites of the CIA and the Senate, to name just a few, have
been compromised in just a two-month period. This reflects the
fact that our Nation's privacy, intellectual property, and
security are under constant and worsening cyber attack.
    The Internet age has brought with it an explosion of new
commerce, freedom of expression, and economic opportunity. We
see its benefits at home and around the world. Unfortunately,
our increased connectivity allows criminals, terrorists, and
hostile nations to exploit cyberspace, to attack America,
invade our privacy, loot our intellectual property, and expose
America's core infrastructure to cyber sabotage. Whether by
copying source code, by industrial espionage of military
product designs, by identity theft, by online piracy, or by
outright stealing from banks, cyber crime cripples American
innovation and commerce, kills jobs, and undermines our
economic and national security.
    Congress must act to provide the administration as well as
private entities the tools and authorities they need to improve
our Nation's cybersecurity. To that end, I am very glad that
the administration has weighed in with its legislative
proposals to improve our Nation's cybersecurity. The
administration proposals aim at key cybersecurity challenges,
for instance, securing our critical infrastructure, such as our
electric grid, and providing for voluntary assistance and
response to a cyber incident.
    I am glad that the Subcommittee will have the opportunity
to hear from the administration today, and I am happy to
welcome our witnesses from the Department of Justice, the
Department of Homeland Security, and the Department of
Commerce.
    I am also very glad to be welcoming Congressman Jim
Langevin of my home State--boy, his timing is good. He just
came through the door as I said that--to the Committee.
Congressman Langevin is a well-regarded leader on
cybersecurity, having served on the House Intelligence
Committee, led the Congressional Cybersecurity Caucus, and co-
chaired the Center for Strategic and International Studies
Commission on Cybersecurity for the 44th Presidency. I very
much look forward to his testimony and appreciate his
friendship.
    Our hearing today will focus on three elements of the
administration's proposals that fall within the Judiciary
Committee's jurisdiction and expertise: the data breach
section, the voluntary information-sharing proposal, and
recommendations for increased criminal penalties under the
hacking statute, 18 United States Code Section 1030.
    This Committee is well situated to consider those
questions, particularly in light of the longstanding leadership
of Chairman Leahy on these issues. I look forward to working
with the Chairman, with Senator Kyl, and other Members of this
Committee as the Senate prepares cybersecurity legislation.
    The three proposals we will focus on today are central to
any discussion of improved cybersecurity and individual
privacy. The recent data breaches at Sony, Epsilon, and Sega
reveal how determined criminals can compromise Americans'
privacy and economic security. Prompt and clear notification of
such a breach is important to enable Americans to limit the
damage caused by data breaches and resulting identity theft.
    Today a confusing patchwork of state laws provides for
different notifications to different customers across the
country, delaying and raising the cost of breach notification.
The administration would replace this patchwork of State laws
with a single federal standard: requiring notification of a
breach to the Department of Homeland Security, which would then
pass on the information to the Federal Trade Commission, the
Secret Service, and the FBI for appropriate enforcement
actions.
    Proper sharing of cybersecurity threat information also is
vital. The administration has recommended, subject to various
safeguards, enhanced sharing of cybersecurity threat
information between private industry and the government. The
administration also has recommended enhancing criminal
penalties for hackers. Our current laws have proven to lack
appropriate deterrent effect.
    This hearing will consider the need for stiffer penalties
for hackers who harm our privacy, our National security, and
our economic well-being. Stiffer penalties, I would note, are
of little use without adequate law enforcement resources to
impose them. I would note further that this is an area where
civil actions by the government to protect the public, such as
the government's recent action in the Coreflood Botnet, are
particularly important.
    I am glad that we have the opportunity to evaluate the
administration's proposals today. We have witnesses joining us
from the Department of Justice, the Department of Homeland
Security, and the Department of Commerce. I thank them for
being with us today and for their ongoing work to secure
cyberspace.
    I would also briefly note that I believe that the Senate
should consider issues beyond the current scope of the
administration's proposals, such as increasing public awareness
of cybersecurity threats, improving industry self-defense,
developing rules of the road for our information highways,
improving supply chain security, considering secure domains for
critical infrastructure like the electric grid, increasing
cyber resources within the Government, and strengthening cyber
research and development.
    I look forward to working with the administration and my
colleagues on each of these important issues as we strive to
strengthen our Nation's cybersecurity.
    Before I recognize Congressman Langevin, Senator
Blumenthal, would you like to make a statement?

 STATEMENT OF HON. RICHARD BLUMENTHAL, A U.S. SENATOR FROM THE
                      STATE OF CONNECTICUT

    Senator Blumenthal. A very brief statement. Thank you,
Senator Whitehouse, Mr. Chairman. Thank you for your work on
this issue, which has been continuing not only in hearings but
in many other arenas and forums, and thank you to the Chairman
of the Judiciary Committee, Senator Leahy, for his leadership.
And welcome, Congressman. Thank you for being here. And to the
administration, I appreciate not only your being here but the
very constructive and important proposals that you have made in
many of these areas.
    Senator Whitehouse has articulated many of my own concerns
that arise from the real and present danger that cyber attack
reflects. My own view is that America's next 9/11 may well be a
cyber attack, and I am paraphrasing when I say that the soon-
to-be-confirmed Secretary of Defense, Leon Panetta, who in the
hearing said America's next Pearl Harbor is likely to be a
cyber attack.
    For consumers, of course, the danger is very much real and
present because they entrust companies like Sony or Citigroup
with very sensitive and personal information, which could do
grave harm to them if it is hacked or improperly used or lost,
and we have seen all occur in recent months and years.
    Let me just say that I appreciate the administration's
proposal that notification occur in the case of breaches that
carry, and I am quoting, ``a significant risk of harm.'' I
believe the notification has to be broader, and I believe that
there are principles that have to be included: notification as
soon as possible by mail, phone, or email, or all of them; a
second notification that clearly indicates whether the breach
compromised any consumer information; third, notification that
is provided without unreasonable delay so long as law
enforcement authorities do not require that notification--and I
mean explicitly require that notification--be delayed for
investigative purposes. And I will be interested to know
whether the witnesses agree with those principles.
    I also believe, as Senator Whitehouse articulated very
well, both of being former law enforcement officials, that
indeed law enforcement is critical here and that the government
cannot be expected or relied upon to do it all. I happen to
believe that there ought to be a private right of action, and I
will be interested to know whether the witnesses agree that
citizens who are potentially harmed, who can show damages,
should be able themselves to go to court and seek remedies.
    And, finally, I believe that remedies should be greatly
enhanced. There is a very real need for stronger, more
effective remedies to help mitigate any ongoing damage as well
as provide relief for people who are actually harmed.
    So thank you, Senator Whitehouse, for giving me this
opportunity to begin.
    Senator Whitehouse. Thank you, Senator Blumenthal.
    It is now my great pleasure and privilege to recognize my
friend and colleague, Congressman Langevin, who has represented
the Second Congressional District of my home State of Rhode
Island since 2000. During that time, he has emerged as a well-
regarded leader on cybersecurity. He serves on the House
Intelligence Committee. He led the Congressional Cybersecurity
Caucus. He co-chaired the Center for Strategic and
International Studies Commission on Cybersecurity for the 44th
Presidency. He has introduced important cybersecurity
legislation in the House, and he has convened an important
meeting at our university at home, the University of Rhode
Island, at which General Alexander, the commander both of NSA
and Cyber Command, attended and spoke. It is not often we get
four-star generals in Rhode Island, so that was a memorable day
organized by Congressman Langevin.
    Before being elected to the House, Congressman Langevin was
the secretary of state for Rhode Island and a member of the
Rhode Island House of Representatives. He is a graduate of
Rhode Island College and earned a master's degree in public
administration from the Kennedy School of Government at Harvard
University.
    We are delighted to have you here, Congressman Langevin.
Please proceed.

 STATEMENT OF HON. JIM LANGEVIN, A REPRESENTATIVE IN CONGRESS
                 FROM THE STATE OF RHODE ISLAND

    Representative Langevin. Chairman Whitehouse, thank you
very much for the introduction, the welcome, and the
opportunity to speak today. Before I begin my prepared remarks,
let me just thank you for your leadership on this very
important issue of cybersecurity. Your partnership and
leadership on this issue have been invaluable to me, deeply
appreciated both in the work we have done on this issue back in
Rhode Island, but nationally here in the Congress, and
particularly your experience as a former Attorney General and
U.S. Attorney have been very insightful and, again, invaluable,
and especially your work when you were on the Senate
Intelligence Committee. So, again, I could not have done a lot
of the work I have done without your leadership and support,
and I am very grateful for your work.
    I would like to thank you, Chairman Whitehouse and Ranking
Member Kyl and Senator Blumenthal, for inviting me to testify
today on one of the most critical national security challenges
facing our contractor today. Cyber incidents have grabbed
headlines in recent months, with our top companies seeing
intrusions and loss of data and our constituents are beginning
to realize that the Internet is a highly contested space where
personal information is never truly secure.
    The common thread is that these threats all take advantage
of our strong reliance on the Internet for social
communications, business, and national defense, and the damage
will only increase as that reliance grows.
    The first crisis that we are facing, of course, is highly
skilled cybersecurity professionals. Our Nation is a leader in
Internet security technology, but we do not have enough highly
trained individuals to match our growing needs. In Rhode
Island, we are working to educate our future workforce for the
21st century cybersecurity jobs through programs like
developing a statewide Cyber Center of Excellence that will
cultivate cyber talent in our State while meeting the
increasing need for a strong public-private relationship in
cyberspace.
    We must also align our laws and policies with the realities
of today's Internet, and I appreciate the administration's
proposal to move in this direction. The foundations of trust
and known identity upon which the Internet was built have
enabled criminals to take advantage of those using the Internet
for legitimate commerce. Organized crime, of course, is fully
operational online, stealing billions of dollars every year to
support worldwide networks of crime, yet RICO laws do not apply
in cyberspace. The administration has proposed allowing RICO to
cover crimes committed in cyberspace as well as setting
mandatory minimum sentences for intrusions into critical
infrastructure.
    Similarly, recent incidents, such as the Sony and Citibank
intrusions, have highlighted large discrepancies in our data
breach laws. Currently each State regulates when and how a
company should disclose a breach of customer data and those
affected. This regime makes little sense in cyberspace where
crimes and transactions take place at a national or
international level. The administration's proposals, as well as
those introduced in the House and Senate, seek to set a federal
standard. As we move to this model, however, we must also take
care to implement the most effective, not the lowest, standard
for reporting.
    Finally, we must reexamine new opportunities for voluntary
information sharing to ensure that we stop new threats before
they reach their target. Today government, businesses, and
citizens all build their own digital fortifications and hope
they are positioned to stop the right threat.
    Now, while the problem of attribution in cyberspace is
always an issue, the government has a sophisticated
understanding of what the various threats look like. It also
currently lacks the visibility of the private sector,
telecommunications in particular, which can better pinpoint the
source of the threat or even stop it before it reaches our
digital doorstep. Rather than protecting our citizens, we are
actually losing the ability to stop attacks before they take
place and provide better data security for everyone.
    To address this issue without compromising individual
privacy, the administration proposes allowing cyber threat
information to be shared voluntarily with the Department of
Homeland Security so that businesses, private citizens, and the
Government can all benefit from and be better protected by the
increased capabilities and insight of an enhanced public-
private partnership.
    For this arrangement to work, of course, we must institute
strict oversight to ensure that no personal communications or
sensitive data are inappropriately shared with the government
by businesses. If done correctly, this could greatly enhance
privacy by stopping malicious intrusions or large data theft
efforts and would provide a clearer picture of the health and
the security of the Internet.
    Mr. Chairman, I will stop there but, of course, invite you
to consider the longer statement that I am submitting for the
record. We must implement sensible policies that enhance our
security and our privacy before a serious cyber incident leads
to decisions that could fundamentally alter one of the most
incredible tools of our time.
    I want to just conclude by, again, commending you, Senator
Whitehouse, for being a true leader on this issue. Again, as a
former Member of the Senate Intelligence Community and Chairman
of this Subcommittee, I appreciate the great work that you are
doing. Thank you, Mr. Chairman, Ranking Member Kyl, and Senator
Blumenthal, for this opportunity, and I certainly look forward
to working with you to make the Internet a stronger, more
secure domain for all.
    [The prepared statement of Representative Langevin appears
as a submission for the record.]
    Senator Whitehouse. Well, thank you, Congressman Langevin.
    First, your longer statement will, without objection, be
part of the record of this hearing, and I appreciate the
thought and care that you put into it. And I look forward to
continuing to work with you as this goes forward. Your interest
and expertise in this issue, your leadership on this issue, are
recognized on this side of the Capitol, and clearly you have
taken considerable trouble to come over here and join us on the
Senate side today. So we appreciate it very much. I know that
important business calls you back to the House, so we will
excuse you at this time with much appreciation for your trouble
today and for the content of your testimony.
    Representative Langevin. Thank you, Mr. Chairman.
    Senator Whitehouse. All right. We will now call up the
administration witnesses.
    There is a statement that we have that is, I gather, a
joint statement. Do the three of you adopt it as your testimony
to this Committee?
    Mr. Baker. That is correct, Senator, yes. We ask that it be
made part of the record.
    Senator Whitehouse. Okay, so that is yes, yes, and yes for
the three witnesses, may the record reflect. And I understand
that each of you would like to make a separate oral statement
before we get into questions and answers. Is that correct? All
right. Well, why don't we proceed across the line. It turns out
to be alphabetical order as well, but we will start with Jim
Baker.
    Jim Baker currently serves as an Associate Deputy Attorney
General at the U.S. Department of Justice where he is
responsible for a wide range of national security,
cybersecurity, and other matters. Mr. Baker previously served
as Counsel for Intelligence Policy at the Department from 2001
to 2007 where, among other things, he was in charge of
representing the United States before the Foreign Intelligence
Surveillance Court. From 2008 to 2009, Mr. Baker was assistant
general counsel for National Security at Verizon Business. He
has also taught national security law at Harvard Law School and
been a fellow at the Institute of Politics at Harvard's Kennedy
School of Government.
    Mr. Baker, please proceed.

STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL,
           U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Baker. Thank you, Mr. Chairman, Members of the
Committee. Thank you for the opportunity to testify today
before you today on the administration's cyber legislative
proposal.
    Mr. Chairman, as you have noted and as everyone else has
noted so far today, the Nation faces a dangerous and persistent
cyber threat. As we all know, we rely heavily on the Internet
to conduct our most important activities. Information
technology has become the nervous system of the country, and
today that system is highly vulnerable to exploitation and
attack.
    More importantly, malicious actors know this. Recent
publicly disclosed cyber intrusions reflect the breadth and
intensity of the efforts by malicious actors to exploit
existing vulnerabilities and infiltrate and compromise our
networks. Such actions threaten those networks, the data they
contain, and the critical infrastructure systems that rely upon
them. Every day information systems in the United States are
compromised, and criminals and other malicious actors steal
significant quantities of intellectual property and money.
    Over the past several years, the Federal Government has
worked to improve the security of its own networks by, for
example, reducing the number of Internet connections that the
departments and agencies use, implementing the EINSTEIN
program, and enhancing information sharing and coordination
with our international partners.
    In addition, we recently launched a pilot program to
improve the security of key defense industrial base companies.
We have also urged private citizens to improve the security of
their own computers by installing software updates promptly and
using updated anti-virus programs.
    As we go forward, it is critical that the American people
understand that when our cyber defenses are not successful at
preventing an intrusion, many of the mechanisms that malicious
actors use to steal from us could allow them to disrupt or
damage our data and our infrastructure. Malicious actors could,
for example, interfere with our ability to communicate
effectively by misrouting emails; they could also divert
aircraft containing passengers and military equipment; they
could delete medical information on hospital computers; and
they could shut down transportation systems and the electric
grid.
    Malicious actors attempt to exploit the vulnerabilities of
our information systems to compromise them at the hardware,
software, and firmware levels. They try to establish a
persistent presence in our networks, using system
administrators' authorities that they have purloined, in a
manner that makes them difficult to detect and virtually
impossible to eradicate. Even if we build firewalls and have
air gaps around networks to protect those systems from known
malware, there are still ways to get in.
    Anti-virus and other perimeter-based malware detection and
prevention systems cannot detect and stop malware that no one
has seen before, and malicious actors develop new malware
continually. This is known as the Zero Day threat.
    Moreover, firewalls and air gaps do not protect against the
insider threat. Employees or other insiders could,
intentionally or inadvertently, introduce malware into our
networks using a compromised thumb drive, for example, on a
protected network or connecting a computer from a protected
network to the Internet. In addition, our adversaries
compromise our information by installing software, hardware,
and firmware already containing vulnerabilities in the products
that we use while those products are being manufactured. This
is the supply chain threat.
    All of this emphasizes the need for us to develop effective
cybersecurity solutions that account for the fact that
frequently we will have to use networks that may be
compromised. We will have to learn how to operate successfully
in a degraded cybersecurity environment.
    Mr. Chairman, we must be candid about these risks. For
example, private entities must do a better job of informing
their customers and their shareholders about the losses they
suffer and the vulnerabilities that they face, including the
problems that exist with the products that they bring to
market. Government must, for example, act purposefully and with
dispatch to improve the security of its own networks.
    Several of the administration's legislative proposals are
intended to enhance our ability to protect the American people.
Our data breach proposal, for example, as several have noted,
would establish a uniform national standard for certain
entities that suffer a data breach to require them to timely
report such breaches to the customers and to law enforcement.
Other proposals would enhance and harmonize penalties for cyber
offenses such as causing damage to critical infrastructure
computers. The administration's proposal is a first step in
addressing these challenges. We look forward to working with
Congress on a bipartisan basis to improve and amplify this
proposal.
    As we move forward, whatever we do to enhance security, we
must ensure that we establish adequate oversight mechanisms and
appropriate privacy protections to safeguard the civil
liberties of all Americans. We must also ensure that we foster
innovation in this vibrant sector of our economy.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you, Associate Deputy Attorney
General Baker. We, too, look forward to working with the
Department of Justice, to use your words, to improve and
amplify the administration's proposals. You have always been
wonderful to work with, and we have great pride in the public
service that you have given to this country over many years. It
is not an easy thing. You have had many late and difficult
nights and a lot of worries. I know a little something about
those FISA Court proceedings, so I know how burdensome that has
been, and I know you are joined by your son and your daughter
today, and in front of Julian and Hadley, I just wanted to say
those words about you because I am sure that there were times
with them that you missed because of the press of your
responsibilities, and I am happy to take this occasion to let
them know how important what you do for your country is.
    And now I would like to turn to the Chairman of the
Judiciary Committee, the distinguished Senator Pat Leahy. I
will offer him a chance to give opening remarks.

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE
                        STATE OF VERMONT

    Chairman Leahy. Well, thank you very much. Incidentally, I
concur with what you just said about Mr. Baker, and I wanted
his family to hear that, too. You know from your own work on
the Intelligence Committee and I from this Committee, how much
work can go into some of those things. Some of the times you
are going to be working, you come home and the family says,
``What were you doing?'' you say, ``Cannot tell you.'' So I
commend you for that.
    Chairman Whitehouse, I commend you for your work on the
Subcommittee on Crime and Terrorism. This whole idea of
developing a comprehensive strategy for cybersecurity--we will
talk about nuclear weapons, we will talk about this, that, and
the other thing--but I think this is probably one of the
greatest challenges facing our country today.
    Look at some of the major data breaches: Sony, Epsilon,
RSA, the International Monetary Fund, and Lockheed Martin. That
is just naming a few. I have often talked about what happens in
a part of the world like where I come from, in the Northeast,
when it is the middle of January and it is 10 or 15 degrees
below zero, and a cyber terrorist closes down all our power
grids. I mean, these are major concerns.
    Our government computer networks have not been spared. We
see it at the CIA. We saw it here in the Senate. The Department
of Defense tells us they have attacks on them all the time. So
I think protecting America's privacy but also our security and
cyberspace is a top priority for this Committee.
    We are working with the Obama administration and others in
Congress to develop a comprehensive national strategy for
cybersecurity. I reintroduced my Personal Data Privacy and
Security Act to establish a national standard for data breach
notification and to require that companies protect our
sensitive personal information. If somebody broke into your
house and stole all your papers, you would want to know about
it. Well, if they break into a company that holds all your
medical records, your tax records, and everything else, you
ought to know about it.
    In a few weeks, I will include this bill in the Committee's
business agenda so we can report the legislation again. It has
had strong bipartisan support before. I hope that it will
again.
    Today, having the Departments of Justice, Commerce, and
Homeland Security here, it is important that we hear from you.
This is not a Democratic or Republican issue. It is one where
we want to protect our own personal privacy and liberties, but
we also want to protect the country. And I think it can be
done, but it is going to need a lot of expertise and work.
    Senator Whitehouse, I commend you for holding the hearing,
and I am glad we are doing this.
    [The prepared statement of Senator Patrick Leahy appears as
a submission for the record.]
    Senator Whitehouse. Well, thank you, Chairman. I appreciate
your leadership in this and so many other issues.
    We will now go on to our next witness, from the Department
of Homeland Security, Greg Schaffer. He is the Acting Deputy
Under Secretary for the National Protection and Programs
Directorate at the Department of Homeland Security. Mr.
Schaffer previously served as Assistant Secretary for
Cybersecurity and Communications where he led the coordinated
efforts of CS&C and its components, including the National
Cybersecurity Division, the Office of Emergency Communications,
and the National Communications System. Mr. 
Schaffer previously \nheld positions at Alltel Communication, LLC, and \nPricewaterhouseCoopers as well as in the Computer Crime and \nIntellectual Property Section at the U.S. Department of \nJustice.\n    We are glad to have you with us, Mr. Schaffer. Please \nproceed.\n\n  STATEMENT OF GREG SCHAFFER, ACTING DEPUTY UNDER SECRETARY, \n NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT \n              OF HOMELAND SECURITY, WASHINGTON, DC\n\n    Mr. Schaffer. Thank you, Chairman Whitehouse, Chairman \nLeahy, and distinguished Members of the Subcommittee. I \nappreciate the opportunity to speak to you today about what we \nall seem to believe is a critically important security issue \nfor our country.\n    I will not reiterate the threat situation that has been \nclearly stated by Mr. Baker and the Members of the Committee, \nbut I will say that the theft of intellectual property both \nfrom the government and from private sector entities does pose \na serious risk to our country's economic viability and our \nsecurity. What is worse is that the connectivity of industrial \ncontrols creates a situation where there is an ability to take \nthings even farther. To disrupt the delivery of power, the \ndelivery of transportation services, our financial services \nsector, all can be interrupted by hackers who can reach us from \nanywhere on the globe. These are national security, homeland \nsecurity, and economic security issues that really can only be \naddressed through the efforts of our entire society. Both \ngovernment, industry, and even individual citizens will have to \nplay a role in solving these problems.\n    The legislative proposal that the administration has put \nforward clarifies the authorities of various departments in a \nvariety of ways. It moves to enhance the collaboration with \nindustry, and it drives for outcomes and progress in reducing \nrisk in a variety of ways. 
The proposal clarifies that the \nDepartment of Homeland Security leads the protection of federal \ncivilian networks, and it clarifies our authority to do so with \nthe private sector by providing a variety of voluntary services \nas well as capabilities that the private sector needs from \ngovernment.\n    It also presents an opportunity to modernize the Federal \nInformation Security Management Act, as many bills that have \nbeen presented over the last several years have tried to do, to \nmove away from a paper compliance exercise and in the direction \nof continuous monitoring and operational improvement and \nreduction of risk for federal departments and agencies.\n    In the area of personnel authorities, the proposal is \ndesigned to give DHS the kind of flexibility that the \nDepartment of Defense already has in order to compete in a \nmarket that is highly competitive for a very small number of \nhighly skilled individuals. While we will never in government \npay the same as some of our competitors for staff in the \nprivate sector, we do need the ability to rise to the level of \nothers in the Federal Government.\n    With respect to protecting critical infrastructure, the \nbill has both voluntary and mandatory provisions. The \nadministration's proposal clarifies the authority to provide \nassistance on request to private sector entities, including \nalerts and warnings, risk assessments, onsite technical \nsupport, and incident response. Our ability to provide those \nservices is clarified so that we do not have any confusion by \nthe private sector in terms of what we can do for them in a \ndifficult moment.\n    From an information-sharing perspective, the proposal \nremoves many of the barriers between government and industry. \nIn particular, uncertainty slows us down. 
When industry is \nunclear about whether or not they can share information, \nseveral days of working with lawyers for clarity can delay the \nability to deliver capability and defensive measures. This \nwould provide immunity when industry is sharing with government \nin order to allow that to happen much more quickly and allow us \nto do this in a way that is, nonetheless, consistent with \nrobust oversight for privacy, civil liberties, and indeed \ncriminal penalties in the event of a violation of procedures \nthat would be established to control how that information would \nbe taken in.\n    Under mandatory provisions, the proposal allows through a \nrulemaking process for Government to work with industry to \nestablish who is in the most critical of critical \ninfrastructure and for those entities to work with us to \nestablish risks that need to be mitigated and then frameworks \nthat can be used to mitigate those risks.\n    Through that process and the development of plans by \nindustry under those frameworks, we believe using transparency \nwe can significantly reduce the amount of risk within the \nprivate sector.\n    The proposal really builds on many proposals that have \nappeared in bills that the Congress has put forward. It builds \non those proposals over the last several years, and we are \nanxious to work with you. It is the beginning of a process in \nthe discussion of these proposals and others that have been \nsuggested, and the administration is very anxious to work with \nyou as this moves through the Congress.\n    Thank you.\n    Senator Whitehouse. Thank you very much, Mr. Schaffer.\n    Our final witness is Ari Schwartz. He serves as the Senior \nInternet Policy Advisor for the Information Technology \nLaboratory at the National Institute of Standards and \nTechnology, which is within the Department of Commerce. 
He \nrepresents NIST on the Department of Commerce Internet Policy \nTask Force, providing input on areas such as cybersecurity, \nprivacy, and identity management. Mr. Schwartz came to NIST in \n2010 after serving almost 13 years as vice president and chief \noperating officer of the Center for Democracy and Technology, \nwhere he focused on increasing individual control over personal \nand public information.\n    Good to have you with us, Mr. Schwartz. Please proceed.\n\n  STATEMENT OF ARI SCHWARTZ, SENIOR INTERNET POLICY ADVISOR, \n  NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), U.S. \n             DEPARTMENT OF COMMERCE, WASHINGTON, DC\n\n    Mr. Schwartz. Thank you, Mr. Chairman.\n    Chairman Whitehouse, Chairman Leahy, Members of the \nCommittee, thank you for inviting me to testify today on behalf \nof the Department of Commerce on the administration's \ncybersecurity legislative proposal.\n    The main goal of this proposal is to maximize the country's \neffectiveness in protecting the security of key critical \ninfrastructure networks and systems that rely on the Internet \nwhile also minimizing regulatory burden on the entities that it \ncovers and protecting the privacy and civil liberties of the \npublic.\n    I will address three relevant parts of the proposal: first, \ncreating security plans for covered critical infrastructure; \nsecond, data breach reporting; and, finally, privacy \nprotections.\n    First, on security plans, one important theme of the \nproposal is accountability through disclosure. In requiring \ncreation of security plans, the administration is promoting use \nof private sector expertise and innovation over top-down \ngovernment regulation. Importantly, the proposal only covers \nthe core critical infrastructure as it relates to \ncybersecurity. 
DHS would define these sectors through an open \npublic rulemaking process.\n    The covered critical infrastructure entities will then take \nthe lead in developing frameworks of performance standards for \nmitigating identified cybersecurity risks and could ask NIST to \nwork with them to help create security frameworks. There will \nbe strong incentive for both industry to build effective \nframeworks and for DHS to approve those created by industry. \nThe entities involved will want the certainty of knowing that \ntheir approach has been approved, and DHS will benefit from \nknowing that it will not need to invest in the resource-\nintensive approach of developing a government-mandated \nframework unless industry really fails to act.\n    Covered critical infrastructure firms and their executives \nwill then have to sign off on their cybersecurity plans, \nsubject them to performance evaluation, and disclose them in \nannual reports. Rather than substituting the government's \njudgments for private firms', the plan holds the covered \nentities accountable to consumers and the market. This \nencourages innovation and mitigation strategies as well as \nimproving adherence to best practices by facilitating greater \ntransparency, understanding, and collaboration. The main goal \nis to create an institutional culture in which cybersecurity is \npart of the everyday practice without creating a slow-moving \nregulatory structure.\n    In our recently released green paper, the Department of \nCommerce has begun to further clarify major functions and \nservices that would not be considered covered critical \ninfrastructure under the administration proposal. We believe \nthat the non-covered entities should develop the voluntary \nequivalent of the frameworks that are in the administration \nproposal that could begin to serve as the rules of the road for \nthese companies that rely on the Internet similar to those that \nthe Chairman suggested in his opening remarks. 
We are receiving \ncomments on that paper until August 1st.\n    On data breach reporting, the administration has learned a \ngood deal from the States, selecting and augmenting those \nstrategies and practices that we felt most effective to protect \nsecurity and privacy. The legislation will help build certainty \nand trust in the marketplace by making it easier for consumers \nto understand the data breach notices they receive and why they \nare receiving them, and as a result will better be able to take \nappropriate action.\n    As Secretary Locke and others at the Commerce Department \nhave heard from many of the companies in different industries, \nincluding in response to our notice of inquiry last year, a \nnationwide standard for data breach notification will make \ncompliance much easier for the wide range of businesses that \ntoday must follow 47 different legal standards.\n    Finally, I would like to point out that many of the new and \naugmented authorities in this package are governed by a new \nprivacy framework for government that we believe would enhance \nprivacy protections for information collected and shared with \nthe government for cybersecurity purposes. This framework would \nbe created by DHS in consultation with privacy and civil \nliberties experts and the Attorney General, subject to regular \nreports by the DOJ Privacy Office, and overseen by the \nindependent Privacy and Civil Liberties Oversight Board. \nGovernment violations of this framework would be subject to \nboth criminal and financial penalties.\n    Thank you again for holding this important hearing. I look \nforward to your questions.\n    [The prepared statement of Messrs. Baker, Schaffer, and \nSchwartz appears as a submission for the record.]\n    Senator Whitehouse. Thank you.\n    Before I get into questions, let me just make one general \npoint, because we are going to spend a lot of time working \nthrough this together in the coming months. 
I am worried about \nthe extent of the threat that we are facing right now and the \ntime that it will take to work through some of the \nadministrative procedures that are built into the \nadministration's proposal. It seems to me that, to the extent \nthat we can reach agreement and try to draw some of those \nbright lines forward and into legislation so that people can \nbegin to rely on them and gain their protections more rapidly, \nthat would be to our advantage.\n    I spent three years, if I recall correctly, just trying to \nget the Drug Enforcement Administration to knock off its ban on \nprescribed pharmaceuticals being prescribed electronically, and \nI had the support of the Department of Health and Human \nServices through all of that, and ultimately of the Attorney \nGeneral. So when that is the pace of something that the \ngovernment agrees with, it makes me concerned about the \nprospect of delay. So that is just an overall point about the \nreliance of the proposal on the administrative process. I think \nwhere we find agreement we should move things up.\n    In terms of defining these things, let me ask right off the \nbat: Are independent service providers on the Internet covered \nentities? And is the Internet itself and the provision of \nservice across the Internet critical infrastructure within the \ndefinition as contemplated by the administration?\n    Mr. Baker. Thank you, Senator, and I understand completely \nyour first point about trying to move expeditiously through \nthese things. I have been through a number of different efforts \nto write policies and procedures, and I agree, wherever \npossible, if we move them into statute, that would be fine, as \nlong as we maintain the flexibility that we need to deal with \nthe evolving threat.\n    But with respect to critical infrastructure, I will defer \nto my colleagues here, but I think there are different \ndefinitions of critical infrastructure as you move through the \nproposals. 
And just to highlight for folks, the different \nproposals are focused on achieving different things, and in \nparticular, the proposal to modify the Computer Fraud and Abuse \nAct and add a prohibition on damaging or attempting to damage \ncritical infrastructure. That has got a very----\n    Senator Whitehouse. I am referring to the part that Mr. \nSchwartz was discussing in which the industries defined, I \nthink in the language, as covered entities that are deemed to \nhave critical infrastructure have to come in, generate their \nown plans, seek their approval, and if they are adequate, then \nthey go forward. And that is the process by which we protect \nour so-called critical infrastructure. Are the ISPs critical \ninfrastructure within that definition?\n    Mr. Schaffer. Senator, thank you for the question. I think \nthat the proposal lays out some criteria and contemplates a \nrulemaking. But at the end of the day, I do think that the \nISPs, being critical to connectivity for a wide range of \nentities and, therefore, likely to cause cascading effects if \nthere is an outage within their infrastructure, would likely \nfall within critical. But, again, there would be a process in \norder to get to that under the current proposal.\n    Senator Whitehouse. Well, that goes back to my opening \nproblem, that we do not get around to even defining who the \nparticipants are in the protection of our critical \ninfrastructure for some considerable period of time and some \nconsiderable effort in administrative rulemaking. But you all \nagree that in terms of going forward we in Congress should \npresume that the administration intends the ISPs to be in that \nprocess, and we can more or less deem them to be critical \ninfrastructure in terms of working with them to beef up the \nsecurity of the Internet.\n    Mr. Schwartz. 
I would just have a little bit further of a \ndiscussion and discuss how we can start moving some of this \nfurther a little bit more quickly.\n    In terms of who is covered and how they are covered, one \nthing that we focus on in our green paper is the coverage of \nfunctions and services. So there are some things that ISPs do, \nand certainly large ISPs, that we may all consider covered. But \nthere might be other functions and services that we do not \nconsider covered. Maybe they do not meet the PATRIOT Act \ndefinition of what critical infrastructure is, perhaps even----\n    Senator Whitehouse. Let us talk for a minute about--I think \nit was your testimony--actually, I take it back. It was Mr. \nBaker's--about needing to encourage consumers to be more aware \nand to take basic steps to protect their own computers and to \nprotect the computers of those they link with from having \nmalware that they host propagated into other people's \ncomputers. That is a pretty important thing to do. We have \nheard testimony that, you know, 80 to 90 percent of the threat \nout there can be blocked with commercial off-the-shelf \ntechnology if it were only used by people.\n    Mr. Schwartz. Correct.\n    Senator Whitehouse. So the ISPs are in a unique position \nbecause they are aware of the traffic coming through, know that \nyour computer--in a way that you would never have a reason to \nknow as an ordinary consumer--is infected with malware or is \nslaved to a botnet, and the terms on which the ISPs would deal \nwith the consumer, where the consumer has been determined to be \nan unwitting sponsor, if you will, of a cyber threat. Where \ndoes that relationship between the ISP and the consumer with \nrespect to the consumer's unwitting and unwilling role as a \nvector for a cyber threat get addressed in this legislation? Is \nthat part of the cyber infrastructure?\n    Mr. Schwartz. 
I will leave it to DHS to discuss what is \ncovered and what is not covered in that way, but I will say, \njust to follow up on where I was going when I was raising what \nwe cover in the green paper, that there are things that we know \ntoday, as you said, there are strong best practices, evolving \nstandards that are out there today that we know will solve, as \nyou said and as many experts that we have spoken to throughout \nour processes have said, 80 percent of the problem that is out \nthere today. Existing threats, we know what they are. We can \nsolve them with existing standards and best practices. How do \nwe get people to implement them? And the key to that is \nincentives. So some of that--and it is hard to break down \nwhether--what is on the covered line and what is not on the \ncovered line through the legislation process. But in some ways, \nwe need to move forward today trying to get those standards \nimplemented. Whether they are done by covered entities or not \nby covered entities, the key is coming up with the right \nincentives to get people to do that.\n    Through the Commerce green paper proposal that we are \npromoting out there, we are trying to emphasize ways that \npeople can do some of these things voluntarily today before the \nlegislation gets enacted and before we would go through this \nrulemaking process. So we have tried to come up with a number \nof steps in order to do that, but I do not want to take away \nfrom what could be mandated in law.\n    Senator Whitehouse. My time has expired on this round, \nanyway, so let me yield to Senator Blumenthal and then to \nSenator Coons, and we can follow up. We will do a second round. \nThis is a matter of, I think, a lot of interest, and I have a \nlot of questions remaining.\n    Senator Blumenthal.\n    Senator Blumenthal. Thank you, Mr. 
Chairman.\n    You know, in my opening I made reference to the potential \nthreat to our National security from a cyber attack without in \nany way meaning to predict or even to compare what a cyber \nattack may mean to the people of the country in making \nreference to 9/11 or Pearl Harbor, as the soon-to-be Secretary \nof Defense Leon Panetta did. But it seems to me the American \npeople may have insufficient awareness of the potential for \nthis threat, and I wonder if all three of you, especially Mr. \nBaker and Mr. Schaffer, because you are in government now, \nmight discuss ways that we can raise that awareness and whether \nyou see there being a threat to the national security from a \npotential cyber attack.\n    Mr. Schaffer. Thank you, Senator. There is no question that \nawareness is a critical piece of the puzzle, not just for \neveryday citizens but for all of the data owners and others who \nparticipate in the process. The bill--or the proposal, I \napologize, really does have some provisions to enhance a \nnational awareness campaign. We are, of course, already at the \nDepartment of Homeland Security working a national campaign to \nraise that awareness at the consumer level with Stop, Think, \nand Act in attempts to get consumers to really focus on what \nthey are doing when they are online and whether or not they \nreally ought to be doing that while encouraging them to take \nadvantage of the capabilities that have been brought to all of \nus in a variety of realms.\n    If we cannot get consumers to focus and industry to focus \nand academia to focus, it is much harder to be successful in \nthis realm, and it has to be a shared responsibility across a \nwide range of actors that we tackle in a variety of different \nways, including Cybersecurity Awareness Month and the campaigns \nthat we have ongoing, but we would see that being enhanced \nthrough the proposal. 
I think it is 243(c)(7) where you can \nfind material with respect to the awareness campaign.\n    Mr. Baker. Senator, if I could just respond briefly, \nabsolutely yes, this is a threat to the national security. \nAbsolutely without a doubt in my mind. As I mentioned in my \nopening statement, there are many ways for malicious actors to \nget into our systems. I articulated three of them: the Zero Day \nthreat, the insider threat, and the supply chain threat--all \nvery big threats, all very difficult to deal with. So that is \nthere.\n    The important thing for people to understand, I think, is \nthat when a malicious actor gets into a network system, they \ntry to establish frequently a persistent presence in the \nnetwork. In other words, they want to stay there. Even if we \nfind them in some way and we eradicate them on some system or \nsome subset of systems, they still want to stay there. Once \nthey are in, they want to stay in. And so that is the difficult \nthing that I think we have to deal with. We have to deal with \nan environment where it is going to be a degraded cybersecurity \nenvironment where we are not going to be 100 percent sure all \nthe time whether the adversary is still there or not.\n    This is the reality I think we need to face, and I agree \nthat, you know, having hearings such as this, I mean, this is \nhow we educate the American people: statements, you know, the \nwork that this Committee has been doing, that you all do \nindividually. I think that is what we need to--we just need to \nkeep at it to make sure that people have an adequate \nunderstanding of the threat.\n    Mr. Schwartz. Senator, at the Department of Commerce, at \nNIST, we are helping to run the National Initiative on Cyber \nEducation, or NICE, which is the administration's initiative to \ncoordinate activity across different agencies, including DHS, \nOPM, DOD, and other major agencies. 
Each have educational \nprograms, make sure that they are coordinated and work \ntogether. That is in the President's budget for 2012, and we \nhope that it will move forward.\n    Senator Blumenthal. What about a private right of action \nthat I mentioned earlier. I wonder if each of you could \ncomment.\n    Mr. Baker. Well, as you noted, that is not part of the \ncurrent proposal, and as I said, we are not supposing that this \nproposal has the answers for everything for all time. And we \nare happy to work with the Committee and work with you to try \nto make it better.\n    There are some things we want to think about, I think, with \nrespect to creating a private cause of action, and I think just \ngenerally with respect to the data breach provision--and there \nhave been a number of different suggestions--the one thing to \nremember is that the companies that have suffered the data \nbreaches are victims of crime. And so we need to acknowledge \nthat and not turn them somehow into criminals through a very \nheavily regulated type of regime. That is why what we are \ntrying to do is simplify it and make it easier to have a \nnational standard. But the consumers are the ones whose data is \nnow at risk, and we need to make sure that companies that \nsuffer a breach act promptly and act adequately, and we look \nforward to working with you on what is the right incentive to \ncreate to make sure that happens.\n    Mr. Schaffer. 
Senator, having been a witness to these \nquestions for 15 years from the time that I was with the \nJustice Department in the Computer Crime and Intellectual \nProperty Section up to today and a practicing lawyer in this \nspace, I think one of the challenges in cyber has always been \nthat there is no real established standard of care and that \nthere is so much variability in the way the networks are put \ntogether and in the way that the systems are protected that it \nbecomes very hard to say whether or not someone has lived up to \nwhat they should be doing.\n    One of the things that this proposal does do is it allows \nindustry to participate in developing frameworks and then \ncommit to those frameworks and develop plans to meet those \nframeworks in a way that will make it much easier to say, Well, \nyou said you needed to do this in order to secure that network, \ndid you do that? So with a standard of care, I do think it \nbecomes easier, and that is one of the things that you will get \nthrough this process.\n    Mr. Schwartz. One of the things that you heard us all \nemphasize in the administration's proposal is the role of \ntransparency and the role of disclosure in the proposal on \nseveral different aspects. We think that this helps to provide \na series of incentives. One of them is the public effects of \nthe disclosure on cybersecurity performance; two, related \nreputation risk; third is access to government procurement and \nthe related issues to that; and fourth is the perceived \nlitigation risk that comes from knowing how companies are \nperforming, knowing what consumers' information has been taken, \net cetera. So that is something that we see as tied into a lot \nof the transparency pieces in this proposal. 
We think we can \nhelp to build greater incentives around that in the future, \nincluding perhaps, as these frameworks build and as this \nmarketplace builds and transparency builds, an insurance market \nthat can help address some of those issues.\n    Senator Blumenthal. And I understand all of your points and \nsome of your reservations about the private right of action and \nthe need, for example, to define better the standard of care. \nBut I am struck that some of the practices that have led to the \nbreaches most recently are the equivalent of a bank leaving the \nvault open without any guards at the door: failure to encrypt, \nfailure to take basic safeguards. A bank may be a victim of a \nbank robbery and claim to be a victim, but if it does not take \ncertain basic steps to safeguard its depositors' money, \npresumably it should be held accountable. And right now perhaps \nit can be so by the government, but if you are not going to \nimpose some basic standard and make it enforceable by citizens, \nI think you are forgoing a basic means of holding these \ninstitutions accountable.\n    My time has expired. You have been very generous, Mr. \nChairman. Thank you.\n    Senator Whitehouse. The Chair recognizes Senator Coons.\n    Senator Coons. Thank you, Mr. Chairman.\n    Senator Blumenthal raises some good points I would like to \nfollow up on, another avenue of concern that arises from the \nsame sort of core sets of interest.\n    The administration's proposal would also provide some \ncriminal and civil immunity protection for entities that share \ninformation about cyber threats and assist DHS or other federal \nentities. And I would just be interested in whether similar \nprotections are currently given to entities that share \ninformation with the existing information-sharing and analysis \ncenters. 
And if not, does the lack of such an immunity or \nprotection deter entities today from reporting relevant \ninformation to the authorities that they should? And then I \nwould be interested in your response if there is legitimacy to \na concern about good-faith reliance on this immunity and how \nthat good-faith determination would be made. Who would be \nresponsible for making it? Some have raised concerns that this \nimmunity might lead to some recklessness or irresponsibility. \nAnd I have a follow-up question on a different subject.\n    Mr. Schaffer. Thank you for the question, Senator. I am \ngoing to let Mr. Baker take the good-faith reliance issue, but \nI will start with what is the problem we are trying to solve \nhere. On any given day, we have entities that are under attack \nand concerned or they have found something in their own \ninfrastructure that they think is important for the government \nto know and for a larger community to be able to defend \nagainst. That often results in a week-long or days-long process \nof working with counsel in order to determine and to give \ncomfort to a general counsel somewhere that that information \ncan, in fact, be shared. And in this space, as you know, \nmilliseconds count. Days and weeks are not a good measure of \nhow long it should take to get things done. And the desire is \nto clear away that uncertainty and give general counsels a \ncomfort level that they can share for this specific purpose \nsubject to the privacy and civil liberties process that would \nbe put in place, which would be extremely robust, but they can \nshare this information expeditiously to protect the larger \necosystem.\n    And so that is really the problem that we see, days of \ndelay in being able to deploy defensive measures because of \nconcerns around whether or not that can be shared.\n    Senator Coons. I understand, having been in-house counsel \nto a company. 
I think our concern going forward is going to be
the civil liberties protections which will be robust, making
sure that we, in fact, are able to deliver on that.
    Did you have any further comment, Mr. Baker, on the good-
faith determination?
    Mr. Baker. Yes, Senator. Under the good-faith provision
that you are referring to, I think in terms of who would decide
or who would analyze that at the end of the day, I think it
would be decided by a court because that is a good-faith
defense against a civil action in certain circumstances. And so
I think if a provider, somebody who shared information and
somebody did not like the fact that they shared information or
how much they shared or however it was done, if they were to
sue this entity in court, this is how I think the good-faith
provision would come into play. And so I think at the end of
the day it would be a court, a finder of fact, whether it is a
judge or a jury, that would make that kind of determination. So
there is protection. That is not something that the government,
I think, is going to be deciding on its own. It is going to be
before a neutral decisionmaker.
    Senator Coons. I understand the value of immunity in terms
of speeding up cooperation.
I just wanted to flag my concern
about how this balance is struck going forward.
    A distinct concern of mine or interest of mine, Delaware's
National Guard happens to have a cyber warfare unit, cyber
warfare squadron that has been stood up, and it happens to take
advantage of the unique strengths and abilities of folks who
spend much of their career in the private sector working in
cybersecurity and then allows them to be double-hatted as folks
who are connected to our Nation's national security apparatus.
    Do you see a role for the National Guard going forward as
something that could be a useful bridge between cyber law
enforcement needs and cyber defense needs and tap into some of
the growing strength in terms of the civilian population in the
private sector's resources and training, first and second? And
then how do you think we are doing at standing up and training
a sufficient cadre of qualified cybersecurity professionals in
the private sector to augment the execution and delivery on the
sorts of policies you are expecting the private sector to be
able to act on in this proposed set of administrative policies?
    Let the record reflect Mr. Schwartz declined to comment.
    [Laughter.]
    Mr. Schaffer. Senator, thank you. Certainly, as we have
said, there is a role for everyone to play in this space. There
are needs for all of us to participate in buying down risk and
making sure that we are addressing cybersecurity across a very
large domain.
    I do think that there are opportunities both in this
proposal where we would like to do an exchange to allow
government and industry to be able to exchange some personnel
so that we learn how others do this. There is some tremendous
value for those who have gone from government into industry and
from industry into government in terms of having us understand
the challenges on both sides of the fence, and this proposal
includes some of that.
It also makes it easier for us to do
some hiring. As was pointed out, there are initiatives from an
education perspective to try to get to a higher level of
capability across the board for cybersecurity, and there are
several initiatives that currently attempt to do that by
working with the universities and even with the elementary
schools to start people thinking about cybersecurity as a
career much earlier in the process.
    So there is a range of things that I do think need to be
done. We very much share the notion that public awareness is
going to be a critical part of this process, and the need to
bring as many people into the fold as possible is certainly
part of what we are trying to get to.
    Senator Coons. Thank you.
    Mr. Baker.
    Mr. Baker. Senator, just briefly, to echo what Mr. Schaffer
just said, I think we really do need to adopt a whole-of-
government approach to this problem. We need to look at all the
resources that we have, and I think it is sometimes useful--
analogies are always difficult, but if you think about how we
have tried to deal with the threat from terrorism and how we
have utilized all parts of the U.S. Government--from the
transportation sector to the FBI, to the intelligence
community, to the military--we have made sure that we have used
all of our resources. And I think that is the kind of national
effort that we need when dealing with the threat that we are
facing today because I think it is that big and it is that
multi-faceted, so we need to make sure that we are bringing all
of our resources to bear.
    So I think your idea is worth exploring. We will have to
give some thought to it. I do not know off the top of my head
exactly how that would work, but, you know, everybody who has a
skill and ability in this area needs to be utilized to the full
extent possible.
    Senator Coons. Well, thank you, Mr.
Baker.
    Thank you, Chairman, for continuing to be so effectively
engaged in this difficult issue that is important for our
National security.
    Senator Whitehouse. Thank you, Senator.
    Let me go back to where we left off, and I think what I
will do is I will make this a question for the record so we
just do not bog down this hearing getting way into this. But
what I am interested in is what elements of the ISP system are
expected by the administration to qualify as critical
infrastructure under its proposal for requiring approval of
critical infrastructure protection. And this is potentially a
related question, depending how the answers come down, but the
related question is: Where in the administration's proposal is
the ISP customer relationship regulated with respect to giving
customers notice that they are the unwitting and unwilling
bearers of viruses, malware, and other threats?
    [The information referred to appears as a submission for
the record.]
    Senator Whitehouse. The other area that I wanted to touch
on is with respect to reporting. Basically when is a hack not a
breach? There is considerable emphasis in the administration's
proposal on data breaches, particularly ones that cause the
disclosure of significant amounts of public information. But
the threats in various areas are not just the breach of privacy
and the loss of public information. They are the loss of
intellectual property by a company. They are the insertion of
malware into critical operating systems, things like that.
Where do you propose that things other than data breach be
reported? And is that an area that is open to be worked on?
Should publicly traded entities be more clear in their SEC
filings about the risk that they face from cybersecurity?
Clearly they are spending a lot of money on protection, but are
they reporting what they are doing? Is there daylight into
that?
Are the key commissions--the Nuclear Regulatory
Commission, the Federal Energy Regulatory Commission, the FAA--
obliged to assemble data about the risks that the industries
that they regulate are at risk of suffering? And probably you
would want to de-identify the information so that you are not
creating competitive advantage and disadvantage, but at least
you would want the public to know--back to the conversation
about public awareness, you would want the public to know that
a federal regulator has stepped out and said, oh, by the way,
here are the major risks to the electric grid, here are the
major risks to the air traffic safety, here are the major risks
to nuclear facilities.
    Now, some of it is going to be classified, but I think it
is important that we kind of bring all of that up, because my
concern is that you can have national awareness campaigns until
you are blue in the face, but if the actual attacks are
classified when they had dot.gov and dot.mil and kept
proprietary by business so as not to alarm customers and
regulators and consumers and competitors--or I guess encourage
competitors--when it is dot.org and dot.com, then, you know,
you have a real information deficit and the American public is
being denied a lot of information that they should have and
that they could perfectly well have if it were de-identified so
that you were not targeting a particular bank or a particular
utility, but just letting people know this is what happened
today, this is what happened today. And I do not see how you
can inform the public adequately without the underlying
information becoming more clear, and I do not know how you do
that in this piece of legislation.
    Mr. Schaffer.
    Mr. Schaffer. Yes, Senator, thank you. There is in the
proposal--and there are many notice provisions.
There is a
proposal that would require those who are in critical
infrastructure to share promptly, report to the Secretary of
Homeland Security any significant cybersecurity incident. So
within that class that would fall into the critical
infrastructure, you would have a notice requirement not
dependent upon a particular PII, or personally identifiable
information, having been accessed but just----
    Senator Whitehouse. And that is in that same critical
infrastructure category that my first question was about, the
one that you have taken for the record.
    Mr. Schaffer. It is.
    Senator Whitehouse. Okay. Outside of that. So you have got
critical infrastructure, and you have got these big data
breaches. What else?
    Mr. Schaffer. Outside of critical infrastructure this
particular provision would not apply, but I do think that some
of what has been happening in the last several months with
breaches is instructive in that the structure that we have now,
the National Cyber Incident Response Plan, and the ability to
work through the National Cybersecurity and Communications
Integration Center at DHS, which has representatives from
industry who literally sit on the watch floor with DHS, with
law enforcement authorities, with authorities from other parts
of government, gives us the ability to share that information
much more effectively and efficiently.
And, indeed, if you look
at some of the recent incidents, within an hour or two of an
announcement being made, we will have assembled a cast of
players who have an interest in the issue and will have gotten
them engaged in discussing mitigation strategies.
    In some instances we are able to push out information to
specific sectors even before there is a public announcement by
the entity that is impacted, and so I think that construct is
starting to work in the way that we had always envisioned it
would, and that does allow us to get information out much more
aggressively.
    Senator Whitehouse. About a specific incident to people
interested in that specific incident as opposed to more across
the board.
    Mr. Schaffer. Yes, certainly to government, CIOs, and CISOs
in very short order, and to interested parties in the private
sector. The whole construct that we have now is to try to get
out through the Information Security Analysis Centers, get
information out to an entire sector or segment of the economy
as quickly as possible that information which can be most
useful for them in deploying defensive measures.
    Senator Whitehouse. Against a particular attack. I meant
more generally about just having there be more awareness of the
extent of the attacks that we are under. I think that--I will
find that. Here we go. Symantec says that it recorded over
three billion malware attacks in 2010, and that is nearly a 100
percent increase. That is billion with a B. There is a huge
disjunction between what is really happening out there and what
people know, and just letting people who might be compromised
in a similar way by a particular attack know is important and is
valid, and I am glad you are doing it.
But it is a different
thing than raising the general level of public consciousness
about all of this so that people are more inclined to take
protections, more inclined to buy the commercial off-the-shelf
technology, more inclined to do the various steps that will
protect them.
    Mr. Baker. Senator, on your question just very briefly.
    Senator Whitehouse. Yes, Mr. Baker.
    Mr. Baker. With respect to your reference to the SEC, I
just would note that some companies have begun to make reports
about intrusions that they have suffered in their filings with
the SEC, so----
    Senator Whitehouse. And Senator Rockefeller and I and
others have sent a letter to the SEC asking that they beef this
up, and they are looking at it right now and will get back to
us later.
    I am going to recognize Senator Klobuchar in a moment, but
let me ask one more question since we are sort of on this
subject.
    It seems to me that one of the things that we can do that
would be very helpful would be to encourage conversation about
threats. You talked about immunity and making sure that, you
know, the conversation between DHS and affected businesses is
safe conversation. But we have the defense industrial base out
there talking to one another about cyber threats. You have the
ISACs in different industries out there beginning to talk to
each other about various cyber threats. I am hearing from a
number of folks that those are processes that are both, A, very
useful and, B, not anywhere near as robust as they could be
because of a variety of hesitations from the participants about
their participation in that internal industry group, that they
might lose protected status of information, proprietary status
or privilege, that they might face an antitrust challenge for
what they are talking about in there.
And we are sort of
operating in a legally uncertain zone in doing this.
    The proposal of the administration is that when it is
business to DHS, that is a protected discussion. But there is
no protection for the B2B discussion within these industrial
organizations or groups that are already set up to try to do
this.
    Are those effective? Should their work be enhanced? And
what do you think are the best ways to enhance their work in
ways that do not require government intervention? That is just
basically the industry circling its wagons against common
threats and trading information and engaging in common defense,
like the old prairie schooners of yore.
    Mr. Baker. Just very briefly, and then I will turn it over
to Mr. Schaffer. We have spent a lot of time thinking about
that. You are exactly right. That is an important issue. We
recognize that. We have looked at it closely. We have looked at
a variety of different ways to do this.
    There are some tricky legal issues in there. As you
mentioned, the antitrust concern I think is one that is of
particular note, and so we have to focus on that. But I think,
you know, we are open to working on that issue. We recognize
its importance, and you are exactly right. We need to figure
out a better way to enhance that sharing and balance all the
different factors that you mentioned that have to be balanced
appropriately.
    Senator Whitehouse. And recognize that for a lot of the
participants in these things, it is a game in which it is to
their great advantage to be the free rider who does as little
as possible and allows their industry colleagues to carry as
much of the load as possible, and when everybody is looking at
it that way, you do not get an optimal result. So there is kind
of an economics and motivation problem built into it as well.
    Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Senator Whitehouse.
Thanks for chairing this hearing, and thank you to our
witnesses. I am sorry I was late. We have the Commerce hearing
for the new nominated Commerce Secretary, which also has some
role in this cyber area, and I am actually currently working on
a bill with Senator Hatch from this Committee on cloud
computing, and I think updating some of our laws in light of
the technological advances surrounding this innovative business
model is very important. I think it has the potential, cloud
computing does, to alleviate some of the concerns in the
cybersecurity field by introducing economies of scale and
making sophisticated protection available to all cloud users.
But it also raises some unique diplomatic issues because data
is being stored in multiple countries.
    Can you talk about the issues of international jurisdiction
faced by your agencies when investigating cyber crime involving
cloud computing? Does anyone have any--Mr. Baker?
    Mr. Baker. I will start, Senator. Thank you. Yes, the number
of different issues--and I have testified before the Committee
on some of the ECPA issues that are at play with respect to
cloud computing, so we recognize the importance of it. The
administration wants to do everything it can to support the
development of cloud computing industries.
    It does raise a number of security issues, as you just
highlighted, and I think that the thing about this data and the
thing to remember about the various structures that we have is
that the Internet is a physical thing, and it exists in
different places. And the data, as you mentioned, is stored in
different places, and so it raises these different
jurisdictional issues.
But one of the things we have focused
on, in particular, for example, at the FBI, is working with our
international partners on these investigations, because the
cyber criminals in particular move around to lots of different
places and try to obscure where it is that they are coming from
and who they are attacking and so on.
    And so the international issues are only going to get
greater, as you highlight, but we at least, at the FBI and the
Department of Justice, have focused extensively on trying to
make our international cooperation better than it has been.
    Senator Klobuchar. Do you think better international
agreements on the rules relating to data storage against bad
actors would help you with fighting cyber crime?
    Mr. Baker. I think depending on how they were structured, I
think they could, certainly, yes.
    Senator Klobuchar. You would not want a bad international--
--
    Mr. Baker. Right. Exactly. Right. Exactly.
    Senator Klobuchar. Okay. Good.
    Mr. Schwartz. Senator, we completely agree with you on the
point about the cloud and economies of scale and how it could
end up helping security, particularly with small companies and
small agencies that themselves have to invest a lot to protect
security today.
    One proposal that we do have in the administration proposal
is a piece on promoting cloud services tied to ensuring that--
preventing States from requiring companies to build the data
centers within a particular State, except where that is
expressly authorized by federal law. We think that that will
help for companies to feel better that they can invest in the
cloud and help create international norms around the cloud. We
have seen some countries already where the provinces or states
in those countries have passed laws saying that you must locate
cloud storage within our jurisdiction, particularly to address
the kinds of concerns that you are talking about.
We do not
think that is the right way to go to address those concerns. We
think that we need to let the cloud, the marketplace for the
cloud, flourish and then have enforcement happen through the
channels that you are discussing with Mr. Baker.
    Senator Klobuchar. Okay, very good.
    What tools does the administration's proposed cyber
legislation give the Department of Justice to more effectively
investigate and prosecute the offenders both domestically and
internationally?
    Mr. Baker. Well, there are a number of different provisions
that would assist us, so the data breach proposal is one that
would give us a heightened awareness of what is happening, more
prompt notification of what is happening, and that would
certainly enable us through the various reporting requirements
that are part of that proposal in terms of notifying the FBI,
that would certainly enhance our situational awareness, as we
say, about what is going on.
    The various amendments that we have proposed with respect
to the Computer Fraud and Abuse Act and other federal statutes,
such as the RICO statute, to make certain violations of----
    Senator Klobuchar. Could you elaborate on that--I used to
be a prosecutor--how amending the RICO statute would be
helpful?
    Mr. Baker. Sure. As I mentioned in reference to the other
questions, many of the crimes that we are facing and the
criminals that we are facing are organized criminals, and so we
think it is totally appropriate that we use a tool that is
intended to deal with organized crime, the RICO statute, to
counter some of those activities. And so it seems to make sense
to us. It is pretty straightforward, frankly, and it is a
powerful tool. We know people have concerns about it. We want
to use it responsibly.
We think we have in place the adequate
administrative controls inside the Department to use it
responsibly, but we think it is something that could benefit us
significantly.
    Enhanced penalties for certain efforts or crimes involving
damage to critical infrastructure computers we think would help
us also. Also bringing some clarity to the penalty provisions
that are part of the Computer Fraud and Abuse Act we think
would also help us and enable--or enhance our deterrence in
that area. It is difficult. In order to--I think as Senator
Whitehouse was saying--in order to investigate and prosecute
the crime, you have to find out about it. You have to have the
resources to be able to investigate it and so on. We know that.
That is all part of the piece. But clarifying some of the
penalty provisions, for example, and these other things I
mentioned----
    Senator Klobuchar. And could you just elaborate on that? I
have been working in the area of some of the streaming issues
to try to come up with a way with a number of the other
Senators to acknowledge that if someone is standing on a street
corner and sells DVDs that are over $2,500 that we already know
is a felony, and right now if you do it, if you have a business
and you are illegally selling anything--movies, books, music--
and you do it maybe $1 million and you are profiting--you have
to profit from it under our bill--it is still a misdemeanor.
And so we are trying to fix that without, you know, hurting
anyone's rights or teenagers that are simply trying to share
some information. So we have a lot of issues with it. It
reminds me a little of this as you try to look at what the
penalties are without doing anything that would hurt innocent
people in how you are trying to do it.
    So could you talk about that with the cybersecurity and the
penalty issue?
    Mr. Baker. Certainly.
To your point generally, we
definitely understand concerns that folks have expressed with
respect to some parts of the Computer Fraud and Abuse Act. We
understand that. We get that. We are trying to use it
appropriately under the circumstances in making prosecution
decisions in light of the various guidelines, and in full
knowledge that we have to justify what we are doing both to the
Congress and to the courts that we prosecute these cases in
front of.
    With respect to the penalties, the Computer Fraud and Abuse
Act statute has got a lot of different features to it. There
are a lot of things that it tries to prohibit, and it tries to
do it in a variety of different ways, and it tries to look at
what the intent is, what the amount of damage that is involved
is, what the activities are that are at issue. It is not just a
hacking statute. It is more than that. But it is a variety of
different crimes that have to do with computers that we think
enable us to prosecute things and crimes that the country wants
us to prosecute.
    Senator Klobuchar. I think it is hard sometimes for people
to understand that if someone used a crowbar and broke in and
stole all of your DVDs, that is clearly a felony. And then they
are stealing things off the Internet, it is also a bad crime,
whether it is your personal identification or someone else's
property. I just think it is a challenge of our day to make our
laws as sophisticated as the people who are breaking them
without doing it in a way that brings in innocent people. But I
do not think that should make us turn away. I think we have a
challenge of making the laws work right, but we are up for that
challenge; otherwise, we are just basically conceding this to
crooks on the Internet. We have to find a way to do this right,
so I appreciate it. Thank you.
    Senator Whitehouse. Thank you, Senator Klobuchar.
    Mr.
Schaffer, you said a little while ago that milliseconds
count when you are doing this defense. You cannot wait hours or
days for lawyers to do their thing. It is also true that
sometimes milliseconds are too late, that if you have not pre-
positioned certain defenses, you are out of the game, or you
are in a different game in a much worse position than you would
have been otherwise.
    We have to be careful what we say because this is a public
hearing, but clearly there are some capabilities that the U.S.
Government has that would be useful if they were allowed to
defend particularly critical infrastructure. Is there any
vehicle for the U.S. Government to deploy classified measures
to protect critical infrastructure in this bill without having
to get the request and the approval and the cognizance of the
owner of the critical infrastructure? Is it not the case that
you would basically have to read into any classified program
that was used the operator of the critical infrastructure or
not use the program to defend the critical infrastructure? I
think we need to bridge that gap, and I do not see how the bill
does that.
    Mr. Schaffer. Senator, there is not a provision in the
current proposal that would provide for that. We do have
capability that is coming along with respect to Federal
Government critical infrastructure, that which is owned by
departments and agencies or managed by departments and
agencies, through the intrusion prevention programs that we
have intrusion detection widely deployed now for federal
departments and agencies. We are in the process of building out
intrusion--we have intrusion detection, excuse me. We are
working toward intrusion prevention, and----
    Senator Whitehouse. And you have the advantage in all of
that where it is the Federal Government involved that you have
by definition single-party consent to the methods that are used
to protect that infrastructure.
Once you get outside of the
government and you now have critical American infrastructure
that is privately owned, it is very hard to deal with that
consent issue, particularly if it is a classified program. In
that regard, I would be interested in your thoughts on what the
former head of NSA and others have suggested about having a
secure domain into which critical infrastructure could be
located that would, by its very existence, be a signal to
anybody going there that the very best capabilities of the U.S.
Government are being deployed in this area in the same way that
people going to dot.gov and dot.mil are signaled in that exact
way right now. It seems to me that we have critical
infrastructure that is far more important than some of the
things that are protected by dot.gov and dot.mil. Not
everything but some. And yet the standard of what we do to
protect dot.gov and dot.mil is much higher than even critical
infrastructure in the open Internet.
    The second thing that that would do is it would also tell
you where that was not going on, and it would provide the
public assurance that they are not having their communications
scanned or screened or swept in any way by the government if
they are just on eBay or if they are in a chat room or if they
want to do the sort of ordinary noncritical commerce and
information exchange that the Internet supports.
    What are your thoughts about that idea?
    Mr. Baker. I will just add the legal question for a minute
and then turn it over to my colleagues for more of the
operational things.
    Having said that, let me just say at the outset the sharing
of classified information in many ways is more of an
operational issue as opposed to a legal issue, I think, if the
government is sharing with the private sector.
    Senator Whitehouse. Right.
    Mr. Baker.
That has to do with the confidence that we have
in sharing the information that it is not going to get out and
be disclosed in some way. But having said that, in terms of the
type of secure environment that you are talking about, you
would have to do the type of legal analysis that would look at
all the various surveillance statutes that would apply in this
area, because they apply not only to the government, they apply
to the private sector as well. You have to think about and look
at the extent to which the government, in fact, is doing this
through some type of agency relationship with the private
sector, depending upon the nature and scope of the relationship
that we have with these various entities and how that all
evolves, and that----
    Senator Whitehouse. Depending on the agency relationship,
it could easily become a government act.
    Mr. Baker. Exactly.
    Senator Whitehouse. Giving rise to all of the Fourth
Amendment concerns that pertain here.
    Mr. Baker. That is exactly right. That is exactly where I
was going. So we have to think about all those things. Can you
get through that analysis? Yes, you----
    Senator Whitehouse. But a domain clears that issue, does it
not, by making people aware so that there is consent before you
enter it?
    Mr. Baker. That is a tricky question, I think. You may not
need consent in every instance in this type of situation if
there was some type of special need for the government with
respect to the cybersecurity activity that is at play. Whether
the special needs doctrine applies and whether we meet the
requirements of it is going to be a fact-specific inquiry, I
think. But it is something that is worth looking at, and we
understand these ideas. We have heard about them, obviously,
and we are working on developing these types of ideas. And so
it is something that we definitely want to look at.
    Senator Whitehouse.
The fact of the matter, it seems, is
that unless you are willing to disclose certain highly
classified programs that are kept away from a lot of people we
trust, even in the military, even in the government, because of
their--you know, classifying is what is necessary to keep them
secure. Unless we are willing to share those with fairly large
sectors of the private industry, because it is hard to pick
winners and losers and say, Okay, we are going to protect you
because we trust you, but this other utility that has a CIO who
comes from Estonia and we are not sure about their cousin and
so we are not--you know, I am making all that up, but you can
imagine the complications that you get into when you start
making those choices.
    I think the bottom line is that we have--there are
resources that could protect private sector critical
infrastructure but will not without declassification to a
degree or without a risk of declassification that we may not be
willing to face. And it seems to me we solve that problem if we
make it more clear and overt, what we are doing. And there is
no real magic to it. You just say, okay, look, if you want to
go and look at these electric grid things, you have got to be
aware that the government is going to be keeping an eye on what
goes in and out of there in order to protect the electric grid.
I do not think people mind that. And then they know it is not
somewhere else as well.
    Mr. Schaffer.
    Mr. Schaffer. Senator, for reasons that you alluded to at
the beginning of the question, I think we would like to come
and talk to you about this further, perhaps in another forum
where we can go into a more fulsome discussion about all of the
parameters. But suffice it to say there is, as you point out,
quite a lot of complexity both from a legal perspective, a
technical perspective, and other perspectives----
    Senator Whitehouse. A security perspective.
    Mr.
Schaffer [continuing] In terms of how you would address \nthis issue, and so I would suggest that perhaps we make \narrangements to give you a more full briefing at another time.\n    Senator Whitehouse. That is fine. You will agree with me \nthat there is an issue that is worth pursuing, though.\n    Mr. Schaffer. Certainly worth having the conversation.\n    Mr. Schwartz. I will say that it is an issue that is under \ngreat discussion among the interagency groups that work on \nthese issues. We are continuing a discussion about that, and we \nlook forward to working with you on it.\n    Senator Whitehouse. I have to assume that the interagency \nprocess is sort of an ongoing thing and that there remain \ndiscussions going on within the administration on these \nsubjects. That would be only logical, and I assume that that is \nthe case. Correct?\n    Mr. Schwartz. Many, many, many meetings.\n    Senator Whitehouse. Good. Another topic I wanted to raise \nis the issue of prosecution and investigative resources. I will \ndirect this more to you, Mr. Baker, since I think the \nDepartment of Justice is going to be the primary actor here. \nThis is a new area. It is a growing area. It is an area of, as \neach of you have indicated in your testimony, intense concern \nboth from an economic, from a criminal, and from a national \nsecurity perspective. In the past, when we have had grave \nconcerns, whether it was things like alcohol, tobacco, \nfirearms, and munitions, entire agencies have been stood up to \ndeal with it. When it was narcotics, the entire Drug \nEnforcement Administration was stood up to deal with it.\n    By contrast, what we have addressing the cyber crime and \ncybersecurity threat is considerably smaller, which does not \nnecessarily by itself mean that you have got to blow it up, but \nthese are also very, very significant cases in terms of \nresource intensiveness. 
You are dealing with highly specialized \nelectronic information about how the Internet works. You are \ndealing with players who are located in foreign countries. You \nhave immense complexity trying to investigate across foreign \nborders to find these folks and to work through the different \ntreaties that permit all of that. You have not only the need to \nmake criminal prosecutions but very often to build civil cases \nin order to shut off certain things, as you all did so well in \nthe Coreflood Botnet and as Microsoft did in the Waledac \nbotnet.\n    This is a lot tougher than your ordinary drug case. This is \na lot tougher even than your ordinary RICO case. This is \ninternational RICO-type investigations with a huge technical \noverlay to them. So with all of that, what do we do to resource \nup enough so that we can address these cases as aggressively as \nmany of us believe we should? Are you satisfied that the \nexisting resources will do the trick, or do we need to think \nabout scaling up to meet this threat?\n    Mr. Baker. Thank you, Senator. I think from the Justice \nDepartment's perspective, obviously we can always use more \nresources in this kind of area. We are trying to--we know there \nare limited resources available, and so we are trying to use \nthem very judiciously and effectively and not just chasing \neverything that sort of pops on the radar screen. We are trying \nto be thoughtful about this, and the NCIJTF, National Cyber \nInvestigative Joint Task Force, is focused very much on trying \nto get the most bang for the buck, if you will, on the \nresources that we have available.\n    I will say--and I would imagine that my colleagues would \necho this--you cannot just grow good cyber investigators and \nprosecutors overnight, and so we need to have a long-term view \nof this and grow our resources properly and effectively \nbecause, as you mentioned, we need experts, we need people who \nreally know how to work these cases. 
This is not a problem you \ncan just throw bodies at and just pull people in and have them \nstart working these cyber cases.\n    Senator Whitehouse. But that said, you do believe that, as \ntime goes forward, this is going to be an increasing threat for \nthe country, an increasing responsibility for law enforcement, \nand we are going to need increasing resources in order to meet \nthat threat.\n    Mr. Baker. Absolutely, and I think that the projections \nthat I have seen in terms of the budgets going forward have a \nsteady increase, so far that I have seen at least, in terms of \nthe folks that we have to devote to this, not only the \ninvestigators but the prosecutors that can bring these cases to \ncourt as well, who understand what is happening and who can \ncome up with the kinds of ideas, as you mentioned, that the \nprosecutors and investigators came up with with respect to the \nCoreflood activity.\n    Senator Whitehouse. Mr. Schaffer, did you want to comment?\n    Mr. Schaffer. Yes, Senator, thank you. I think that what \nyou have seen in DHS' space is that we indeed have been growing \ndramatically, tripling the size of our National Cybersecurity \nDivision in 2009 in terms of federal employees, doubling again \nin 2010, or nearly doubling, and continuing to grow and \nprojected to grow in the 2012 budget as well. So we are on a \ntrajectory to bring additional resources on, as pointed out in \nthe proposal. There are some challenges in getting access to \nthe very best people, which is what we want, but we are moving \nforward to grow the program. And, of course, cybersecurity as \nan issue area has been elevated to one of the top five mission \nareas for DHS in the Quadrennial Homeland Security Review.\n    So we certainly have tremendous focus on this at DHS. I \nthink that is echoed throughout the administration. 
All of the \ndepartments and agencies recognize this as a very significant \narea and an area where attention is going to have to be paid \nfor an extended period of time.\n    Senator Whitehouse. The last topic I would just like to ask \neach of you on--I know I have kept you a long time, and I \nappreciate it--is the question about the supply chain. On the \none hand, we have a very well-developed and very efficient \ninternational, global supply chain for electronics in \nparticular. And by and large, as we have seen from the \ndevelopment of these products, it has served American consumers \nand people around the world very well. And the products that \nhave been launched and the services that have been launched, I \nthink, have served humankind very well. The Arab Spring is \nlargely the product of that technology.\n    All that said, it is increasingly a threat to the country \nthat foreign governments working with foreign suppliers could \ngo about planting into our supply chain not just defective \nproducts or counterfeit products of the nature that I have just \ndone a military counterfeit bill on, but products that actually \nallowed for infiltration and access into the other computer or \nthe system that it is connected to. And you do not want to shut \ndown the very vibrant global supply chain that supports the \nindustry. On the other hand, we have got to protect against \nthat kind of a risk, particularly with the United States as the \nprimary target, both as a national security target around the \ncountry and around the world and as the biggest user and the \neconomy that is most dependent on the Internet.\n    What is your advice with respect to supply chain security? \nAnd where does this bill begin us on that discussion?\n    Mr. Schaffer.\n    Mr. Schaffer. Mr. Chairman, I think that the supply chain \nissue is one of the most challenging and complex issues in \ncybersecurity today. Because the supply chain is so robust, \nbecause U.S. 
suppliers and foreign suppliers are very much \nintertwined, both in terms of products that U.S. companies are \nputting in the market, that U.S. companies are developing in \nother parts of the world, that foreign companies are using U.S. \nequipment in their equipment, it becomes very challenging.\n    And so the administration is very aware that there are \nchallenges here and is focused on that. There is an \nadministration task force that is led by DHS and the Department \nof Defense to think about those issues and to try to develop \nmethodologies to mitigate risks associated with supply chain \nand to identify long-term solutions that can maintain U.S. \nindustry in a robust way and also have a level playing field \nfor products and services as we go forward.\n    So that is a challenge that I think we will be addressing \nand thinking about for some time, and I do not know that we \nhave----\n    Senator Whitehouse. So it is nothing specific to this \nlegislation. We will just have to keep working on that one.\n    Mr. Schwartz. Mr. Chairman, we look forward to working with \nyou on this extremely important issue. One thing that I think \nis worth noting as well--I think Mr. Schaffer did a great job \nat laying out the basic outline of the kind of work that is \ngoing into this in an interagency context, but one thing that \nis important in all these issues but it comes out more clearly \nin supply chain, is this idea that whatever we put on companies \nthrough trade, we also have to be willing to accept \ninternationally. We have to think about this in a global way, \nthat our companies in the U.S. have to work internationally as \nwell. We have to come up with policies that work \ninternationally both for imports and exports. 
What will be \nexpected of companies that are importing we have to also expect \nfor the companies that are exporting may have to live by those \nsame rules, and we should expect that to be the case.\n    So we think that we can come up with global solutions in \nthis space and in the cybersecurity realm in general, and that \nis one of our targets as well.\n    Senator Whitehouse. Very good. Well, let me thank you all. \nYou have taken a lot of time this afternoon. I appreciate it.\n    I want to close by referencing some of the private sector \nconclusions that have been drawn in this area. On the Senate \nfloor, I have already spoken about the McAfee Night Dragon \nreport, but I just want to quote it here.\n    ``In 2010,'' McAfee says, ``we entered a new decade in the \nworld of cybersecurity. . . . This decade is setting up to be \nthe exponential jumping-off point. The adversaries are rapidly \nleveraging productized malware toolkits that let them develop \nmore malware than in all prior years combined, and they have \nmatured from the prior decade to release the most insidious and \npersistent cyberthreats ever known.''\n    Focusing on the Night Dragon attacks, it says, they worked \n``by methodical and progressive intrusions into the targeted \ninfrastructure. . . . While Night Dragon attacks focused \nspecifically on the energy sector, the tools and techniques of \nthis kind can be highly successful when targeting any industry. \nOur experience has shown that many other industries are \ncurrently vulnerable and are under continuous and persistent \ncyberespionage attacks of this type.'' That is McAfee.\n    Symantec, very similar, the overall conclusion: ``several \nsignificant events in 2010 suggest that advanced and persistent \ncyberspace threats have leapt to a new evolutionary stage. . . \n. 
This evolutionary leap leaves public-sector cyberspace \ndefenders scrambling to address technological, operational, and \nprocedural gaps in the wake of their adversary's rapid \nmaturation. . . . The defense of critical operations requires \ncybersecurity personnel to assume that networked systems can be \ncompromised.''\n    And they describe an operation called Operation Aurora: \n``the sheer scope of Operation Aurora differentiates it from \nprevious attacks of this nature. . . . The operational scope \nimplies that the threat actors were highly organized and their \ngoals extremely focused. It also reflects [that]. . .it is no \nlonger a question of whether or not adversaries will use \ncyberspace to assist espionage--they will--and it must be part \nof the basic assumptions made by security practitioners, \nwhether practicing in the public or private sector.''\n    It is compelling when two of the largest and most renowned \nsecurity providers say virtually the same thing in reports \nabout the exponential jumping-off nature of the threat that we \nface, and I appreciate immensely the work that you all are \ndoing to try to protect us from that, to try to keep up with \nthe threat as it metamorphoses. 
And I think that in the areas \nthat we have discussed today, the areas of broader reporting so \nthat the public is more aware of these concerns, in the area of \nthe ISP responsibilities toward their consumers to let them \nknow about when they are unwitting and unwilling bearers of \nmalware and viruses, including these particularly threatening \nnew ones, potentially, in the business-to-business \nrelationship, the ISACs, the DIB, and the other areas where we \nwant to encourage those communications, with respect to advance \npositioning of some of our most critical defense around our \ncritical infrastructure, with respect to adequately resourcing \nthe law enforcement side of this, and with respect to \nprotecting particularly our military, defense, and critical \ninfrastructure supply chain, we have quite a lot of work to do.\n    I look forward to working with all of you as the \nadministration's proposal goes forward and is amended and \namplified through the legislative process. And thank you for \nthe work that you have done on behalf of our country.\n    The hearing will remain open for another week for any \ntestimony that may come in. I would be delighted to get the QFR \nresponses from you within a couple of weeks, if that is \npossible. And there is a statement from the Financial Services \nRoundtable that we will put into the record of this proceeding \nas well as the complete statement of Representative Langevin of \nRhode Island.\n    [The statement appears as a submission for the record.]\n    Senator Whitehouse. And I will add also a report from the \nCenter for Democracy and Technology entitled ``Cybersecurity: \nEvaluating the Administration's Proposals,'' dated June 21, \n2011.\n    [The report appears as a submission for the record.]\n    Senator Whitehouse. That completes the record of the \nproceeding. 
Again, I thank the witnesses, and we will be \nadjourned.\n    [Whereupon, at 4:26 p.m., the Subcommittee was adjourned.]\n    [Questions and answers and submissions for the record \nfollow.]\n\n\n\n\n\n\n\n                            A P P E N D I X\n\n              Additional Material Submitted for the Record\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n              Prepared Statement of Chairman Patrick Leahy\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n Prepared Statement of Hon. James R. Langevin, a Congressman from the \n                         State of Rhode Island\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\nPrepared Joint Statement of James A. Baker, Department of Justice; Greg \nSchaffer, Department of Homeland Security; and Ari Schwartz, Department \n                              of Commerce\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n Questions Submitted by Senator Sheldon Whitehouse for James A. Baker, \n                    Greg Schaffer, and Ari Schwartz\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n Responses Submitted by James A. Baker, Greg Schaffer, and Ari Schwartz\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                Miscellaneous Submissions for the Record\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                               [all]\n\n</pre></body></html>\n"