<html>
<title>CYBERSECURITY RESEARCH AND DEVELOPMENT: CHALLENGES AND SOLUTIONS</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


                         CYBERSECURITY RESEARCH
                            AND DEVELOPMENT:
                        CHALLENGES AND SOLUTIONS

=======================================================================

                                HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON TECHNOLOGY &
                        SUBCOMMITTEE ON RESEARCH

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                       TUESDAY, FEBRUARY 26, 2013

                               __________

                            Serial No. 113-6

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
79-926                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer
Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or
866-512-1800 (toll-free). E-mail, gpo@custhelp.com.


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              MARK TAKANO, California
KEVIN CRAMER, North Dakota           VACANCY
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS STEWART, Utah
VACANCY
                                 ------

                       Subcommittee on Technology

                  HON. THOMAS MASSIE, Kentucky, Chair
JIM BRIDENSTINE, Oklahoma            FREDERICA S. WILSON, Florida
RANDY HULTGREN, Illinois             SCOTT PETERS, California
DAVID SCHWEIKERT, Arizona            DEREK KILMER, Washington
                                     EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------

                        Subcommittee on Research

                   HON. LARRY BUCSHON, Indiana, Chair
STEVEN M. PALAZZO, Mississippi       DANIEL LIPINSKI, Illinois
MO BROOKS, Alabama                   ZOE LOFGREN, California
STEVE STOCKMAN, Texas                AMI BERA, California
CYNTHIA LUMMIS, Wyoming              ELIZABETH ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas


                            C O N T E N T S

                       Tuesday, February 26, 2013

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Thomas Massie, Chairman, Subcommittee
  on Technology, Committee on Science, Space, and Technology,
  U.S. House of Representatives..................................     6
    Written Statement............................................     6

Statement by Representative Lamar S. Smith, Chairman, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives................................................     7
    Written Statement............................................     7

Statement by Representative Frederica S. Wilson, Ranking Minority
  Member, Subcommittee on Technology, Committee on Science,
  Space, and Technology, U.S. House of Representatives...........     9
    Written Statement............................................    10

Statement by Representative Larry Bucshon, Chairman, Subcommittee
  on Research, Committee on Science, Space, and Technology, U.S.
  House of Representatives.......................................    11
    Written Statement............................................    11

Statement by Representative Daniel Lipinski, Ranking Minority
  Member, Subcommittee on Research, Committee on Science, Space,
  and Technology, U.S. House of Representatives..................    13
    Written Statement............................................    15

                               Witnesses:

Mr. Michael Barrett, Chief Information Security Officer, PayPal,
  Inc.
    Oral Statement...............................................    17
    Written Statement............................................    19

Dr. Frederick R. Chang, President and Chief Operating Officer,
  21CT, Inc.
    Oral Statement...............................................    34
    Written Statement............................................    36

Ms. Terry Benzel, Deputy Director, Cyber Networks and Cyber
  Security, USC Information Sciences Institute
    Oral Statement...............................................    46
    Written Statement............................................    48

Discussion.......................................................    62

             Appendix I: Answers to Post-Hearing Questions

Mr. Michael Barrett, Chief Information Security Officer, PayPal,
  Inc............................................................    80

Dr. Frederick R. Chang, President and Chief Operating Officer,
  21CT, Inc......................................................    81

Ms. Terry Benzel, Deputy Director, Cyber Networks and Cyber
  Security, USC Information Sciences Institute...................    83

            Appendix II: Additional Material for the Record

Department of Homeland Security letter submitted by
  Representative Frederica S. Wilson, Ranking Minority Member,
  Subcommittee on Technology, Committee on Science, Space, and
  Technology, U.S. House of Representatives......................    88

National Science Foundation letter submitted by Representative
  Frederica S. Wilson, Ranking Minority Member, Subcommittee on
  Technology, Committee on Science, Space, and Technology, U.S.
  House of Representatives.......................................    91


                CYBERSECURITY RESEARCH AND DEVELOPMENT:
                        CHALLENGES AND SOLUTIONS

                              ----------


                       TUESDAY, FEBRUARY 26, 2013

                  House of Representatives,
                                   Subcommittee on Research
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:01 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Thomas
Massie [Chairman of the Subcommittee on Technology] presiding.

[GRAPHICS OMITTED: T9926.001 through T9926.004]

    Chairman Massie. This joint hearing of the Subcommittee on
Technology and the Subcommittee on Research will come to order.
    Good morning. Welcome to today's joint hearing entitled
``Cybersecurity Research and Development: Challenges and
Solutions.'' In front of you are packets containing the written
testimony, biographies, and truth-in-testimony disclosures for
today's witnesses. Before we get started, since this is a joint
hearing involving two Subcommittees, I want to explain how we
will operate procedurally so all Members will understand how
the question-and-answer period will be handled.
    As always, we will alternate between the majority and
minority Members and allow all Members an opportunity for
questioning before recognizing a Member for a second round of
questions. We will recognize those Members present at the gavel
in order of seniority on the full Committee, and those coming
in after the gavel will be recognized in order of arrival. I
now recognize myself for five minutes for my opening statement.
    We convene the first hearing of the Technology Subcommittee
and the 113th Congress held jointly with my colleagues on the
Research Subcommittee. This Subcommittee sits at the
intersection of technology and innovation and is uniquely
positioned to address topics affecting competitiveness of
emerging high-growth industries. I look forward to learning
from our witnesses today about cybersecurity research and
development challenges, and I look forward to working with my
colleagues to determine how we can eliminate barriers to
entrepreneurship in our country going forward. In these
difficult times, it is important that we continue to empower
our Nation's innovators to maintain our economic
competitiveness.
    I now yield two minutes of my time to the Chairman of the
full Committee, Mr. Smith of Texas.
    [The prepared statement of Mr. Massie follows:]

            Prepared Statement of Subcommittee on Technology
                         Chairman Thomas Massie

    We convene the first hearing of the Technology Subcommittee in the
113th Congress, held jointly with my colleagues on the Research
Subcommittee. This Subcommittee sits at the intersection of technology
and innovation, and is uniquely positioned to address topics affecting
competitiveness of emerging high-growth industries. I look forward to
learning from our witnesses today about cybersecurity research and
development challenges, and I look forward to working with my
colleagues to determine how we can eliminate barriers to
entrepreneurship in our country going forward. In these difficult
times, it is important that we continue to empower our nation's
innovators to maintain our economic competitiveness.
    Chairman Smith. Thank you, Mr. Chairman, for yielding me
the balance of your time.
    Mr. Chairman, the Preamble to the Constitution states that
one of the primary responsibilities of our Federal Government
is to provide for the common defense. More than 200 years
later, the meaning has changed but the task remains the same.
National defense in the digital age no longer just means
protecting ourselves with arms against enemies who attack with
traditional weapons. It now means protecting America from
enemies who launch cyber attacks against our computers and
networks.
    Cyber attacks against U.S. Government and private sector
networks are on the rise. In the last few weeks, some of
America's largest companies have been hacked. Even the most
sophisticated companies can be vulnerable to cyber attacks.
Recent targets include Apple, Facebook, Yahoo!, the New York
Times, and the Wall Street Journal. Various agencies of the
Federal Government also have been the target of attacks and
attempted attacks. Unfortunately, evidence suggests that
foreign governments may be among those responsible.
    Protecting America's cyber systems is critical to our
economic and national security. Americans deserve better
protection, and the Federal Government can help make sensitive
information more secure. This challenge requires a thorough and
comprehensive effort in both the public and private sectors.
Private companies are increasing their investment in
cybersecurity. Congress should support those efforts. Only
Congress can provide the incentives and protections that would
permit necessary information-sharing among companies, and more
importantly, between private companies and the Federal
Government.
    Today's hearing examines an important step that we can take
to foster the kind of cooperation that this challenge requires.
The Cybersecurity Enhancement Act introduced by Committee
Members Michael McCaul and Daniel Lipinski coordinates research
and development activities to better address evolving cyber
threats. The legislation promotes much-needed research and
development to help create new technologies and standards that
better protect America's information technology systems.
    Cyber attacks threaten our national and economic security.
To solve this problem, America needs a solution that involves a
cooperation of many public and private sector entities. The
McCaul/Lipinski legislation helps foster such an effort, which
will make our computer systems more secure.
    I hope we can learn how to improve the bill today and
quickly advance it through this Committee.
    Thank you, Mr. Chairman. I yield back the balance of your
time.
    [The prepared statement of Mr. Smith follows:]

        Prepared Statement of Committee Chairman Lamar S. Smith

    The preamble to the Constitution states that one of the primary
responsibilities of our federal government is to ``provide for the
common defense.'' More than two hundred years later, the meaning has
changed but the task remains the same.
    National defense in the digital age no longer just means protecting
ourselves with arms against enemies who attack with traditional
weapons. It now means protecting America from enemies who launch cyber
attacks against our computers and networks.
    Cyber attacks against U.S. government and private sector networks
are on the rise. In the last few weeks, some of America's largest
companies have been hacked. Even the most sophisticated companies can
be vulnerable to cyber attacks. Recent targets include Apple, Facebook,
Yahoo!, the New York Times and the Wall Street Journal.
    Various agencies of the federal government also have been the
target of attacks and attempted attacks. Unfortunately, evidence
suggests that foreign governments may be among those responsible.
    Protecting America's cyber systems is critical to our economic and
national security. Americans deserve better protection and the federal
government can help make sensitive information more secure.
    This challenge requires a thorough and comprehensive effort in both
the public and private sectors. Private companies are increasing their
investment in cybersecurity. Congress should support those efforts.
    Only Congress can provide the incentives and protections that would
permit necessary information sharing among companies, and more
importantly, between private companies and the federal government.
    Today's hearing examines an important step that we can take to
foster the kind of cooperation that this challenge requires. The
Cybersecurity Enhancement Act, introduced by Committee Members Michael
McCaul and Daniel Lipinski, coordinates research and development
activities to better address evolving cyber threats. The legislation
promotes much-needed research and development to help create new
technologies and standards that better protect America's information
technology systems.
    Cyber attacks threaten our national and economic security. To solve
this problem, America needs a solution that involves the cooperation of
many public and private sector entities. The McCaul-Lipinski
legislation helps foster such an effort, which will make our computer
systems more secure.
    I hope we can learn how to improve the bill today and quickly
advance it through this Committee.
    Chairman Massie. Thank you. The Chair now recognizes Ms.
Wilson for her opening statement.
    Ms. Wilson. Thank you, Chairman Massie, for holding this
joint hearing on cybersecurity, and thank you to our witnesses
for being here today.
    Before I begin, I would like to say that I am pleased to be
the new Ranking Member of the Technology Subcommittee. As a
longtime educator, principal, teacher, I am a big believer in
the power of scientific innovation. Mr. Chairman, I am looking
forward to working with you this Congress to help enable
innovation that creates jobs and makes our Nation more secure.
    Today's hearing is a perfect example of the work this
Subcommittee can do to bolster national security. Cyber crimes
are ever increasing. In fact, the number of attacks reported by
federal agencies increased by 782 percent between 2006 and
2012. The threats to federal systems in our critical
infrastructure are not only growing in number but in the level
of sophistication. Over the last month alone, the New York
Times, the Wall Street Journal, the Washington Post, Twitter,
and Facebook have all confirmed that they have been the target
of sophisticated cyber attacks. These crimes may include
identity theft, intellectual property theft, service
disruptions, and even espionage.
    We are beginning to suffer the cost of cybercrime. A recent
study found that cybercrime now costs a U.S. business $8.9
million on average per year. The problem is so pervasive that
security experts now joke that there are only two types of
American companies these days: those that have been hacked and
those that don't know they have been hacked.
    Earlier this month, the President signed an Executive Order
that begins the process of strengthening our networks of
critical infrastructure against cyber attacks by increasing
information-sharing and establishing a framework for the
development of standards and best practices. But the President
also acknowledged that Congress must act to pass comprehensive
cybersecurity legislation.
    The bipartisan legislation introduced by our colleagues,
Mr. McCaul and Mr. Lipinski, and under consideration today
should be a part of this comprehensive package. I am looking
forward to hearing any recommendations our witnesses might have
about how to improve the legislation.
    Additionally, I hope to hear more from our witnesses about
their thoughts on the role the Executive Order outlines for
NIST. In the past, Congress has asked NIST to bring the private
sector together to accelerate the development of voluntary
standards. It seems appropriate that NIST be tasked with the
similar role in cybersecurity, especially in light of their
expertise in this field.
    Finally, I would be remiss if I did not mention the
potential impact sequestration will have on our ability to
deter, defend, and recover from cyber attacks. In a letter to
Appropriations, the National Science Foundation indicated that
vital investments in research and development would be
jeopardized, and that one of the areas that could be impacted
by sequestration is research into advances in cybersecurity.
    The Department of Homeland Security Science and Technology
Directorate plays a large role in the development and
deployment of cybersecurity technologies. The Directorate has
indicated that under sequestration, they will have to cut their
cybersecurity research by 30 percent, eliminating research in
data privacy, identity management, cybersecurity forensics,
and security for cloud-based systems. The need to invest in
research and development is critical as cyber threats continue
to grow and evolve. I hope we will not let sequestration delay
and derail these essential investments.
    Thank you, Mr. Chairman, and I yield back the balance of my
time.
    [The prepared statement of Ms. Wilson follows:]

            Prepared Statement of Subcommittee on Technology
              Ranking Minority Member Frederica S. Wilson

    Thank you, Chairman Massie for holding this joint hearing on
cybersecurity, and thank you to our witnesses for being here today.
Before I begin, I'd like to say that I am pleased to be the new Ranking
Member of the Technology Subcommittee. As a longtime educator, I am a
big believer in the power of scientific innovation. Mr. Chairman, I am
looking forward to working with you this Congress to help enable
innovation that creates jobs and makes our nation more secure.
    Today's hearing is a perfect example of the work this Subcommittee
can do to bolster national security. Cyber crimes are ever-increasing.
In fact, the number of attacks reported by federal agencies increased
by 782 percent between 2006 and 2012. The threats to federal systems
and our critical infrastructure are not only growing in number, but in
the level of sophistication.
    Over the last month alone, The New York Times, The Wall Street
Journal, The Washington Post, Twitter, and Facebook have all confirmed
that they have been the target of sophisticated cyber attacks. These
crimes may include identity theft, intellectual property theft, service
disruptions, and even espionage.
    We're beginning to suffer the costs of cybercrime. A recent study
found that cybercrime now costs a U.S. business $8.9 million on average
per year. The problem is so pervasive that security experts now joke
that there are only two types of American companies these days: those
that have been hacked and those that don't know they've been hacked.
    Earlier this month, the President signed an executive order that
begins the process of strengthening our networks and critical
infrastructure against cyber attack by increasing information sharing
and establishing a framework for the development of standards and best
practices. But the President also acknowledged that Congress must act
to pass comprehensive cybersecurity legislation.
    The bipartisan legislation introduced by our colleagues Mr. McCaul
and Mr. Lipinski, and under consideration today, should be part of
this comprehensive package. I am looking forward to hearing any
recommendations our witnesses might have about how to improve the
legislation. Additionally, I hope to hear more from our witnesses about
their thoughts on the role the executive order outlines for NIST. In
the past, Congress has asked NIST to bring the private sector together
to accelerate the development of voluntary standards. It seems
appropriate that NIST be tasked with a similar role in cybersecurity--
especially in light of their expertise in this field.
    Finally, I'd be remiss if I did not mention the potential impact
sequestration will have on our ability to deter, defend, and recover
from cyber attacks. In a letter to appropriators, the National Science
Foundation indicated that ``vital investments in research and
development would be jeopardized'' and that one of the areas that could
be impacted by sequestration is research into advances in
cybersecurity.
    The Department of Homeland Security's Science and Technology
Directorate plays a large role in the development and deployment of
cybersecurity technologies. The Directorate has indicated that under
sequestration they will have to cut their cybersecurity research by 30
percent, eliminating research in data privacy, identity management,
cybersecurity forensics, and security for cloud based systems.
    The need to invest in research and development is critical as cyber
threats continue to grow and evolve. I hope we will not let
sequestration delay and derail these essential investments.
    Chairman Massie. Thank you, Ms. Wilson. I look forward to
working with you as well on this Committee.
    The Chair now recognizes the Chairman of the Subcommittee
on Research, Mr. Bucshon, for his opening statement.
    Mr. Bucshon. Thank you, Mr. Chairman. And good morning to
everyone. I am pleased that we are holding a hearing today on
such an important topic.
    According to a recent report published by the Government
Accountability Office, there were nearly 50,000 cybersecurity
incidents reported by federal agencies in 2012. Considering
that number was 5,500 in 2006, there is no doubt that
addressing cybersecurity needs is critical to global economic
competitiveness and national security interests of our Nation.
    In December 2012, the Center for Applied Cybersecurity
Research at Indiana University held a roundtable on cyber
threats, objectives, and responses. This issue impacts everyone
from children using the Internet in their homes to government
and industry officials trying to ensure our domestic
infrastructure is protected from cyber terrorists.
    During the Research Subcommittee hearing on February 14 on
Networking and Information Technology Research and Development,
or NITRD, witnesses testified about the cybersecurity threats
our Nation faces and emphasized that cooperation is required
for stakeholders to research and design ways in which to build
and maintain safer computer network infrastructures. The NITRD
program, which was the primary subject of that hearing, is the
coordinating body which the McCaul/Lipinski Cybersecurity
Enhancement Act appropriately utilizes to establish a strategic
plan for specific cybersecurity research.
    I am encouraged that the legislation we are discussing
today enhances the education and development of information
technology professionals, including those who work in the areas
of computer systems, computer security, and cybersecurity.
    I look forward to hearing from our witnesses about their
experiences and their recommendations on addressing America's
cybersecurity challenges.
    I now yield the balance of my time to Chairman McCaul.
    [The prepared statement of Mr. Bucshon follows:]

 Prepared Statement of Subcommittee on Research Chairman Larry Bucshon

    According to a recent report published by the Government
Accountability Office, there were nearly 50,000 cybersecurity incidents
reported by federal agencies in 2012. Considering that number was 5,500
in 2006, there is no doubt that addressing cybersecurity needs is
critical to global economic competitiveness and national security
interests of our nation.
    In December of 2012, the Center for Applied Cybersecurity Research
at Indiana University held a ``Roundtable on Cyber Threats, Objectives,
and Responses.'' This issue impacts everyone: from children using the
Internet in their homes to government and industry officials trying to
ensure our domestic infrastructure is protected from cyber terrorists.
    During the Research Subcommittee hearing on February 14 on
Networking and Information Technology Research and Development (NITRD),
witnesses testified about the cybersecurity threats our nation faces
and emphasized that cooperation is required for stakeholders to
research and design ways in which to build and maintain safer computer
network infrastructures. The NITRD program, which was the primary
subject of that hearing, is the coordinating body which the McCaul-
Lipinski Cybersecurity Enhancement Act appropriately utilizes to
establish a strategic plan for specific cyber security research.
    I am encouraged that the legislation we are discussing today
enhances the education and development of information technology
professionals, including those who work in the areas of computer
systems, computer security, and cybersecurity.
    I look forward to hearing from our witnesses about their
experiences and their recommendations on addressing America's
cybersecurity challenges.
    Mr. McCaul. Thank you, Chairman Bucshon.
    I want to thank Chairman Massie, Chairman Smith, Ranking
Members Lipinski and Wilson for allowing me to introduce this
bill once again. Again, I believe this is the third time we
have introduced this. Hopefully, the third time is a charm and
we will get this important legislation passed. It passed
overwhelmingly in two Congresses. I do believe this is the
Congress where we will get cybersecurity legislation passed
through the House, the Senate, and signed by the White House.
    It is imperative as we hear reports almost every day of
hackings taking place not only within the critical
infrastructures but within our Federal Government. The report
about the Chinese military hacking into our military systems,
stealing our military secrets, the attacks recently from Iran
against Aramco in the Persian Gulf and against our financial
institutions in the United States, and of course Russia, one of
the most sophisticated countries that continue to hack this
country on a daily basis.
    Whether it is criminal, whether it is espionage, or whether
it is cyber warfare, we cannot afford to wait any longer. The
White House has acted through an Executive Order. I think it is
imperative now that the Congress act and legislate as we are
supposed to be doing. It is not a question of if, but when the
next--or when a cyber Pearl Harbor will occur. And that is why
I have worked very closely with my good friend Congressman
Lipinski to bolster our Nation's cybersecurity research and
development.
    On February the 15th, we introduced this bill once again,
H.R. 756, the Cybersecurity Enhancement Act, which is identical
to the legislation passed overwhelmingly by the House last
Congress. It improves the coordination in government providing
for a strategic plan to assess the cybersecurity risk and guide
the overall direction of the federal cyber research and
development. It updates--and this responsibility is to develop
security standards for Federal computer systems and processes
for agencies to follow.
    Our bill also establishes a federal university private
sector task force to coordinate research and development,
improving the training of cybersecurity professionals, and
continues much-needed cybersecurity research and development
programs at the National Science Foundation and the National
Institute of Standards and Technology.
    Again, I would like to thank my colleague Chairman Smith
for allowing me to introduce this bill once again. I appreciate
your support for this bill, my colleague from Texas. And I look
forward to working with my colleagues on this Committee to find
solutions to the challenges of cyber research and development.
    And with that, I yield back.
    Chairman Massie. Thank you, Mr.----
    Mr. Bucshon. I yield back.
    Chairman Massie. Okay. Thank you, Mr. McCaul. And thank
you, Mr. Bucshon.
    The Chair now recognizes Mr. Lipinski for his opening
statement.
    Mr. Lipinski. Thank you, Chairman Massie.
    I want to thank you, Chairman Smith and Chairman Bucshon,
for holding this hearing to examine the serious cybersecurity
challenges faced by our Nation and what we can do to facilitate
solutions, including the Cybersecurity Enhancement Act that Mr.
McCaul said we recently reintroduced and I know that we have
passed this overwhelmingly in a Democratic House. In a
Republican House, hopefully, this time we can get it all the
way through because our country especially needs it as the
threats grow every year.
    Now, I want to echo my colleague's remarks about the nature
and severity of the challenges we face in cybersecurity in both
the public and private sectors. Four years ago, when we began
working on this legislation, I said I had no doubt that our use
of the Internet and other communication networks would continue
to grow and evolve, and that threats from individual hackers,
criminal syndicates, and even other governments would grow and
evolve, too. Today, it remains difficult to imagine just how
much more we will simultaneously benefit from and be made more
vulnerable by information technology.
    Hacking is no longer just a realm of computer whizzes.
Today, anyone can rent a botnet or gain access to other
sophisticated hacking tools with just a few keystrokes and less
than $100.
    Cybercrime threatens our national security, our critical
infrastructure, businesses of all sizes, and every single
American. As such, reducing our risk and improving the security
of cyberspace will take the collective effort of both the
Federal Government and the private sector, as well as
scientists, engineers, and the general public.
    With respect to that collective effort, I need to emphasize
the importance of research into the social and behavioral
aspects of cybersecurity. People are perhaps the most
significant part of our IT infrastructure, but they are also
the weakest link. Many cyber attacks are successful because of
human error, bad cyber hygiene such as unwittingly opening a
malicious email. Having the most sophisticated security systems
available won't make any difference if users don't change
factory-set default passwords or if they set easy-to-crack
passwords. Understanding the human element and educating users
to practice good cyber hygiene is necessary to combating
threats and reducing risk.
    Mr. McCaul and I are hopeful that our R&D bill will be part
of a comprehensive bipartisan cybersecurity bill. Previous
efforts to move a larger bill have stalled over some
significant policy disagreements, but I am hopeful that we will
be able to resolve our differences and I look forward to
working with both my colleagues and the Administration to
ensure the development of a strong cybersecurity strategy this
Congress.
    However, I am also concerned that top-line cuts to our
federal R&D budgets will have a negative impact on any long-
term cybersecurity strategy. So we must also take actions to
mitigate the impact of those cuts.
    Today, we will hear from witnesses who are actively engaged
in efforts to improve the security of our digital
infrastructure. I look forward to their valuable insights and
the challenges we face in tackling this complex issue and the
role of cybersecurity R&D and education in any comprehensive
solutions.
    I thank you, Mr. Chairman. I yield back the balance of my
time.
    [The prepared statement of Mr. Lipinski follows:]

             Prepared Statement of Subcommittee on Research
                Ranking Minority Member Daniel Lipinski

    I want to thank both Chairman Massie and Chairman Bucshon for
holding this hearing to examine the serious cybersecurity challenges
faced by our nation. In particular, I look forward to hearing feedback
from our witnesses on H.R. 756, The Cybersecurity Enhancement Act, that
I recently reintroduced along with Mr. McCaul.
    I echo my colleagues' remarks about the nature and severity of the
challenges we face in cybersecurity in both the public and private
sectors. Four years ago when I began working on this legislation I said
that I had no doubt that our use of the Internet and other
communication networks would continue to grow and evolve, and that
threats from individual hackers, criminal syndicates, and even other
governments would grow and evolve too.
    Today it remains difficult to imagine just how much more we will
simultaneously benefit from, and be made more vulnerable by,
information technology. Hacking is no longer just the realm of computer
whizzes. Today, anyone can ``rent'' a botnet or gain access to other
sophisticated hacking tools with just a few key strokes and less than a
hundred dollars.
    Cybercrime threatens our national security, our critical
infrastructure, businesses of all sizes, and every single American. As
such, reducing our risk and improving the security of cyberspace will
take the collective effort of both the Federal government and the
private sector, as well as scientists, engineers, and the general
public.
    With respect to that collective effort, I need to emphasize the
importance of research into the social and behavioral aspects of
cybersecurity. People are perhaps the most significant part of our IT
infrastructure, but they are also the `weakest link.' Many cyber
attacks are successful because of human error--bad cyber hygiene--such
as unwittingly opening a malicious email. Having the most sophisticated
security systems available won't make any difference if users don't
change factory-set default passwords or they set easy to crack
passwords. Understanding the human element and educating users to
practice good cyber hygiene is necessary to combating threats and
reducing risk.
    Mr.
McCaul and I are hopeful that our R&D bill will be part of a \ncomprehensive, bipartisan cybersecurity bill. Previous efforts to move \na larger bill have stalled over some significant policy disagreements, \nbut I am hopeful that we will be able to resolve our differences and I \nlook forward to working with both my colleagues and the Administration \nto ensure the development of a strong cybersecurity strategy this \nCongress.\n    However, I am also concerned that top line cuts to our federal R&D \nbudgets will have a negative impact on any long-term cybersecurity \nstrategy. So we must also take actions to mitigate the impact of those \ncuts.\n    Today, we will hear from witnesses who are actively engaged in \nefforts to improve the security of our digital infrastructure. I look \nforward to their valuable insight into the challenges we face in \ntackling this complex issue and the role of cybersecurity R&D and \neducation in any comprehensive solution.\n    Chairman Massie. Thank you, Mr. Lipinski.\n    If there are Members who wish to submit additional opening \nstatements, your statements will be added to the record at this \npoint.\n    It is now time to introduce our panel of witnesses. I yield \nto Ms. Lofgren of California, who will introduce our first \nwitness.\n    Ms. Lofgren. Well, thank you very much, Mr. Chairman. And \nit is indeed an honor to introduce Michael Barrett, who is the \nChief Information Security Officer for PayPal, located in San \nJose, California. 
He is the, as I say, the Chief Information \nSecurity Officer for PayPal, and in his role, he is responsible \nfor ensuring the security of PayPal\'s 113 million users \nworldwide.\n    Prior to joining PayPal, he was Vice President of Security \nand Utility Strategy at American Express, where he helped \ndefined the company\'s Information Security Program, and in \nprior years, he was President of the Liberty Alliance, an Open \nStandards Consortium focused on identity management standards \nand guidelines. He was the driving force behind the \nintroduction and standardization of the Alliance\'s federated \nidentity concepts, and he also co-chaired its Identity Threat \nPrevention Working Group.\n    He was twice named one of the 50 most powerful people in \nnetworking by Network World magazine, and it is wonderful that \nhe is testifying today about our bill that focuses on NIST and \nNSF, but I am also pleased that he has identified in his \ntestimony certain outdated statutes like EPCA, the Electronic \nCommunications Privacy Act, that have prevented anti-\ncybercrime-related programs, which is also an important service \nthat he is performing for the Committee today.\n    So thank you for letting me introduce this important \nwitness who comes from back home.\n    And I yield back.\n    Chairman Massie. Thank you, Ms. Lofgren.\n    I recognize Chairman Smith to introduce our second witness.\n    Chairman Smith. Thank you, Mr. Chairman.\n    Chairman, our second witness, Dr. Frederick Chang, is a \nPresident and Chief Operating Officer of 21CT. 21CT \nappropriately is headquartered within Texas\' 21st Congressional \nDistrict, which is home to Cyber City USA, otherwise known as \nSan Antonio, thanks in part to technology organizations like \nDr. Chang\'s.\n    Dr. 
Chang brings to us today with 30 years of public and \nprivate sector cybersecurity knowledge serving as the Director \nof Research at the National Security Agency and then in an \nexecutive role at SBC Communications. Additionally, he has \nserved in academia at both the University of Texas in San \nAntonio and the University of Texas in Austin. He received his \nB.A. degree from the University of California San Diego and \nboth his M.A. and Ph.D. degrees from the University of Oregon.\n    We welcome you, Dr. Chang.\n    And I yield back, Mr. Chairman.\n    Chairman Massie. Thank you, Chairman Smith.\n    Our final witness is Ms. Terry Benzel, the Deputy Director \nof Cyber Networks and Cyber Security of the USC Information \nSciences Institute.\n    As our witnesses should know, spoken testimony is limited \nto five minutes each after which Members of the Committee have \nfive minutes each to ask questions. Your written testimony will \nbe included in the record of this hearing.\n    I now recognize our first witness, Mr. Michael Barrett, for \nfive minutes.\n\n               STATEMENT OF MR. MICHAEL BARRETT,\n\n        CHIEF INFORMATION SECURITY OFFICER, PAYPAL, INC.\n\n    Mr. Barrett. Chairman Bucshon, Chairman Massie, Ranking \nMember Lipinski, Ranking Member Wilson, and Members of the \nSubcommittee, thank you for the opportunity to testify today \nabout what PayPal and the eBay Inc. family of companies are \ndoing to protect our users from the growing cybersecurity \nchallenges facing Internet-enabled companies and what our \nNation\'s policymakers can do to assist us in tackling these \nproblems.\n    My name is Michael Barrett and I am the Chief Information \nSecurity Officer for PayPal. EBay and PayPal connects millions \nof buyers and sellers across the globe through eBay \nMarketplaces, PayPal, GSI, and other mobile-based businesses. \nAnd we believe all sustainable 21st century retail business \nmodels will use the Internet and mobile technology. 
However, as \nthe Internet and mobile platforms become more attractive to \nconsumers and businesses alike, they also attract criminals. \nCompanies like PayPal will continue to work to protect the \nsafety and security of our platform and our users.\n    However, we believe that the traditional technical measures \nalone cannot significantly move the trend line and that there \nare concrete steps that industry and policymakers should take \nto significantly mitigate the impact of cybercrime. For \nexample, on a daily basis Internet companies are run into sites \nwhere they have been compromised and they are used as \n``phishing\'\' or ``spoof sites.\'\'\n    Recognizing the growing threat, PayPal launched an industry \nstandards program called DMARC, which is intended to increase \ntrust and combat email deception and fraud. DMARC allows \nsenders to experience consistent authentication results for \ntheir messages at AOL, Gmail, Hotmail, Yahoo!, and any other \nemail receiver implementing DMARC. The program removes the \nguesswork from the receiver\'s handling of any failed messages, \nlimiting or eliminating the user\'s exposure to potentially \nfraudulent and harmful messages. In its first year, DMARC \nprotected 60 percent of the world\'s email inboxes and rejected \nhundreds of millions of potentially fraudulent messages.\n    In addition to email authentication, we have also been \nengaged in efforts to create a reliable identity management \nsystem. We have participated in two different programs: the \nNational Strategy for Trusted Identities in Cyberspace (NSTIC) \nand the Fast Identity Online Alliance, or FIDO.\n    NSTIC is a White House initiative led by the National \nInstitute of Standards and Technology, which is intended to \nwork collaboratively with all interested stakeholders to \nimprove the privacy, security, and convenience of sensitive \nonline transactions. 
PayPal will be offering more services to \nour customers over the coming months that directly support both \nthe NSTIC vision, which we expect will result in many new \nbenefits to both our customers and the Internet overall.\n    PayPal was also one of the cofounders of the FIDO Alliance, \nwhich is intended to address the lack of interoperability among \nstrong authentication solutions, as well as the problems users \nface with creating and remembering multiple usernames and \npasswords. By giving the option to replace passwords with \nauthentication methods embedded in hardware, it can be used in \nbiometric tools such as fingerprint scanners, voice and facial \nrecognition, or more traditional security methods. Our goal is \nto provide an easier and safer solution to every company, \nvendor, and organization that needs to verify a user\'s \nidentity.\n    Although it is the responsibility of industry leaders like \nPayPal to ensure the safety and security of our platforms and \nour users, federal policymakers have an important role to play \nin creating a secure Internet and mobile ecosystem. What we \nhave found from our years of combating cybercrime is that \nquantifying the forecast is difficult, if not impossible, \nbecause many incidents are not reported. Estimates of the \nmagnitude and scope of cybercrime vary widely, making it \ndifficult for policymakers and industry to fully understand the \nproblem and the level of effort that will be needed to combat \nit.\n    We recommend that policymakers fund some research that \nhelps fill some of the information gaps that currently exist as \nit relates to cybercrime. 
We believe that this research will be \na critical tool in arming policymakers, law enforcement, and \nindustry against the growing threat of cybercrime.\n    In addition, PayPal appreciates the bipartisan efforts of \nthe Committee to create a legislative framework that creates \ninnovative solutions to issues such as cybersecurity R&D, \neducation and workforce training, and standards development. \nImportantly, it achieves these ends without creating undesired \nside effects, and we welcome the opportunity to work with the \nCommittee on these priorities.\n    To conclude, it is our hope that in the years to come the \nchallenges we face today from cybercrime will be a faint \nmemory. But until then, PayPal is committed to partnering with \npolicymakers and private and public stakeholders to ensure that \neverything we do in our power to create an ecosystem that is \nsafe and secure.\n    I appreciate the opportunity to testify before the \nCommittee and I look forward to your questions.\n    [The prepared statement of Mr. Barrett follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9926.005\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.006\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.007\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.008\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.009\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.010\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.011\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.012\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.013\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.014\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.015\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.016\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.017\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.018\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.019\n    \n    Chairman Massie. I now recognize our next witness, Dr. \nFrederick Chang.\n\n              STATEMENT OF DR. FREDERICK R. CHANG,\n\n       PRESIDENT AND CHIEF OPERATING OFFICER, 21CT, INC.\n\n    Dr. Chang. 
Chairman Massie, Chairman Bucshon, Chairman \nSmith, Ranking Member Wilson, Ranking Member Lipinski, Members \nof the Subcommittees, thank you for the opportunity to testify \nbefore you today on the hearing on the topic of cyber R&D \nchallenges and solutions.\n    My name is Frederick R. Chang and I am currently the \nPresident and COO of 21CT, Inc., a small high-tech company in \nAustin, Texas. In prior positions, I have served as the \nDirector of Research at the National Security Agency, in \nacademia at the University of Texas--at both the San Antonio \nand Austin campuses, and in the telecommunications industry.\n    I would also mention that I have served as a member of the \nCSIS Commission on Cybersecurity for the 44th Presidency, and I \nam currently a member of the Texas Cybersecurity Education and \nEconomic Development Council.\n    I do not have to tell you that we are under attack in \ncyberspace. Those of us in the field of security have known \nabout it for some time now, but now the problem has broadened \nand deepened its scope. Our friends know, our neighbors know, \nour kids know.\n    The field of cybersecurity is too reactive and after-the-\nfact. We wait for something bad to happen and then we respond. \nWe lack the fundamental scientific understanding of causes, of \nsolutions, of countermeasures. Science uses words like \nevidence, metrics, repeatability, predictability. In \ncybersecurity these words are not used often enough. Indeed, \nwhen it comes to predictability, about the only thing we can \npredict with a high degree of confidence is that a determined \nhacker will be able to compromise the target system.\n    At the turn of the 20th century, life expectancy in the \nUnited States was a little over 47 years. A century later, it \nwas nearly 77 years. Why did this happen? A large part of the \nimprovement can be traced to advances in public health and an \nimproved understanding of the science of infectious diseases. 
\nAfter World War II, scientists isolated causes and developed \nsolutions for diseases like polio, measles, and chickenpox. I \nam not arguing that the cybersecurity problem today is as bad \nas polio was in the \'40s and \'50s, but I am suggesting that we \nknow how to make a dent in the problem.\n    It won\'t be easy because the problem is truly a daunting \none against a highly adaptive adversary. I believe that a broad \nand interdisciplinary approach will be necessary. I offered a \nfew ideas in my written testimony.\n    One of the major obstacles to more progress in \ncybersecurity is a lack of qualified and well-trained \nprofessionals in the field. Just as a generation of students \nbecame fascinated by and intellectually curious about space, \nscience, and engineering after the launch of Sputnik, we need \nfor that to happen now for a new generation of students about \ncyberspace science and engineering.\n    The skills gap comes up time and time again. It was a key \nissue in our work on the CSIS Cybersecurity Commission co-\nchaired by Congressman McCaul and Congressman Langevin, and it \nwas a key issue in our work on the Texas Cybersecurity Council.\n    And representing a small company with ongoing demand for \nhighly technical cyber hires, it is a constant challenge for us \nto identify and recruit the necessary expertise. Not only do we \nneed a long-term pipeline of well-trained students to fill the \nmany jobs that will be necessary, but the demand is \nparticularly acute with respect to the requirement for the \nextremely deep technical skills needed to operate at the very \nhighest levels.\n    In a CSIS Commission report from 2010, there was an \nestimate that we have about 1,000 deeply technical people in \nthe United States who can operate at the most elite levels but \nthat we need something like 10,000 to 30,000. 
The report went \non to say we not only have a shortage of the highly technically \nskilled people required to operate in support systems already \ndeployed, but also and even more desperate--a more desperate \ncharge of people who can design secure systems, write safe \ncomputer code, and create the evermore sophisticated tools to \nprevent, detect, mitigate, and reconstitute from damage due to \nsystem failures and malicious acts.\n    The legislation in H.R. 2096 places front and center two of \nthe items I believe are central to making more progress in \nimproving the Nation\'s cybersecurity posture: research and \ndevelopment and cybersecurity workforce development.\n    Let me close by saying that I have suggested some things in \nmy testimony that will take a long time to implement. For \nexample, producing a long-term, robust, and deeply technical \ncybersecurity workforce or creating a science of cybersecurity \ncould take decades.\n    I am reminded of an old proverb. The best time to plant a \ntree was 20 years ago. The second best time is now. It is my \nsincere hope that 20 years from now we can look back at this \ntime and say that this is when we began to turn the tables on \nour cyber adversaries and took the advantage back.\n    Thank you again for the opportunity to speak with you \ntoday.\n    [The prepared statement of Dr. Chang follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9926.020\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.021\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.022\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.023\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.024\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.025\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.026\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.027\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.028\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.029\n    \n    Chairman Massie. Thank you, Dr. Chang.\n    I now recognize our final witness, Ms. Terry Benzel.\n\n                 STATEMENT OF MS. 
TERRY BENZEL,\n\n       DEPUTY DIRECTOR CYBER NETWORKS AND CYBER SECURITY,\n\n               USC INFORMATION SCIENCES INSTITUTE\n\n    Ms. Benzel. Thank you, Chairman Massie, Ranking Member \nWilson, Chairman Bucshon, Ranking Member Lipinski, and Members \nof the Subcommittees. I am pleased to offer my perspective on \ncyber R&D challenges and solutions based on 30 years in the \ncybersecurity community.\n    I bring an interesting perspective stemming from Principal \nat a startup company, Vice President at McAfee Software, and \nnow the Deputy Director of our Cyber Networks and Cyber \nSecurity Division at the Information Sciences Institute, a \nresearch lab with the University of Southern California\'s \nViterbi School where I direct the DETER project, a \ncybersecurity research, experimentation, and test facility.\n    I would like to address four key points today: one, the \nimportance of broadening the purview of cybersecurity R&D; two, \nthe importance of research infrastructure for experimental \ncybersecurity R&D; three, the importance of new models for \ntechnology transfer from university research into commercial \npractices and products; and four, the importance of higher \neducation for developing next-generation cybersecurity \nresearchers and technologies.\n    Let me start with the importance of broadening the purview \nof cybersecurity R&D. All too often our research is narrowly \nfocused on single topics. For example, we have many people \nconducting excellent research in distributed denial of service, \nworms, botnets, and Internet routing, each studied individually \nand deeply. But believe me, our adversaries are not looking \nnarrowly. In fact, they are looking at the combinations of \nthese different kinds of threats and vulnerabilities, as well \nas combining that with cyber physical systems and social \nengineering.\n    We can no longer afford to look narrowly at the hard \nproblems. 
Even more so, cybersecurity is no longer solely an \nengineering discipline. We must involve economists, \nsociologists, anthropologists, and other disciplines. While \nthere has been some progress in these areas by the National \nScience Foundation, DHS S&T, and others, my first \nrecommendation is we must increase the breadth and scope of \nstrategic cyber R&D and increase opportunities for \nmultidisciplinary research.\n    Let me next address the need for research infrastructure \nfor cyber R&D. Historically, we have struggled to prove the \nvalue of security technologies. Security is often viewed as the \nabsence of something bad happening. I didn\'t get broken into, \nso I must be secure. When I was a Vice President at McAfee \nSoftware, I visited large customers--banking, manufacturing, \nand retail--and I was always asked about return on investment, \nhow much to spend and how best to leverage cybersecurity \ninvestments. The truth is we had no easy answers except, of \ncourse, to buy our products.\n    We need to be able to conduct science-based cyber \nexperimentation and tests just as in other scientific \ndisciplines, real hypothesis-based testing, what-if scenarios, \nrepeatable, demonstrable results. We provide this in the DHS- \nand NSF-funded DETER project where we provide tools and \nmethodologies for researchers to live in the future creating \nnew capabilities not yet imaginable. We must as a Nation create \na paradigm shift in experimental cybersecurity. While NSF, DHS \nS&T, DOE, and DARPA have all invested in cyber testbeds and \nranges, the results are uneven and not widely available.\n    And this brings me to my second recommendation. Formulate a \nresearch strategy agenda to develop a broad multi-\norganizational cybersecurity experimentation and testing \ncapability.\n    Let me now address technology transfer. We have had major \ninvestments over the last 20 to 30 years, yet we are still \ninadequately prepared. 
Much research fails to see the light of \nday. While historically we have had insufficient awareness of \nthe complexity of cybersecurity tech transfer, we have had \nscattershot approaches to cyber R&D, and a mismatch between \nmarkets and threats. To address these growing demands, it is \nimperative we create new models of technology transfer where \nthe government-funded efforts help steer strategic \ncybersecurity R&D and their new university public partnerships.\n    As I have said already, we need to finally have education. \nMore than just training, we need to educate the next generation \nof researchers and technologists and we need to do this by \noffering hands-on exercises and educational opportunities.\n    Let me summarize. We are beginning to see progress in all \nof these areas. NSF, DHS, and others deserve recognition for \nthe focus they have brought to strategic programs. However, the \ncurrent steps are not enough. We are lacking by orders of \nmagnitude. In order to shift the dynamic in the battlefield, \nthe Security Enhancement Act of 2013 includes provisions for \nthese recommendations. Taken together, the four recommendations \nI have outlined today form a basis for multipronged, \nsustainable, national projects to address R&D challenges, and I \nurge you to take action now. Thank you for your time.\n    [The prepared statement of Ms. 
Benzel follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9926.030\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.031\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.032\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.033\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.034\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.035\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.036\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.037\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.038\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.039\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.040\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.041\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.042\n    \n    [GRAPHIC] [TIFF OMITTED] T9926.043\n    \n    Chairman Massie. Thank you, Ms. Benzel.\n    I thank all the witnesses for their testimony today. \nReminding Members that Committee rules limit questioning to \nfive minutes, the Chair will at this point open the round of \nquestions. And I now recognize myself for five minutes.\n    Mr. Barrett, as a representative of private industry, it \nwas good to hear you acknowledge that it is PayPal\'s \nresponsibility to ensure security for PayPal\'s customers. But \nyou alluded to some gaps in the research that exists and that \nthere might be a role for the Federal Government to fund \nresearch in these gaps. Can you motivate the need for federal \nfunding in this area and then also talk about what some of \nthose gaps are?\n    Mr. Barrett. Yes, I alluded to this problem a little bit in \nmy oral testimony. Essentially, we have a problem at the moment \nwhich is we actually don\'t know how bad the problem is. We--it \nsounds perverse to say it that way, but essentially, there are \nhugely disparate estimates that you see flying around in \nvarious publications of the scale of the problem. Everybody \nagrees it is getting worse, but I have three rhetorical \nquestions that I would like to ask and they are significant \nones. 
And actually, at the moment, I defy anybody to answer \nthem.\n    So again, I am purely talking about cybercrime, not cyber \nterrorism or cyber warfare. So I work for a commercial \nenterprise so we have a narrow worldview.\n    So the questions are these: how much money is lost to \ncybercrime on an annual basis in the United States alone? And I \nam not talking about how much money people like me spend on \nrunning a defensive team. I am actually talking about dollars \nthat our customers--and therefore we--lose. So that is question \none.\n    Question two is where does it go? Is it all going back into \nthe United States or is it going overseas? And what are the \ndistributions of country? Now, various people in my industry \nhave various hypotheses about where it is going, and certainly, \nmy team has all sorts of interesting hypotheses. But \nfundamentally, it is unsupported by large-scale data.\n    And then finally, do those countries actually have good \nprograms themselves to manage cybersecurity, and do they in \nfact prosecute cyber criminals? Do they even recognize \ncybercrime violations as being violations of law or are they \njust oh, well? It is kind of the equivalent of doing some \nantisocial act and there are no consequences.\n    We have no answers to those questions today and they are \nreally important ones that I think are at the heart of what the \nFederal Government could do to help understand the problem \nbetter.\n    Chairman Massie. Thank you.\n    My next question is for Ms. Benzel.\n    In this bill we are contemplating expanding funding at \nuniversities which are typically open universities where \nsharing is encouraged. And you mentioned the DeterLab at your \ninstitution, which is funded by DHS and DOD I think. Can you \ntell us or give us some level of comfort that we wouldn\'t be \nfunding efforts that could then be used by our adversaries? \nThank you.\n    Ms. Benzel. 
Being part of a major university and having a deep faith in the need for education, we do run an open facility. It is funded, as I said, by Department of Homeland Security. And so the DeterLab is a national--and yes--it is an international resource that is available for anyone to be able to use. Obviously, we vet our users. Our approach within the DETER system is to be looking at defenses. And defenses need to be something that can be openly developed. Looking at security by obscurity is sure to get us into trouble.

    Now, having said that, I am being a deep believer in being able to educate our next generation and to do publications, et cetera, there are opportunities to do research in other environments which might be more closed and might be providing some classified support for. But we advocate an openness in educating the next generation. Thank you.

    Chairman Massie. Thank you very much. DeterLab makes a lot more sense than DeterLab.

    Ms. Benzel. We do try and deter the attackers as we say. Thank you.

    Chairman Massie. Okay. I now recognize Ranking Member Ms. Wilson for five minutes.

    Ms. Wilson. Thank you, Mr. Chairman. Mr. Chairman, as outlined in my opening statement, a few of the agencies within our Committee's jurisdiction have indicated that sequestration could impact their cybersecurity research and development portfolios. I would like to place two letters in the record, one from NSF and one from DHS, detailing those potential impacts.

    To all, in his testimony, Dr. Chang recommends that the legislation raise the trajectory of cybersecurity research and development spending from its historical levels because it would create long-term benefits in our effort to improve the Nation's cybersecurity posture. As you are all likely aware, sequestration is set to take effect on Friday. Sequestration will cut federal R&D budgets by 8.2 percent, and agencies like NSF and DHS have indicated that research in cybersecurity may be affected.

    How would the security posture of the United States be impacted if sequestration were to take effect and cybersecurity research and development was significantly cut? Dr. Chang?

    Dr. Chang. In the 2010 CSIS report, we reported a number of about 2/10 of one percent of the federal R&D budget was spent on cybersecurity. And I looked recently. That number is just a little bit larger now. If you think about the priorities that the Nation is now placing on cybersecurity, the fact that it is something less than one percent seems to be a small number. It is not for me to determine what the priorities are but that just strikes me as a sort of a low number.

    I guess I am suggesting that it needs to be a long-term prospect. I mentioned this analogy with planting trees. I am suggesting that we need to plant a few trees to place some bets on some research issues that are going to build over time. Research certainly won't guarantee answers, but as I mentioned as related to infectious diseases, we need to understand causes. We need to understand solutions. We need to understand countermeasures. We know how to do it. We have done it before. We have gone after large public programs before. And my suggestion is research is required to make some long-term bets and begin changing the vector on what the defensive posture looks like.

    Ms. Wilson. Ms. Benzel?

    Ms. Benzel. Yes, I think that we have begun to see some progress in the funding, of course, at a very small level as Dr. Chang says in being strategic about our cybersecurity R&D. If we are to slow that down as a result of funding cuts with sequestration, then we have set ourselves back. We are already on the losing end of an asymmetric battle. And giving our adversaries another year to gain a leg up while we fight our own internal budget is only going to make the situation much worse.

    You know, as it is with funding cycles with places like the National Science Foundation it takes close to a year from the time I, as a researcher, have an idea, submit that idea, and get a contract. And so again introducing another delay as a result of the budget battles is only going to set us back. And in particular, a point in time when these agencies have become much more strategic, better coordinated, and better focused in their research. We have researchers in the pipeline. We have projects that are happening today, and we can't afford to stop them, slow them down, or lessen and weaken their effects while the adversaries are on a dramatic increase as we have seen recently.

    The change that we see in the adversarial landscape in the last year is ten times what we saw in the ten years before. And so any gap in funding is going to be extremely detrimental. Thank you.

    Ms. Wilson. Thank you, Mr. Chair.

    Chairman Massie. On the gentlelady's request to include two letters in the record?

    Ms. Wilson. I have them.

    Chairman Massie. Without objection, so ordered.

    [The information appears in Appendix II]

    Chairman Massie. I now recognize Chairman Bucshon for five minutes.

    Mr. Bucshon. Thank you, Mr. Chairman.

    And there has been some emphasis on the importance of social science research and cybersecurity, among other areas, partly because so much security has to do with human behavior. And the Cybersecurity Enhancement Act supports this type of work in Section 104 of the legislation.

    The question is--I will direct this to Mr. Barrett first--is--let me say a couple of things that have been funded recently--$1.2 million to pay seniors to play video games, $764,825 to study how college students use mobile devices for social networking. So with these type of things being funded, how should we prioritize social science research conducted by the National Science Foundation to ensure that such work is focused on critical national needs such as cybersecurity?

    Mr. Barrett. I am not sure whether it is necessarily proper for me to have an opinion on how Congress should prioritize the work of the National Science Foundation, but I do think there are key research gaps, and certainly, in a number of areas in part about cybersecurity education, which is woefully lacking across the spectrum from young kids up through college-level curricula and various different levels. As Dr. Chang alluded earlier, we don't frankly have enough information security professionals in the field. There is essentially a major skills shortage there. There was basically zero unemployment in my field throughout the recession. And that in its own right is saying something.

    Very clearly, there is a lot of work that can be done in understanding behavior around how people interact with computers from a security perspective. And that certainly is a topic worthy of research. Because if you don't understand how people use the computers, especially for security tasks, then it is very hard to see what you can do with them. But I should----

    Mr. Bucshon. Yes, thank you very much. And again, the Cybersecurity Enhancement Act supports this type of work.

    Dr. Chang, do you have anything to add?

    Dr. Chang. I do. Thank you. I mention in my written testimony that cybersecurity is a wicked problem, wicked not meaning evil but wicked being resilient to solution. A characteristic of the wicked problem is that what you believe is a solution may actually make things worse. As it relates to that kind of the human component, I am reminded of a concept known as risk homeostasis, and that is basically the idea that people have sort of a risk level that they generally operate at, and if they believe that something is now more safe, they will actually act riskier.

    There are some classic experiments showing that when taxi drivers are given better safety on their taxicabs, let us say antilock brakes, you would think that the incidents of accidents would actually go down because the cars are safer, you can steer better and stuff at high speeds. It turns out that the level of accidents might actually go up a little bit because the taxi driver started thinking they were safe and started driving faster and causing more accidents.

    Same thing might be happening in cybersecurity such that you are actually making--you are telling the user that they are actually now more safe. When they think now I am more safe, and now I am going to start doing riskier things. And so it is just a sort of very complex thing where you have the best intention that a solution is making something better but it actually makes it worse.

    Mr. Bucshon. Thank you. And this will be directed at Ms. Benzel. I am a parent. I have kids. And I know how my kids almost shut down one of my computers, essentially a black screen. I had to get a computer guy to come out and get it back, and there were literally hundreds of viruses and Trojans and everything else. So I mean I am amazed at what children can do on a computer. And however, there are threats that are directed at all of us through children. Does the current parental control technology adequately protect minors against this type of threat if used properly or are there areas of research and developmental efforts to address this?

    Ms. Benzel. Yes, I would have to say I am not a particular expert in the current set of parental control technology that is out there. I believe that looking at how we model the human behavior and understanding, as Dr. Chang said, the relationship between the way people use their computers. And I am just as concerned about our children as we are to the seniors or the uneducated users. And so I believe that we do need to advance that technology, but I would have to get back to you on the state-of-the-art in the current parental technology.

    Mr. Bucshon. Thank you. I yield back.

    Chairman Massie. Thank you. I now recognize Mr. Lipinski for five minutes.

    Mr. Lipinski. Thank you, Mr. Chairman.

    As many people here know, I am a--used to be--maybe I still am--a political scientist, and I know that there is--I have seen plenty of bad social science research in my time. But I think it is important--and I am not trying to start a fight here on this but I know that the--I pay attention--I look to see what is going on and what is being said about some of the supposedly bad research that is being funded. And my understanding is--was the $1.2 million videogame claim was given a pants-on-fire by PolitiFact because it was helping to study how to keep seniors sharp and keep their cognitive skills up as they are getting older.

    But that said, I mean there is some bad research but we need to be doing good research. Obviously, there are--as all of you have pointed out--social science research and how people interact is key because it is one of the weakest links that we have right now in cybersecurity.

    I wanted to ask about technology transfer. Ms. Benzel had mentioned barrier technology transfer in your testimony. I have a great deal of interest in this, particularly in areas like cybersecurity. It is vital that we translate as much federal research as possible to new products and new companies that we can help keep our cyber infrastructure secure, and also it has the added benefit of creating new jobs so long as we can also address the workforce and education issues that our witnesses have raised.

    But I just want to ask the panel, what steps can Federal Government take the best partner with industry in encouraging technology transfer in the cybersecurity sector? Ms. Benzel?

    Ms. Benzel. Yes, thank you very much for your question. It is an important area.

    So we do need Federal Government to help us fill the gap between the university research and industry. And I think I can speak somewhat authoritatively to that having spent much time in a university, as well as being a Vice President of Research at McAfee. We have all heard about the Valley of Death.

    So we really do have some models that are broken between expecting that industry can just pick up and take research prototypes that have been developed in a university kind of setting. So we need strategic funding which pushes us in a particular direction with an awareness. The DHS S&T program run by Dr. Doug Maughan has introduced new efforts to work with VCs to its signet organization to be able to get venture capitalists and to have the researchers be aware of technology transfer from the day that they write their proposals.

    The National Science Foundation had introduced its Transition to Practice. I am arguing that we need a lot more of these sorts of things where we have very early-on awareness of where we want to go. And as a researcher, we want to do the fundamental basic research, and that is absolutely necessary. But as researchers, we also want to see our work have an impact. And we need help in working with the different types of organizations. And that is where we call for, as the bill currently does, industry partnerships with venture capitalists, with different kinds of technology organizations. There is really nothing currently in that middle to help fill the gap between the research dollars and the product dollars. And I have to say, unfortunately, it is not realistic to believe that industry can simply pick up and do it. Industry is focused on its near-term market, next quarter features, and are totally market-driven and sales driven, particularly in today's economy. And so we need some bridging dollars which should come from combinations of university, public/private partnerships, and federal funding in that new area.

    Thank you very much.

    Mr. Lipinski. Dr. Chang, do you want to add something?

    Dr. Chang. Sure. I will just support what Terry mentioned.

    There is this model I like to use: technology transfer is a contact sport. So it is not uncommon for the private sector to establish sort of I guess what you might call lab-lets or sort of mini-labs with the university. And the folks in the private sector would work sort of shoulder-to-shoulder with the folks at the university such that when an innovation is developed, it isn't sort of tossed over the cubicle wall and you would like for the private sector company to incorporate it. But rather, they are generated together.

    To the extent that this kind of notion, of kind of, working hand-in-hand between the government, between the private sector and academia would be representative of this notion of let us develop the technologies together. Technology transfer is a contact sport. Let us have them work together. I think that is a useful concept here.

    Mr. Lipinski. Thank you.

    A quick question. Mr. Barrett mentioned NSTIC. I just want to know when will we be able to do--instead of having passwords, have a thumbprint that we use to identify ourselves?

    Chairman Massie. Very quickly, please.

    Mr. Barrett. Yes, we are actually working on that. That is the FIDO Alliance work that I mentioned at the beginning, which is trying to develop open standards to actually make those kind of technologies become much more widely used. And I think you will actually see products deployed in the market before the end of the year that do exactly that.

    Chairman Massie. Thank you.

    I now recognize Mr. Hultgren.

    Mr. Hultgren. Thank you, Chairman. Thank you all for being here. I appreciate it very much.

    This would be first addressed to all of you. My understanding is this growing mass of data that is available online certainly has implications for cybersecurity. In some ways, I know the data can be analyzed to help identify potential cyber threats, but I also know in another way the data provides bad actors with additional opportunities to exploit that data.

    I wonder can you discuss how the emerging big data phenomenon poses both challenges and opportunities for cybersecurity research and development, and also just any recommendations you might have for policymakers to address this phenomenon in a beneficial way and not a harmful way?

    Dr. Chang. Sure. I guess I will kind of mention the notion of dual use. So many of the cyber technologies are so-called dual use. So my company, 21CT, Inc., basically has capabilities to analyze big data to sort of find suspicious behaviors in an attempt to improve the defensive posture of somebody's network. At the same time, an adversary could use similar technologies to sort of target folks similarly to look for vulnerabilities and so forth.

    So it is always kind of a really important kind of balancing act and kind of risk assessment proposition such that you will always know that the technologies that could be used for defense could potentially be flipped over. So it is important to kind of understand both sides, understand the technologies deep enough and then make sure you sort of come to the right balance point.

    Ms. Benzel. Well, as a researcher I find big data to be very exciting. From the research point of view and networking and network cybersecurity, we have always been lacking in data. And so again, DHS has its PREDICT program and some of the researchers in my organization have done some really groundbreaking work at analyzing the data, mapping the Internet, the first Internet census to give us information both about the known spaces and the dark spaces.

    Clearly, in all of our research, there are two sides to it and we need to be very understanding about how things could be used against us.

    I say the other point to also bring in to this discussion about big data are issues with privacy. And so as citizens, we need to understand how the data is being used, stored, and moved about in transit.

    Mr. Hultgren. Mr. Barrett, before you answer, I would love to hear your thoughts on this as well, but I have one other additional question I would like to ask you so if maybe you can respond to both. We already talked a little bit about authentication--online authentication and the challenges there. I understand many European governments issue voluntary electronic identification cards combining two unique identifiers to serve as a type of online passport. But for various reasons, I believe the United States is unlikely to endorse any sort of government-sanctioned identification mechanism. I understand businesses have been working for years on providing different online identity schemes to consumers and that the Administration's National Strategy for Trusted Identities in Cyberspace, or NSTIC, intend to use that work to find common standards for online identities.

    I wondered in your view should the government be involved at all in this process? If so, is NIST the appropriate agency to coordinate the effort? How do we ensure privacy? And what prevents this effort from eventually resulting in regulations that inhibit innovation?

    Mr. Barrett. So we have been enthusiastic supporters of the NSTIC initiative ever since it was first proposed. Simply because, as Congresswoman Lofgren said when she introduced me, a decade ago I chaired the Liberty Alliance, which is an open standards organization in the identity management space. It has actually proven quite difficult to develop really large-scale identity ecosystems on the Internet.

    We show a lot of promise for users, and so tying that back to the question about breaches in big data, the silver lining in the cloud of all of the data that has been published in last few years essentially as a byproduct of criminal activities is that we now actually understand how consumers in large-scale use passwords in particular. And the answer is a depressingly large number of them, something like 2/3 of them, use the same password absolutely everywhere they go on the Internet, with a net effect that their security of every single account they possess is now the security of that least secure place they visited.

    And so having an ecosystem that is built around consumers managing their own identity online and allowing the Federal Government to help kind of just appropriately nudge that but not place too constricting a role is very important. And that is actually why a guy on my team was the first Co-Chair of the Identity Ecosystem Steering Group so--

    Mr. Hultgren. My time is expired. Thank you all very much. Thank you, Mr. Chairman.

    Chairman Massie. Thank you.

    I now recognize Mr. Bera.

    Mr. Bera. Thank you, Mr. Chairman.

    As an academic physician who comes out of a research background, I truly appreciate the analogy with healthcare and what we do in medicine and the importance of doing research in our academic and research universities. The fact that we do a lot of experiments, that we look for solutions and we fail a lot, but we are constantly feeding that back into the system. And then we have that major breakthrough. Where we fall down in the academic centers--and Ms. Benzel touched on it--is we don't know how to then take those ideas to market.

    You touched on the issue of technology transfer and how important that is. I am a firm believer that we would not be able to do the research that we do without the Federal Government's funding of our academic centers. But we do need to do a better job with technology transfer.

    What would your suggestion be as a best practice model of taking idea to market given that you have worked on both sides of this?

    Ms. Benzel. Well, thank you very much. You know, I agree with Dr. Chang. It is a contact sport. We can't do the wait-until-the-end-and-throw-it-over. And so I think the best practice model is early engagement. Engage early and often. So they say encouraging the fundamental research funding organizations to call out for tech transfer from day one from the time you write your proposal and come up with your idea, opportunities for communications and meetings with a variety of industry partners, opportunities to understand the needs that are out there and to work with different kinds of funding models both with things such as venture capital organizations who might be willing to take some of the risk in early technology and also on the university side.

    So at the University of Southern California we have the Stevens Institute that works with our researchers early on. So early and often. Thank you.

    Mr. Bera. Absolutely.

    Now, also as a former Associate Dean out of University of California Medical School, we focus a lot on the workforce issue recruiting the best and the brightest and then retaining those individuals. You know, on the issue of cybersecurity, on the issue of making sure we have the computer science professionals, we don't have enough engineers in this country and we are not graduating enough engineering students or programmers. In other sectors of IT we are certainly trying to get that workforce from abroad. But on the issue of cybersecurity, we need a homegrown workforce because this--these are issues that are critical to national security.

    Dr. Chang, you touched on this a bit. What are some models that we can use to continue to recruit and retain the best and the brightest to go into areas of information technology and then go into both the service sector working for the Federal Government, working for our Department of Defense and Department of Homeland Security? Because they can make 10 times as much going off into the private sector but we need some of the best and the brightest working to protect our country.

    Dr. Chang. I was recently in a meeting with some folks in Austin where we talked about a very sort of broad approach that would incorporate trying to recruit students of many ages in many disciplines. There is a program that has recently started in New Jersey. It is referred to as Cybersecurity Centers, and they basically have these kind of initial competitions that begin attracting people from all walks of life, maybe former military. There are 16 roles, just a whole group of folks. And then depending on how they do in that initial competition--and it is a fun competition. It sort of capitalizes on people's interest in just competing and sort of a person-on-person competition. And then depending on how you do with that, the people who are more skillful sort of move on.

    But it is this notion of can we come up with ideas that attract many, many people, and then if they have a particular propensity to kind of move forward, then you can kind of winnow them down. I mentioned that there was this need for extremely technical deeply elite people. But you have to have a broad funnel to kind of bring them in and then a way to successfully kind of pull out the people who operate the highest levels.

    Mr. Bera. Wonderful. So playing off of what you just mentioned, I would ask our Committee to look at returning veterans, men and women who have already shown their patriotism to this country, already understand the service to our Country and the immediate need to protect ourselves and looking for strategic ways to get those folks engaged through our modern GI Bill and so forth to get these skills.

    I yield back.

    Chairman Massie. Thank you.

    I recognize Mr. Schweikert.

    Mr. Schweikert. Thank you, Mr. Chairman.

    Mr. Barrett, first off, you have a bunch of PayPal folks in Scottsdale, don't you? Yes, it is--when I am in-district, I seem to start every morning having coffee with them. We all attend the same Starbucks. As a company, you have been trying to roll out a number of different products, you know, cell phone billfolds or some of those types of mechanics. When we are talking about cybersecurity, how much is the threat on this site slowing down your adoption and introduction of new products?

    Mr. Barrett. That is a really interesting question. It is hard to measure. There is certainly good evidence that consumers have been worried about security aspects of Internet solutions ever since the beginning of the Internet. And there is certainly some evidence that they care in the same way about mobile solutions, for example, and that they want to see that they are appropriately protected in those areas.

    The difficulty, of course, is in saying how much does the apparent lack of those features really impact their adoption? And so, for example, if you see a--one solution that has a lot of barriers to it, in terms of it is hard to use and has a lot of security features; but on the other hand, you have another very similar product that was much easier to use because it didn't have all these apparent security things that you have to do. Whether or not the consumers actually believe that, the one with the more security features is actually safer. And that ties back to the initial research we were talking about a little while ago.

    Mr. Schweikert. Well, Mr. Barrett, some of that is the adoption side. I am interested on your engineering side. Is it a suppressing effect to the design, you know, studio you would have on the introduction of new technologies?

    Mr. Barrett. If I am understanding the question correctly, it would depend on how much overhead we impose on the engineering teams in terms of how much we try to partition them and so forth. So, if we were working on confidential projects, then clearly we will partition those off as well as, yes, we do impose a number of security overheads as we develop those applications. But it is a--it has lots of tentacles in terms of----

    Mr. Schweikert. It is just having a fixation on expansion, economic growth, and new technology. I have always wondered how much of a suppressing effect I have over here.

    Mr. Chairman, Ms.--is it Benzel?

    Do you agree with Mr. Barrett's earlier comments that we--it is hard to have a quality census of how many bad actors, bad events, bad things that are actually going on in the cyber marketplace?

    Ms. Benzel. Well, most absolutely. I thought his questions were very astute and exactly right on. So----

    Mr. Schweikert. So as a Member of Congress, where would you send me if I really wanted to get from your academic, sort of, view of the world as much data saying, look, here is what the best census we have of banking attacks and this type of attacks? Or where would you go?

    Ms. Benzel. I think that is a very hard question. I mean, clearly, some of our intelligence agencies on the dark side have a good census of some of the levels of attacks that are happening, particularly in nation-state and against nation targets. The different industries tend to keep those things pretty closely held. Now, some of the work that has been done in the past to set up the Information-Sharing and Analysis Centers, the ISACs, are places where that knowledge is known but held close to the chest.

    Mr. Schweikert. Okay. And so right now, you are not sure there is a good collection of the census, shall we say?

    Ms. Benzel. Oh, I don't believe so.

    Mr. Schweikert. Okay. Mr. Chairman, Dr. Chang--and sorry, I am down to just a few, but you actually started to touch on something that I would love to have an extended discussion with you. And that is, how do we finance ourselves right now? Right now, we are sort of in a classic academic sort of model of finance, primary research. And hopefully, there is something that comes out of it.

    But what you were describing a little while ago in your experience sounds more like almost the X-prize-type mechanic of bringing people together, whether it be a garage engineer or an academic. And the person that produces something great gets to move forward. Do you think it is time we also start to wedge and design some other ways to finance innovation here?

    Dr. Chang. I will answer that in--maybe in kind of in connection with the question you asked to Mr. Barrett. Basically, security today is not where it needs to be, and fundamentally, somebody is going to have to pay to move security up. It will be the government because they have to prosecute more criminals. It will be software companies because they have to make software more secure. It will be people because people are bearing losses.

    So overall I would love to have a longer conversation.

    Mr. Schweikert. Mr. Chairman, thank you for your patience. Sorry.

    Chairman Massie. Thank you. If Dr. Chang would like to respond in writing for the record, that would be fine.

    I now recognize Ms. Esty. Oh, I am sorry. Mr. Peters. Sorry.

    Mr. Peters. Thank you, Mr. Chairman.

    And I appreciate the chance to be here today. This is an important industry in my district as well in San Diego, both because we are developing a lot of the software and also because the Navy has a lot of--or the military has a lot of interest in the field.

    And Dr. Chang, I am glad you are a UCSD grad, too. I appreciate that.

    My question is sort of, you know, we know that--I think it was yesterday that the Global Information Security Workforce Study from Booz Allen Hamilton said that 56 percent of cybersecurity professionals feel that security organizations are short-staffed and that the cybersecurity field is projected to grow 11 percent annually over the next five years. And so there is--I think it is widely understood that there is a gap in the workforce. But what I am sort of interested in is what are the--what is the field of cybersecurity from an academic sense? You described it as an interdisciplinary exercise. We know it is not just computer science or software. But if you were trying to certify someone in cybersecurity, kind of--do you have a sense--maybe you can help me understand what it is that that person would need to know. And that is for anyone.

    Dr. Chang. Sure. I can start. So there are the traditional disciplines that you learn in computer science about programming, about algorithms, about discrete math and so forth. You would add some elements to that in order to focus more specifically in cybersecurity. And so you would add more about networking, perhaps more about analysis. There is this interesting conversation happening at universities now where they talk about--that there is a classic computer science major and that maybe there ought to be a cybersecurity major as well.

    So there are many things in common but it is different enough such that it is worth an interesting dialogue about the extent that there is the creation of a specific major in cybersecurity.

    Mr. Peters. Well, I guess I think it would be helpful for us because the intent of the legislation before us is to kind of secure our future in that. But if we don't know kind of what we are educating--if you don't understand--if you don't have a sense or a consensus about what it is we are seeking to educate people in, we are going to--I think we face some of the concerns that we are not going to be or that the money is going to be bleeding, or we are not going to be effective?

    So if it is anthropology or if it is law in addition to these technical things, is there a way to land that plane?

    Ms. Benzel. So first off, I think you need to make a distinction between education and training. So many of the training organizations and CISSP certifications, that is one level of something that is about operations and being able to run things.

    And then there is the education challenge in terms of creating new researchers and new educators and Ph.D.'s. I think that we are just as a community--as Dr. Chang said--beginning to put forth master's curriculums in cybersecurity. USC is just about to introduce one starting next fall. And really, there are different fields. So cybersecurity is not one narrow field. So there are cybersecurity researchers in defenses, in active security, in mathematical analysis, in networking. And so even in a master's degree, there will be specializations in these different areas drawing from primarily a computer science curriculum but also some engineering, some systems kind of work, networking, and then bringing in an understanding of human behavior.

    Mr. Peters. I guess there is going to be some sense we are going to have to keep adjusting as we go.

    Ms. Benzel. That is right. There is not one answer that fits all.

    Mr. Peters. Mr. Barrett, maybe quickly, you might touch on the first of your rhetorical questions which is how much money are we losing? Do you have a sense of how we go about answering that question?

    Mr. Barrett. I believe the answer is we need to put in place more detailed reporting frameworks in order to actually ascertain the scope of the problem. Because the estimates range all over the place, I mean as low as a few billion up into the trillion range. My own personal view is it is probably in the tens of billions of range. But that would be hard to----

    Mr. Peters. That would be something that would be done by industry presumably. Is that right?

    Mr. Barrett. I believe so, yes.

    Mr. Peters. Okay.

    Mr. Barrett. It certainly could be done. A reporting framework could be developed, but at the moment, what we have is entirely voluntary and it models how much money is lost with how much the company spends on defenses, and those two numbers are quite different as well. And how much do you turn away?

    Mr. Peters. Again, I very much appreciate your being here.

    Thank you, Mr. Chairman.

    Chairman Massie. Thank you.

    I want to recognize Ms. Esty--Etsy.

    Ms. Esty. Esty, not the crafting website. Although I would be much wealthier if it were mine.

    Thank you very much, Mr. Chairman.

    For Dr. Chang and Ms. Benzel, both of you had talked about the need to create a science of cybersecurity. And if you can elaborate a little bit on that, what are the metrics we would need? If we don't know right now if a company is more secure than it was a month ago, where do we even start with this? What sort of research do we need? What sort of metrics do we need to develop so that we even know what we are talking about?

    Dr. Chang. Well, that is one of the key issues. We actually don't have the right language, the right set of metrics to even begin to understand this notion of whether my--the computer this year is more secure than it was last year, if this computer is more secure than somebody else's.

    There is kind of this idea of understanding the limits of what is possible. So that is what a science allows you to do. Can I understand how secure something can be? We sort of don't know, kind of what is possible, you know, what are kind of the control bounds. Cybersecurity is an adversarial science. And like anything adversarial, we will probably never completely eliminate it. But if we can establish some sort of control bars that basically say we are going to make it harder for an adversary to kind of get through and maybe the difficulty that their--you know, if we make it too hard for them to get through, then, they will quit trying. But it is this motion of kind of setting some control bars and trying to keep it within that. We certainly won't eliminate crime.

    Ms. Benzel. So we advocate being able to do experimental science. So in many other sciences we have workbenches and labs and we can go in and we can also repeat our peers' experiments and be able to understand what they are. Unfortunately, in computer science and in--particularly in cybersecurity, the experiments are very ad hoc. And so it might work once or it might work in my lab or in my example.

    This is one of the challenges also in technology transfer. It may have worked in some researcher's lab under some conditions, but I don't know that it is really going to work. So what we really advocate is that we need an experimental science where we can create hypotheses, we can do an experiment, see the results, modify some parameters, rerun the experiment. And my colleagues similarly have an opportunity to do that just as they would in any of the hard sciences.

    Ms. Esty. Are there any of the federal agencies that are actually doing work on this notion of the metrics that we would even use to measure?

    Dr. Chang. I am aware of some work that has started at NIST, and I would tell you I haven't looked at the work in more detail. I probably need to. But I am recalling from some years ago, oh, maybe 2009 or 2010 within the Computer Security Division at NIST, they started up a program in metrics. It is something I would need to look at further. But I believe there is some activity happening.

    Ms. Benzel. Metrics is a very difficult area in security and has plagued us for a long time. I would say that DARPA has started some work there and some very fundamental research. The National Science Foundation and DHS S&T always include metrics as a research topic in their calls.

    Ms. Esty. And one final question. As I know some colleagues and friends of my son who is a junior in college, if you could elaborate a little bit more on this adversarial science notion because I think it is different--it strikes me as different than a lot of times what attracts people to science and a sense of the purity and how you go about thinking about recruiting young people designing programs--if they need to have this back-and-forth adversarial approach.

    Dr. Chang. I would have to do some more thinking about this, but the models of the human immune system strike me as a reasonable model. So basically, the human immune system is fighting off adversaries of all kinds. And it is just sort of amazing how versatile and how flexible the human immune system is. The human immune system--by the way, about one percent of human cells are leukocytes, are actually defensive. So when you think about the body is basically allocating about one percent of its cells to defense, that is a pretty substantial number. If you look at the number of lines of computer code, I doubt one percent is dedicated to defense.

    The other model that seems to make sense to me in terms of the science is in the field of actually agriculture. So agriculture also has pests, and the pests try to eat the crops. And you can either make the crops more resilient or you kill the pests.
I mean that is another sort of adversarial model \nthat seems to be relevant.\n    Chairman Massie. Thank you. I want to thank Chairman McCaul \nfor his initiative with this bill and his persistence in \nreintroducing it and especially his patience today.\n    And I recognize him now for five minutes.\n    Mr. McCaul. I thank the Chairman.\n    And Dr. Chang, let me say thank you for your service on the \nCSIS Commission and to the Nation and to the University of \nTexas in Austin.\n    And Ms. Benzel, I agree with you our adversaries are moving \nforward, moving ahead. They are attacking our federal agencies \nevery day. In support--and building a record in support of this \nlegislation, I see this bill doing several things, applying \nNIST standards to the Federal Government. It provides--it \nbolsters research and development in this area, a private-\nsector university federal task force, education and awareness \npiece and procurement standards within the Federal Government.\n    And I would like to go through each of you and if you could \ntell me how you believe--if you do--that this legislation will \nadvance the cause for enhancing cybersecurity for this Nation. \nMr. Barrett?\n    Mr. Barrett. I would give a very brief answer which is \nmaybe not quite so brief.\n    In general, philosophically, we think that cybersecurity, \nas Dr. Chang said, is a wicked problem. And as such, there is \nprobably no single bill that could be passed that will, on its \nown, materially change the trend line. But on the other hand, \nthe sort of lack of a grand unification theory shouldn\'t stop \nus from doing good work. And this bill would definitely appear \nto be falling into that place where it does no harm and it also \ndoes good work in the specific areas it has chosen.\n    Mr. McCaul. That is a very good point. I think--I served on \nthe Speaker\'s Cybersecurity Task Force, and our first action \nwas to do no harm by legislation. 
So I appreciate you saying \nthat.\n    Dr. Chang?\n    Dr. Chang. Thank you.\n    So in advance of reading the bill if I could have picked \ntwo things that are critical to improving the Nation\'s \ncybersecurity posture it would be research and development and \nworkforce development. And so this legislation to me is just \nright on target relative to addressing the top two problems. I \nguess I would add, as I mentioned in my spoken testimony, the \nnotion that we need to be patient about this. You know, I guess \nit would be great if we could sort of plant a forest and all \nthe trees turn into something that resulted in wonderful \nresearch. But we--I see this legislation as important in that \nit is at least planting a few trees. It allows us to plant \nsome--a few things that will grow into the future.\n    I would sure hate to be sitting here ten years from now, 20 \nyears from now still saying that we actually don\'t understand \ncauses. We don\'t understand solutions. We don\'t understand \ncountermeasures. And this legislation I believe begins planting \na few trees. Thank you.\n    Mr. McCaul. And thanks for making the point about the cyber \nworkforce in the Federal Government. I think that is very, very \nimportant as well.\n    Ms. Benzel?\n    Ms. Benzel. Yes, thank you for the opportunity and thank \nyou for your perseverance in this area.\n    I agree with my colleagues. There is no one answer. It is a \nvery difficult field. But I was quite--very impressed to see \nthis particular bill in two areas that I would call out. And \none is the technology transfer recognition of the difficulty of \nthat problem. And I have worked in a number of different \npublic-private partnerships over the years. I was part of the \nPCAST Committee back in the early 2000s. 
I see that the \nopportunity here to do some real planning around university \nkinds of partnerships and bringing the universities into it so \nit is a three--tri-part aspect is very exciting in the bill.\n    The other one is in the science of cybersecurity and \nunderstanding that there is a need for research and development \nkinds of testbeds and experimentation. That is called out in \nthe bill for experimental science.\n    So I think technology transfer and experimental \ncybersecurity have a chance to be fundamentally changing. And \nof course the education and training are important, too.\n    Mr. McCaul. Well, let me thank the witnesses for your \nexpertise and for appearing here today.\n    Mr. Chairman, thank you for allowing me to participate in \nthis hearing even though I don\'t sit on the Subcommittee. And I \nlook forward to the markup and hopefully overwhelmingly passage \nof the bill and signed into law by the President. Thank you. I \nyield back.\n    Chairman Massie. Thank you, Chairman McCaul.\n    In closing this joint hearing, I would like to recognize \nChairman Bucshon for a moment to say a few words.\n    Mr. Bucshon. Thank you, Mr. Chairman.\n    I just want to remind everyone about a few facts. Overall \nspending in the Federal Government has gone up 17 percent since \n2008. This year, we are on track to spend $3.6 trillion with a \ntax collection of $2.7 trillion, which, by the way, is the \nhighest amount in history that is being projected. We have 16.5 \ntrillion in national debt, over 1 trillion in annual deficits \nfor the past five years running. Recently reported, 110 billion \nin inappropriate payments the government made just last year \nacross a multitude of federal programs and the current \nsequester is 85 billion.\n    I agree that spending cuts need to be more targeted. That \nis why the House has passed two bills over the last year that \nwould target these cuts more appropriately. 
So I think that we \nare very well aware of research and development dollars that \nneed to be there, not only on cybersecurity but other issues. \nAnd we will work towards this--a resolution that will help with \nthat situation. Thank you. I yield back.\n    Chairman Massie. Thank you.\n    I want to thank the witnesses for traveling here today and \nfor their valuable testimony and to the Members for their \nquestions.\n    Members of the Committee may have additional questions for \nyou and we will ask you to respond to those questions in \nwriting. The record will remain open for two weeks for \nadditional comments and written questions for Members.\n    The witnesses are excused and this hearing is adjourned.\n    [Whereupon, at 11:33 a.m., the Subcommittees were \nadjourned.]\n                               Appendix I\n\n                              ----------                              \n\n\n\n                   Answers to Post-Hearing Questions\n\nResponses by Mr. Michael Barrett\n\n[GRAPHIC] [TIFF OMITTED] T9926.044\n\nResponses by Dr. Frederick R. Chang\n\n[GRAPHIC] [TIFF OMITTED] T9926.045\n\n[GRAPHIC] [TIFF OMITTED] T9926.046\n\nResponses by Ms. Terry Benzel\n\n[GRAPHIC] [TIFF OMITTED] T9926.047\n\n[GRAPHIC] [TIFF OMITTED] T9926.048\n\n[GRAPHIC] [TIFF OMITTED] T9926.049\n\n[GRAPHIC] [TIFF OMITTED] T9926.050\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n          Department of Homeland Security letter submitted by\n                   Representative Frederica S. Wilson\n\n[GRAPHIC] [TIFF OMITTED] T9926.051\n\n[GRAPHIC] [TIFF OMITTED] T9926.052\n\n[GRAPHIC] [TIFF OMITTED] T9926.053\n\n            National Science Foundation letter submitted by\n                   Representative Frederica S. 
Wilson\n\n[GRAPHIC] [TIFF OMITTED] T9926.054\n\n[GRAPHIC] [TIFF OMITTED] T9926.055\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'