[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                         CYBERSECURITY RESEARCH
                            AND DEVELOPMENT:
                        CHALLENGES AND SOLUTIONS

=======================================================================

                                HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON TECHNOLOGY &
                        SUBCOMMITTEE ON RESEARCH

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                       TUESDAY, FEBRUARY 26, 2013

                               __________

                            Serial No. 113-6

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
79-926                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              MARK TAKANO, California
KEVIN CRAMER, North Dakota           VACANCY
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS STEWART, Utah
VACANCY
                                 ------                                

                       Subcommittee on Technology

                  HON. THOMAS MASSIE, Kentucky, Chair
JIM BRIDENSTINE, Oklahoma            FREDERICA S. WILSON, Florida
RANDY HULTGREN, Illinois             SCOTT PETERS, California
DAVID SCHWEIKERT, Arizona            DEREK KILMER, Washington
                                     EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------                                

                        Subcommittee on Research

                   HON. LARRY BUCSHON, Indiana, Chair
STEVEN M. PALAZZO, Mississippi       DANIEL LIPINSKI, Illinois
MO BROOKS, Alabama                   ZOE LOFGREN, California
STEVE STOCKMAN, Texas                AMI BERA, California
CYNTHIA LUMMIS, Wyoming              ELIZABETH ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas


                            C O N T E N T S

                       Tuesday, February 26, 2013

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Thomas Massie, Chairman, Subcommittee 
  on Technology, Committee on Science, Space, and Technology, 
  U.S. House of Representatives..................................     6
    Written Statement............................................     6

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................     7
    Written Statement............................................     7

Statement by Representative Frederica S. Wilson, Ranking Minority 
  Member, Subcommittee on Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........     9
    Written Statement............................................    10

Statement by Representative Larry Bucshon, Chairman, Subcommittee 
  on Research, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................    11
    Written Statement............................................    11

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research, Committee on Science, Space, 
  and Technology, U.S. House of Representatives..................    13
    Written Statement............................................    15

                               Witnesses:

Mr. Michael Barrett, Chief Information Security Officer, PayPal, 
  Inc.
    Oral Statement...............................................    17
    Written Statement............................................    19

Dr. Frederick R. Chang, President and Chief Operating Officer, 
  21CT, Inc.
    Oral Statement...............................................    34
    Written Statement............................................    36

Ms. Terry Benzel, Deputy Director, Cyber Networks and Cyber 
  Security, USC Information Sciences Institute
    Oral Statement...............................................    46
    Written Statement............................................    48

Discussion.......................................................    62

             Appendix I: Answers to Post-Hearing Questions

Mr. Michael Barrett, Chief Information Security Officer, PayPal, 
  Inc............................................................    80

Dr. Frederick R. Chang, President and Chief Operating Officer, 
  21CT, Inc......................................................    81

Ms. Terry Benzel, Deputy Director Cyber Networks and Cyber 
  Security, USC Information Sciences Institute...................    83

            Appendix II: Additional Material for the Record

Department of Homeland Security letter submitted by 
  Representative Frederica S. Wilson, Ranking Minority Member, 
  Subcommittee on Technology, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................    88

National Science Foundation letter submitted by Representative 
  Frederica S. Wilson, Ranking Minority Member, Subcommittee on 
  Technology, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................    91


                CYBERSECURITY RESEARCH AND DEVELOPMENT:
                        CHALLENGES AND SOLUTIONS

                              ----------                              


                       TUESDAY, FEBRUARY 26, 2013

                  House of Representatives,
                                   Subcommittee on Research
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:01 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Thomas 
Massie [Chairman of the Subcommittee on Technology] presiding.

[GRAPHIC] [TIFF OMITTED] T9926.001

[GRAPHIC] [TIFF OMITTED] T9926.002

[GRAPHIC] [TIFF OMITTED] T9926.003

[GRAPHIC] [TIFF OMITTED] T9926.004

    Chairman Massie. This joint hearing of the Subcommittee on 
Technology and the Subcommittee on Research will come to order.
    Good morning. Welcome to today's joint hearing entitled 
``Cybersecurity Research and Development: Challenges and 
Solutions.'' In front of you are packets containing the written 
testimony, biographies, and truth-in-testimony disclosures for 
today's witnesses. Before we get started, since this is a joint 
hearing involving two Subcommittees, I want to explain how we 
will operate procedurally so all Members will understand how 
the question-and-answer period will be handled.
    As always, we will alternate between the majority and 
minority Members and allow all Members an opportunity for 
questioning before recognizing a Member for a second round of 
questions. We will recognize those Members present at the gavel 
in order of seniority on the full Committee, and those coming 
in after the gavel will be recognized in order of arrival. I 
now recognize myself for five minutes for my opening statement.
    We convene the first hearing of the Technology Subcommittee 
and the 113th Congress held jointly with my colleagues on the 
Research Subcommittee. This Subcommittee sits at the 
intersection of technology and innovation and is uniquely 
positioned to address topics affecting competitiveness of 
emerging high-growth industries. I look forward to learning 
from our witnesses today about cybersecurity research and 
development challenges, and I look forward to working with my 
colleagues to determine how we can eliminate barriers to 
entrepreneurship in our country going forward. In these 
difficult times, it is important that we continue to empower 
our Nation's innovators to maintain our economic 
competitiveness.
    I now yield two minutes of my time to the Chairman of the 
full Committee, Mr. Smith of Texas.
    [The prepared statement of Mr. Massie follows:]

            Prepared Statement of Subcommittee on Technology
                         Chairman Thomas Massie

    We convene the first hearing of the Technology Subcommittee in the 
113th Congress, held jointly with my colleagues on the Research 
Subcommittee. This Subcommittee sits at the intersection of technology 
and innovation, and is uniquely positioned to address topics affecting 
competitiveness of emerging high-growth industries. I look forward to 
learning from our witnesses today about cybersecurity research and 
development challenges, and I look forward to working with my 
colleagues to determine how we can eliminate barriers to 
entrepreneurship in our country going forward. In these difficult 
times, it is important that we continue to empower our nation's 
innovators to maintain our economic competitiveness.
    Chairman Smith. Thank you, Mr. Chairman, for yielding me 
the balance of your time.
    Mr. Chairman, the Preamble to the Constitution states that 
one of the primary responsibilities of our Federal Government 
is to provide for the common defense. More than 200 years 
later, the meaning has changed but the task remains the same. 
National defense in the digital age no longer just means 
protecting ourselves with arms against enemies who attack with 
traditional weapons. It now means protecting America from 
enemies who launch cyber attacks against our computers and 
networks.
    Cyber attacks against U.S. Government and private sector 
networks are on the rise. In the last few weeks, some of 
America's largest companies have been hacked. Even the most 
sophisticated companies can be vulnerable to cyber attacks. 
Recent targets include Apple, Facebook, Yahoo!, the New York 
Times, and the Wall Street Journal. Various agencies of the 
Federal Government also have been the target of attacks and 
attempted attacks. Unfortunately, evidence suggests that 
foreign governments may be among those responsible.
    Protecting America's cyber systems is critical to our 
economic and national security. Americans deserve better 
protection, and the Federal Government can help make sensitive 
information more secure. This challenge requires a thorough and 
comprehensive effort in both the public and private sectors. 
Private companies are increasing their investment in 
cybersecurity. Congress should support those efforts. Only 
Congress can provide the incentives and protections that would 
permit necessary information-sharing among companies, and more 
importantly, between private companies and the Federal 
Government.
    Today's hearing examines an important step that we can take 
to foster the kind of cooperation that this challenge requires. 
The Cybersecurity Enhancement Act introduced by Committee 
Members Michael McCaul and Daniel Lipinski coordinates research 
and development activities to better address evolving cyber 
threats. The legislation promotes much-needed research and 
development to help create new technologies and standards that 
better protect America's information technology systems.
    Cyber attacks threaten our national and economic security. 
To solve this problem, America needs a solution that involves a 
cooperation of many public and private sector entities. The 
McCaul/Lipinski legislation helps foster such an effort, which 
will make our computer systems more secure.
    I hope we can learn how to improve the bill today and 
quickly advance it through this Committee.
    Thank you, Mr. Chairman. I yield back the balance of your 
time.
    [The prepared statement of Mr. Smith follows:]

        Prepared Statement of Committee Chairman Lamar S. Smith

    The preamble to the Constitution states that one of the primary 
responsibilities of our federal government is to ``provide for the 
common defense.'' More than two hundred years later, the meaning has 
changed but the task remains the same.
    National defense in the digital age no longer just means protecting 
ourselves with arms against enemies who attack with traditional 
weapons. It now means protecting America from enemies who launch cyber 
attacks against our computers and networks.
    Cyber attacks against U.S. government and private sector networks 
are on the rise. In the last few weeks, some of America's largest 
companies have been hacked. Even the most sophisticated companies can 
be vulnerable to cyber attacks. Recent targets include Apple, Facebook, 
Yahoo! the New York Times and the Wall Street Journal.
    Various agencies of the federal government also have been the 
target of attacks and attempted attacks. Unfortunately, evidence 
suggests that foreign governments may be among those responsible.
    Protecting America's cyber systems is critical to our economic and 
national security. Americans deserve better protection and the federal 
government can help make sensitive information more secure.
    This challenge requires a thorough and comprehensive effort in both 
the public and private sectors. Private companies are increasing their 
investment in cybersecurity. Congress should support those efforts.
    Only Congress can provide the incentives and protections that would 
permit necessary information sharing among companies, and more 
importantly, between private companies and the federal government.
    Today's hearing examines an important step that we can take to 
foster the kind of cooperation that this challenge requires. The 
Cybersecurity Enhancement Act, introduced by Committee Members Michael 
McCaul and Daniel Lipinski, coordinates research and development 
activities to better address evolving cyber threats. The legislation 
promotes much-needed research and development to help create new 
technologies and standards that better protect America's information 
technology systems.
    Cyber attacks threaten our national and economic security. To solve 
this problem, America needs a solution that involves the cooperation of 
many public and private sector entities. The McCaul-Lipinski 
legislation helps foster such an effort, which will make our computer 
systems more secure.
    I hope we can learn how to improve the bill today and quickly 
advance it through this Committee.
    Chairman Massie. Thank you. The Chair now recognizes Ms. 
Wilson for her opening statement.
    Ms. Wilson. Thank you, Chairman Massie, for holding this 
joint hearing on cybersecurity, and thank you to our witnesses 
for being here today.
    Before I begin, I would like to say that I am pleased to be 
the new Ranking Member of the Technology Subcommittee. As a 
longtime educator, principal, teacher, I am a big believer in 
the power of scientific innovation. Mr. Chairman, I am looking 
forward to working with you this Congress to help enable 
innovation that creates jobs and makes our Nation more secure.
    Today's hearing is a perfect example of the work this 
Subcommittee can do to bolster national security. Cyber crimes 
are ever increasing. In fact, the number of attacks reported by 
federal agencies increased by 782 percent between 2006 and 
2012. The threats to federal systems in our critical 
infrastructure are not only growing in number but in the level 
of sophistication. Over the last month alone, the New York 
Times, the Wall Street Journal, the Washington Post, Twitter, 
and Facebook have all confirmed that they have been the target 
of sophisticated cyber attacks. These crimes may include 
identity theft, intellectual property theft, service 
disruptions, and even espionage.
    We are beginning to suffer the cost of cybercrime. A recent 
study found that cybercrime now costs a U.S. business 8.9 
million on average per year. The problem is so pervasive that 
security experts now joke that there are only two types of 
American companies these days: those that have been hacked and 
those that don't know they have been hacked.
    Earlier this month, the President signed an Executive Order 
that begins the process of strengthening our networks of 
critical infrastructure against cyber attacks by increasing 
information-sharing and establishing a framework for the 
development of standards and best practices. But the President 
also acknowledged that Congress must act to pass comprehensive 
cybersecurity legislation.
    The bipartisan legislation introduced by our colleagues, 
Mr. McCaul and Mr. Lipinski, and under consideration today 
should be a part of this comprehensive package. I am looking 
forward to hearing any recommendations our witnesses might have 
about how to improve the legislation.
    Additionally, I hope to hear more from our witnesses about 
their thoughts on the role the Executive Order outlines for 
NIST. In the past, Congress has asked NIST to bring the private 
sector together to accelerate the development of voluntary 
standards. It seems appropriate that NIST be tasked with the 
similar role in cybersecurity, especially in light of their 
expertise in this field.
    Finally, I would be remiss if I did not mention the 
potential impact sequestration will have on our ability to 
deter, defend, and recover from cyber attacks. In a letter to 
Appropriations, the National Science Foundation indicated that 
vital investments in research and development would be 
jeopardized, and that one of the areas that could be impacted 
by sequestration is research into advances in cybersecurity.
    The Department of Homeland Security Science and Technology 
Directorate plays a large role in the development and 
deployment of cybersecurity technologies. The Directorate has 
indicated that under sequestration, they will have to cut their 
cybersecurity research by 30 percent, eliminating research and 
data, privacy, identity management, cybersecurity forensics, 
and security for cloud-based systems. The need to invest in 
research and development is critical as cyber threats continue 
to grow and involve. I hope we will not let sequestration delay 
and derail these essential investments.
    Thank you, Mr. Chairman, and I yield back the balance of my 
time.
    [The prepared statement of Ms. Wilson follows:]

            Prepared Statement of Subcommittee on Technology
              Ranking Minority Member Frederica S. Wilson

    Thank you, Chairman Massie for holding this joint hearing on 
cybersecurity, and thank you to our witnesses for being here today. 
Before I begin, I'd like to say that I am pleased to be the new Ranking 
Member of the Technology Subcommittee. As a longtime educator, I am a 
big believer in the power of scientific innovation. Mr. Chairman, I am 
looking forward to working with you this Congress to help enable 
innovation that creates jobs and makes our nation more secure.
    Today's hearing is a perfect example of the work this Subcommittee 
can do to bolster national security. Cyber crimes are ever-increasing. 
In fact, the number of attacks reported by federal agencies increased 
by 782 percent between 2006 and 2012. The threats to federal systems 
and our critical infrastructure are not only growing in number, but in 
the level of sophistication.
    Over the last month alone, The New York Times, The Wall Street 
Journal, The Washington Post, Twitter, and Facebook have all confirmed 
that they have been the target of sophisticated cyber attacks. These 
crimes may include identity theft, intellectual property theft, service 
disruptions, and even espionage.
    We're beginning to suffer the costs of cybercrime. A recent study 
found that cybercrime now costs a U.S. business $8.9 million on average 
per year. The problem is so pervasive that security experts now joke 
that there are only two types of American companies these days: those 
that have been hacked and those that don't know they've been hacked.
    Earlier this month, the President signed an executive order that 
begins the process of strengthening our networks and critical 
infrastructure against cyber attack by increasing information sharing 
and establishing a framework for the development of standards and best 
practices. But the President also acknowledged that Congress must act 
to pass comprehensive cybersecurity legislation.
    The bipartisan legislation introduced by our colleagues Mr. McCaul 
and Mr. Lipiniski, and under consideration today, should be part of 
this comprehensive package. I am looking forward to hearing any 
recommendations our witnesses might have about how to improve the 
legislation. Additionally, I hope to hear more from our witnesses about 
their thoughts on the role the executive order outlines for NIST. In 
the past, Congress has asked NIST to bring the private sector together 
to accelerate the development of voluntary standards. It seems 
appropriate that NIST be tasked with a similar role in cybersecurity--
especially in light of their expertise in this field.
    Finally, I'd be remiss if I did not mention the potential impact 
sequestration will have on our ability to deter, defend, and recover 
from cyber attacks. In a letter to appropriators, the National Science 
Foundation indicated that ``vital investments in research and 
development would be jeopardized'' and that one of the areas that could 
be impacted by sequestration is research into advances in 
cybersecurity.
    The Department of Homeland Security's Science and Technology 
Directorate plays a large role in the development and deployment of 
cybersecurity technologies. The Directorate has indicated that under 
sequestration they will have to cut their cybersecurity research by 30 
percent, eliminating research in data privacy, identity management, 
cybersecurity forensics, and security for cloud based systems.
    The need to invest in research and development is critical as cyber 
threats continue to grow and evolve. I hope we will not let 
sequestration delay and derail these essential investments.
    Chairman Massie. Thank you, Ms. Wilson. I look forward to 
working with you as well on this Committee.
    The Chair now recognizes the Chairman of the Subcommittee 
on Research, Mr. Bucshon, for his opening statement.
    Mr. Bucshon. Thank you, Mr. Chairman. And good morning to 
everyone. I am pleased that we are holding a hearing today on 
such an important topic.
    According to a recent report published by the Government 
Accountability Office, there were nearly 50,000 cybersecurity 
incidents reported by federal agencies in 2012. Considering 
that number was 5,500 in 2006, there is no doubt that 
addressing cybersecurity needs is critical to global economic 
competitiveness and national security interests of our Nation.
    In December 2012, the Center for Applied Cybersecurity 
Research at Indiana University held a roundtable on cyber 
threats, objectives, and responses. This issue impacts everyone 
from children using the Internet in their homes to government 
and industry officials trying to ensure our domestic 
infrastructure is protected from cyber terrorists.
    During the Research Subcommittee hearing on February 14 on 
Networking and Information Technology Research and Development, 
or NITRD, witnesses testified about the cybersecurity threats 
our Nation faces and emphasized that cooperation is required 
for stakeholders to research and design ways in which to build 
and maintain safer computer network infrastructures. The NITRD 
program, which was the primary subject of that hearing, is the 
coordinating body which the McCaul/Lipinski Cybersecurity 
Enhancement Act appropriately utilizes to establish a strategic 
plan for specific cybersecurity research.
    I am encouraged that the legislation we are discussing 
today enhances the education and development of information 
technology professionals, including those who work in the areas 
of computer systems, computer security, and cybersecurity.
    I look forward to hearing from our witnesses about their 
experiences and their recommendations on addressing America's 
cybersecurity challenges.
    I now yield the balance of my time to Chairman McCaul.
    [The prepared statement of Mr. Bucshon follows:]

 Prepared Statement of Subcommittee on Research Chairman Larry Bucshon

    According to a recent report published by the Government 
Accountability Office, there were nearly 50,000 cybersecurity incidents 
reported by federal agencies in 2012. Considering that number was 5,500 
in 2006, there is no doubt that addressing cybersecurity needs is 
critical to global economic competitiveness and national security 
interests of our nation.
    In December of 2012, the Center for Applied Cybersecurity Research 
at Indiana University held a ``Roundtable on Cyber Threats, Objectives, 
and Responses.'' This issue impacts everyone: from children using the 
Internet in their homes to government and industry officials trying to 
ensure our domestic infrastructure is protected from cyber terrorists.
    During the Research Subcommittee hearing on February 14 on 
Networking and Information Technology Research and Development (NITRD), 
witnesses testified about the cybersecurity threats our nation faces 
and emphasized that cooperation is required for stakeholders to 
research and design ways in which to build and maintain safer computer 
network infrastructures. The NITRD program, which was the primary 
subject of that hearing, is the coordinating body which the McCaul-
Lipinski Cybersecurity Enhancement Act appropriately utilizes to 
establish a strategic plan for specific cyber security research.
    I am encouraged that the legislation we are discussing today 
enhances the education and development of information technology 
professionals, including those who work in the areas of computer 
systems, computer security, and cybersecurity.
    I look forward to hearing from our witnesses about their 
experiences and their recommendations on addressing America's 
cybersecurity challenges.
    Mr. McCaul. Thank you, Chairman Bucshon.
    I want to thank Chairman Massie, Chairman Smith, Ranking 
Members Lipinski and Wilson for allowing me to introduce this 
bill once again. Again, I believe this is the third time we 
have introduced this. Hopefully, the third time is a charm and 
we will get this important legislation passed. It passed 
overwhelmingly in two Congresses. I do believe this is the 
Congress where we will get cybersecurity legislation passed 
through the House, the Senate, and signed by the White House.
    It is imperative as we hear reports almost every day of 
hackings taking place not only within the critical 
infrastructures but within our Federal Government. The report 
about the Chinese military hacking into our military systems, 
stealing our military secrets, the attacks recently from Iran 
against Aramco in the Persian Gulf and against our financial 
institutions in the United States, and of course Russia, one of 
the most sophisticated countries that continue to hack this 
country on a daily basis.
    Whether it is criminal, whether it is espionage, or whether 
it cyber warfare, we cannot afford to wait any longer. The 
White House has acted through an Executive Order. I think it is 
imperative now that the Congress act and legislate as we are 
supposed to be doing. It is not a question of if, but when the 
next--or when a cyber Pearl Harbor will occur. And that is why 
I have worked very closely with my good friend Congressman 
Lipinski to bolster our Nation's cybersecurity research and 
development.
    On February the 15th, we introduced this bill once again, 
H.R. 756, the Cybersecurity Enhancement Act, which is identical 
to the legislation passed overwhelmingly by the House last 
Congress. It improves the coordination in government providing 
for a strategic plan to assess the cybersecurity risk and guide 
the overall direction of the federal cyber research and 
development. It updates--and this responsibility is to develop 
security standards for Federal computer systems and processes 
for agencies to follow.
    Our bill also establishes a federal university private 
sector task force to coordinate research and development, 
improving the training of cybersecurity professionals, and 
continues much-needed cybersecurity research and development 
programs at the National Science Foundation and the National 
Institute of Standards and Technology.
    Again, I would like to thank my colleague Chairman Smith 
for allowing me to introduce this bill once again. I appreciate 
your support for this bill, my colleague from Texas. And I look 
forward to working with my colleagues on this Committee to find 
solutions to the challenges of cyber research and development.
    And with that, I yield back.
    Chairman Massie. Thank you, Mr.----
    Mr. Bucshon. I yield back.
    Chairman Massie. Okay. Thank you, Mr. McCaul. And thank 
you, Mr. Bucshon.
    The Chair now recognizes Mr. Lipinski for his opening 
statement.
    Mr. Lipinski. Thank you, Chairman Massie.
    I want to thank you, Chairman Smith and Chairman Bucshon, 
for holding this hearing to examine the serious cybersecurity 
challenges faced by our Nation and what we can do to facilitate 
solutions, including the Cybersecurity Enhancement Act that Mr. 
McCaul said we recently reintroduced and I know that we have 
passed this overwhelmingly in a Democratic House. In a 
Republican House, hopefully, this time we can get it all the 
way through because our country especially needs it as the 
threats grow every year.
    Now, I want to echo my colleague's remarks about the nature 
and severity of the challenges we face in cybersecurity in both 
the public and private sectors. Four years ago, when we began 
working on this legislation, I said I had no doubt that our use 
of the Internet and other communication networks would continue 
to grow and evolve, and that threats from individual hackers, 
criminal syndicates, and even other governments would grow and 
evolve, too. Today, it remains difficult to imagine just how 
much more we will simultaneously benefit from and be made more 
vulnerable by information technology.
    Hacking is no longer just a realm of computer whizzes. 
Today, anyone can rent a botnet or gain access to other 
sophisticated hacking tools with just a few keystrokes and less 
than $100.
    Cybercrime threatens our national security, our critical 
infrastructure, businesses of all sizes, and every single 
American. As such, reducing our risk and improving the security 
of cyberspace will take the collective effort of both the 
Federal Government and the private sector, as well as 
scientists, engineers, and the general public.
    With respect to that collective effort, I need to emphasize 
the importance of research into the social and behavioral 
aspects of cybersecurity. People are perhaps the most 
significant part of our IT infrastructure, but they are also 
the weakest link. Many cyber attacks are successful because of 
human error, bad cyber hygiene such as unwittingly opening a 
malicious email. Having the most sophisticated security systems 
available won't make any difference if users don't change 
factory sets of all passwords or if they set easy-to-crack 
passwords. Understanding the human element and educating users 
to practice good cyber hygiene is necessary to combating 
threats and reducing risk.
    Mr. McCaul and I are hopeful that our R&D bill will be part 
of a comprehensive bipartisan cybersecurity bill. Previous 
efforts to move a larger bill have stalled over some 
significant policy disagreements, but I am hopeful that we will 
be able to resolve our differences and I look forward to 
working with both my colleagues and the Administration to 
ensure the development of a strong cybersecurity strategy this 
Congress.
    However, I am also concerned that top-line cuts to our 
federal R&D budgets will have a negative impact on any long-
term cybersecurity strategy. So we must also take actions to 
mitigate the impact of those cuts.
    Today, we will hear from witnesses who are actively engaged 
in efforts to improve the security of our digital 
infrastructure. I look forward to their valuable insights and 
the challenges we face in tackling this complex issue and the 
role of cybersecurity R&D and education in any comprehensive 
solutions.
    I thank you, Mr. Chairman. I yield back the balance of my 
time.
    [The prepared statement of Mr. Lipinski follows:]

             Prepared Statement of Subcommittee on Research
                Ranking Minority Member Daniel Lipinski

    I want to thank both Chairman Massie and Chairman Bucshon for 
holding this hearing to examine the serious cybersecurity challenges 
faced by our nation. In particular, I look forward to hearing feedback 
from our witnesses on H.R. 756, The Cybersecurity Enhancement Act, that 
I recently reintroduced along with Mr. McCaul.
    I echo my colleagues' remarks about the nature and severity of the 
challenges we face in cybersecurity in both the public and private 
sectors. Four years ago when I began working on this legislation I said 
that I had no doubt that our use of the Internet and other 
communication networks would continue to grow and evolve, and that 
threats from individual hackers, criminal syndicates, and even other 
governments would grow and evolve too.
    Today it remains difficult to imagine just how much more we will 
simultaneously benefit from, and be made more vulnerable by, 
information technology. Hacking is no longer just the realm of computer 
whizzes. Today, anyone can ``rent'' a botnet or gain access to other 
sophisticated hacking tools with just a few key strokes and less than a 
hundred dollars.
    Cybercrime threatens our national security, our critical 
infrastructure, businesses of all sizes, and every single American. As 
such, reducing our risk and improving the security of cyberspace will 
take the collective effort of both the Federal government and the 
private sector, as well as scientists, engineers, and the general 
public.
    With respect to that collective effort, I need to emphasize the 
importance of research into the social and behavioral aspects of 
cybersecurity. People are perhaps the most significant part of our IT 
infrastructure, but they are also the `weakest link.' Many cyber 
attacks are successful because of human error--bad cyber hygiene--such 
as unwittingly opening a malicious email. Having the most sophisticated 
security systems available won't make any difference if users don't 
change factory-set default passwords or they set easy to crack 
passwords. Understanding the human element and educating users to 
practice good cyber hygiene is necessary to combating threats and 
reducing risk.
    Mr. McCaul and I are hopeful that our R&D bill will be part of a 
comprehensive, bipartisan cybersecurity bill. Previous efforts to move 
a larger bill have stalled over some significant policy disagreements, 
but I am hopeful that we will be able to resolve our differences and I 
look forward to working with both my colleagues and the Administration 
to ensure the development of a strong cybersecurity strategy this 
Congress.
    However, I am also concerned that top line cuts to our federal R&D 
budgets will have a negative impact on any long-term cybersecurity 
strategy. So we must also take actions to mitigate the impact of those 
cuts.
    Today, we will hear from witnesses who are actively engaged in 
efforts to improve the security of our digital infrastructure. I look 
forward to their valuable insight into the challenges we face in 
tackling this complex issue and the role of cybersecurity R&D and 
education in any comprehensive solution.
    Chairman Massie. Thank you, Mr. Lipinski.
    If there are Members who wish to submit additional opening 
statements, your statements will be added to the record at this 
point.
    It is now time to introduce our panel of witnesses. I yield 
to Ms. Lofgren of California, who will introduce our first 
witness.
    Ms. Lofgren. Well, thank you very much, Mr. Chairman. And 
it is indeed an honor to introduce Michael Barrett, who is the 
Chief Information Security Officer for PayPal, located in San 
Jose, California. He is the, as I say, the Chief Information 
Security Officer for PayPal, and in his role, he is responsible 
for ensuring the security of PayPal's 113 million users 
worldwide.
    Prior to joining PayPal, he was Vice President of Security 
and Utility Strategy at American Express, where he helped 
defined the company's Information Security Program, and in 
prior years, he was President of the Liberty Alliance, an Open 
Standards Consortium focused on identity management standards 
and guidelines. He was the driving force behind the 
introduction and standardization of the Alliance's federated 
identity concepts, and he also co-chaired its Identity Threat 
Prevention Working Group.
    He was twice named one of the 50 most powerful people in 
networking by Network World magazine, and it is wonderful that 
he is testifying today about our bill that focuses on NIST and 
NSF, but I am also pleased that he has identified in his 
testimony certain outdated statutes like EPCA, the Electronic 
Communications Privacy Act, that have prevented anti-
cybercrime-related programs, which is also an important service 
that he is performing for the Committee today.
    So thank you for letting me introduce this important 
witness who comes from back home.
    And I yield back.
    Chairman Massie. Thank you, Ms. Lofgren.
    I recognize Chairman Smith to introduce our second witness.
    Chairman Smith. Thank you, Mr. Chairman.
    Chairman, our second witness, Dr. Frederick Chang, is a 
President and Chief Operating Officer of 21CT. 21CT 
appropriately is headquartered within Texas' 21st Congressional 
District, which is home to Cyber City USA, otherwise known as 
San Antonio, thanks in part to technology organizations like 
Dr. Chang's.
    Dr. Chang brings to us today with 30 years of public and 
private sector cybersecurity knowledge serving as the Director 
of Research at the National Security Agency and then in an 
executive role at SBC Communications. Additionally, he has 
served in academia at both the University of Texas in San 
Antonio and the University of Texas in Austin. He received his 
B.A. degree from the University of California San Diego and 
both his M.A. and Ph.D. degrees from the University of Oregon.
    We welcome you, Dr. Chang.
    And I yield back, Mr. Chairman.
    Chairman Massie. Thank you, Chairman Smith.
    Our final witness is Ms. Terry Benzel, the Deputy Director 
of Cyber Networks and Cyber Security of the USC Information 
Sciences Institute.
    As our witnesses should know, spoken testimony is limited 
to five minutes each after which Members of the Committee have 
five minutes each to ask questions. Your written testimony will 
be included in the record of this hearing.
    I now recognize our first witness, Mr. Michael Barrett, for 
five minutes.

               STATEMENT OF MR. MICHAEL BARRETT,

        CHIEF INFORMATION SECURITY OFFICER, PAYPAL, INC.

    Mr. Barrett. Chairman Bucshon, Chairman Massie, Ranking 
Member Lipinski, Ranking Member Wilson, and Members of the 
Subcommittee, thank you for the opportunity to testify today 
about what PayPal and the eBay Inc. family of companies are 
doing to protect our users from the growing cybersecurity 
challenges facing Internet-enabled companies and what our 
Nation's policymakers can do to assist us in tackling these 
problems.
    My name is Michael Barrett and I am the Chief Information 
Security Officer for PayPal. EBay and PayPal connects millions 
of buyers and sellers across the globe through eBay 
Marketplaces, PayPal, GSI, and other mobile-based businesses. 
And we believe all sustainable 21st century retail business 
models will use the Internet and mobile technology. However, as 
the Internet and mobile platforms become more attractive to 
consumers and businesses alike, they also attract criminals. 
Companies like PayPal will continue to work to protect the 
safety and security of our platform and our users.
    However, we believe that the traditional technical measures 
alone cannot significantly move the trend line and that there 
are concrete steps that industry and policymakers should take 
to significantly mitigate the impact of cybercrime. For 
example, on a daily basis Internet companies are run into sites 
where they have been compromised and they are used as 
``phishing'' or ``spoof sites.''
    Recognizing the growing threat, PayPal launched an industry 
standards program called DMARC, which is intended to increase 
trust and combat email deception and fraud. DMARC allows 
senders to experience consistent authentication results for 
their messages at AOL, Gmail, Hotmail, Yahoo!, and any other 
email receiver implementing DMARC. The program removes the 
guesswork from the receiver's handling of any failed messages, 
limiting or eliminating the user's exposure to potentially 
fraudulent and harmful messages. In its first year, DMARC 
protected 60 percent of the world's email inboxes and rejected 
hundreds of millions of potentially fraudulent messages.
    In addition to email authentication, we have also been 
engaged in efforts to create a reliable identity management 
system. We have participated in two different programs: the 
National Strategy for Trusted Identities in Cyberspace (NSTIC) 
and the Fast Identity Online Alliance, or FIDO.
    NSTIC is a White House initiative led by the National 
Institute of Standards and Technology, which is intended to 
work collaboratively with all interested stakeholders to 
improve the privacy, security, and convenience of sensitive 
online transactions. PayPal will be offering more services to 
our customers over the coming months that directly support both 
the NSTIC vision, which we expect will result in many new 
benefits to both our customers and the Internet overall.
    PayPal was also one of the cofounders of the FIDO Alliance, 
which is intended to address the lack of interoperability among 
strong authentication solutions, as well as the problems users 
face with creating and remembering multiple usernames and 
passwords. By giving the option to replace passwords with 
authentication methods embedded in hardware, it can be used in 
biometric tools such as fingerprint scanners, voice and facial 
recognition, or more traditional security methods. Our goal is 
to provide an easier and safer solution to every company, 
vendor, and organization that needs to verify a user's 
identity.
    Although it is the responsibility of industry leaders like 
PayPal to ensure the safety and security of our platforms and 
our users, federal policymakers have an important role to play 
in creating a secure Internet and mobile ecosystem. What we 
have found from our years of combating cybercrime is that 
quantifying the forecast is difficult, if not impossible, 
because many incidents are not reported. Estimates of the 
magnitude and scope of cybercrime vary widely, making it 
difficult for policymakers and industry to fully understand the 
problem and the level of effort that will be needed to combat 
it.
    We recommend that policymakers fund some research that 
helps fill some of the information gaps that currently exist as 
it relates to cybercrime. We believe that this research will be 
a critical tool in arming policymakers, law enforcement, and 
industry against the growing threat of cybercrime.
    In addition, PayPal appreciates the bipartisan efforts of 
the Committee to create a legislative framework that creates 
innovative solutions to issues such as cybersecurity R&D, 
education and workforce training, and standards development. 
Importantly, it achieves these ends without creating undesired 
side effects, and we welcome the opportunity to work with the 
Committee on these priorities.
    To conclude, it is our hope that in the years to come the 
challenges we face today from cybercrime will be a faint 
memory. But until then, PayPal is committed to partnering with 
policymakers and private and public stakeholders to ensure that 
everything we do in our power to create an ecosystem that is 
safe and secure.
    I appreciate the opportunity to testify before the 
Committee and I look forward to your questions.
    [The prepared statement of Mr. Barrett follows:]

    [GRAPHIC] [TIFF OMITTED] T9926.005
    
    [GRAPHIC] [TIFF OMITTED] T9926.006
    
    [GRAPHIC] [TIFF OMITTED] T9926.007
    
    [GRAPHIC] [TIFF OMITTED] T9926.008
    
    [GRAPHIC] [TIFF OMITTED] T9926.009
    
    [GRAPHIC] [TIFF OMITTED] T9926.010
    
    [GRAPHIC] [TIFF OMITTED] T9926.011
    
    [GRAPHIC] [TIFF OMITTED] T9926.012
    
    [GRAPHIC] [TIFF OMITTED] T9926.013
    
    [GRAPHIC] [TIFF OMITTED] T9926.014
    
    [GRAPHIC] [TIFF OMITTED] T9926.015
    
    [GRAPHIC] [TIFF OMITTED] T9926.016
    
    [GRAPHIC] [TIFF OMITTED] T9926.017
    
    [GRAPHIC] [TIFF OMITTED] T9926.018
    
    [GRAPHIC] [TIFF OMITTED] T9926.019
    
    Chairman Massie. I now recognize our next witness, Dr. 
Frederick Chang.

              STATEMENT OF DR. FREDERICK R. CHANG,

       PRESIDENT AND CHIEF OPERATING OFFICER, 21CT, INC.

    Dr. Chang. Chairman Massie, Chairman Bucshon, Chairman 
Smith, Ranking Member Wilson, Ranking Member Lipinski, Members 
of the Subcommittees, thank you for the opportunity to testify 
before you today on the hearing on the topic of cyber R&D 
challenges and solutions.
    My name is Frederick R. Chang and I am currently the 
President and COO of 21CT, Inc., a small high-tech company in 
Austin, Texas. In prior positions, I have served as the 
Director of Research at the National Security Agency, in 
academia at the University of Texas--at both the San Antonio 
and Austin campuses, and in the telecommunications industry.
    I would also mention that I have served as a member of the 
CSIS Commission on Cybersecurity for the 44th Presidency, and I 
am currently a member of the Texas Cybersecurity Education and 
Economic Development Council.
    I do not have to tell you that we are under attack in 
cyberspace. Those of us in the field of security have known 
about it for some time now, but now the problem has broadened 
and deepened its scope. Our friends know, our neighbors know, 
our kids know.
    The field of cybersecurity is too reactive and after-the-
fact. We wait for something bad to happen and then we respond. 
We lack the fundamental scientific understanding of causes, of 
solutions, of countermeasures. Science uses words like 
evidence, metrics, repeatability, predictability. In 
cybersecurity these words are not used often enough. Indeed, 
when it comes to predictability, about the only thing we can 
predict with a high degree of confidence is that a determined 
hacker will be able to compromise the target system.
    At the turn of the 20th century, life expectancy in the 
United States was a little over 47 years. A century later, it 
was nearly 77 years. Why did this happen? A large part of the 
improvement can be traced to advances in public health and an 
improved understanding of the science of infectious diseases. 
After World War II, scientists isolated causes and developed 
solutions for diseases like polio, measles, and chickenpox. I 
am not arguing that the cybersecurity problem today is as bad 
as polio was in the '40s and '50s, but I am suggesting that we 
know how to make a dent in the problem.
    It won't be easy because the problem is truly a daunting 
one against a highly adaptive adversary. I believe that a broad 
and interdisciplinary approach will be necessary. I offered a 
few ideas in my written testimony.
    One of the major obstacles to more progress in 
cybersecurity is a lack of qualified and well-trained 
professionals in the field. Just as a generation of students 
became fascinated by and intellectually curious about space, 
science, and engineering after the launch of Sputnik, we need 
for that to happen now for a new generation of students about 
cyberspace science and engineering.
    The skills gap comes up time and time again. It was a key 
issue in our work on the CSIS Cybersecurity Commission co-
chaired by Congressman McCaul and Congressman Langevin, and it 
was a key issue in our work on the Texas Cybersecurity Council.
    And representing a small company with ongoing demand for 
highly technical cyber hires, it is a constant challenge for us 
to identify and recruit the necessary expertise. Not only do we 
need a long-term pipeline of well-trained students to fill the 
many jobs that will be necessary, but the demand is 
particularly acute with respect to the requirement for the 
extremely deep technical skills needed to operate at the very 
highest levels.
    In a CSIS Commission report from 2010, there was an 
estimate that we have about 1,000 deeply technical people in 
the United States who can operate at the most elite levels but 
that we need something like 10,000 to 30,000. The report went 
on to say we not only have a shortage of the highly technically 
skilled people required to operate in support systems already 
deployed, but also and even more desperate--a more desperate 
charge of people who can design secure systems, write safe 
computer code, and create the evermore sophisticated tools to 
prevent, detect, mitigate, and reconstitute from damage due to 
system failures and malicious acts.
    The legislation in H.R. 2096 places front and center two of 
the items I believe are central to making more progress in 
improving the Nation's cybersecurity posture: research and 
development and cybersecurity workforce development.
    Let me close by saying that I have suggested some things in 
my testimony that will take a long time to implement. For 
example, producing a long-term, robust, and deeply technical 
cybersecurity workforce or creating a science of cybersecurity 
could take decades.
    I am reminded of an old proverb. The best time to plant a 
tree was 20 years ago. The second best time is now. It is my 
sincere hope that 20 years from now we can look back at this 
time and say that this is when we began to turn the tables on 
our cyber adversaries and took the advantage back.
    Thank you again for the opportunity to speak with you 
today.
    [The prepared statement of Dr. Chang follows:]

    [GRAPHIC] [TIFF OMITTED] T9926.020
    
    [GRAPHIC] [TIFF OMITTED] T9926.021
    
    [GRAPHIC] [TIFF OMITTED] T9926.022
    
    [GRAPHIC] [TIFF OMITTED] T9926.023
    
    [GRAPHIC] [TIFF OMITTED] T9926.024
    
    [GRAPHIC] [TIFF OMITTED] T9926.025
    
    [GRAPHIC] [TIFF OMITTED] T9926.026
    
    [GRAPHIC] [TIFF OMITTED] T9926.027
    
    [GRAPHIC] [TIFF OMITTED] T9926.028
    
    [GRAPHIC] [TIFF OMITTED] T9926.029
    
    Chairman Massie. Thank you, Dr. Chang.
    I now recognize our final witness, Ms. Terry Benzel.

                 STATEMENT OF MS. TERRY BENZEL,

       DEPUTY DIRECTOR CYBER NETWORKS AND CYBER SECURITY,

               USC INFORMATION SCIENCES INSTITUTE

    Ms. Benzel. Thank you, Chairman Massie, Ranking Member 
Wilson, Chairman Bucshon, Ranking Member Lipinski, and Members 
of the Subcommittees. I am pleased to offer my perspective on 
cyber R&D challenges and solutions based on 30 years in the 
cybersecurity community.
    I bring an interesting perspective stemming from Principal 
at a startup company, Vice President at McAfee Software, and 
now the Deputy Director of our Cyber Networks and Cyber 
Security Division at the Information Sciences Institute, a 
research lab with the University of Southern California's 
Viterbi School where I direct the DETER project, a 
cybersecurity research, experimentation, and test facility.
    I would like to address four key points today: one, the 
importance of broadening the purview of cybersecurity R&D two, 
the importance of research infrastructure for experimental 
cybersecurity R&D three, the importance of new models for 
technology transfer from university research into commercial 
practices and products; and four, the importance of higher 
education for developing next-generation cybersecurity 
researchers and technologies.
    Let me start with the importance of broadening the purview 
of cybersecurity R&D. All too often our research is narrowly 
focused on single topics. For example, we have many people 
conducting excellent research in distributed denial of service, 
worms, botnets, and Internet routing, each studied individually 
and deeply. But believe me, our adversaries are not looking 
narrowly. In fact, they are looking at the combinations of 
these different kinds of threats and vulnerabilities, as well 
as combining that with cyber physical systems and social 
engineering.
    We can no longer afford to look narrowly at the hard 
problems. Even more so, cybersecurity is no longer solely an 
engineering discipline. We must involve economists, 
sociologists, anthropologists, and other disciplines. While 
there has been some progress in these areas by the National 
Science Foundation, DHS S&T, and others, my first 
recommendation is we must increase the breadth and scope of 
strategic cyber R&D and increase opportunities for 
multidisciplinary research.
    Let me next address the need for research infrastructure 
for cyber R&D. Historically, we have struggled to prove the 
value of security technologies. Security is often viewed as the 
absence of something bad happening. I didn't get broken into, 
so I must be secure. When I was a Vice President at McAfee 
Software, I visited large customers--banking, manufacturing, 
and retail--and I was always asked about return on investment, 
how much to spend and how best to leverage cybersecurity 
investments. The truth is we had no easy answers except, of 
course, to buy our products.
    We need to be able to conduct science-based cyber 
experimentation and tests just as in other scientific 
disciplines, real hypothesis-based testing, what-if scenarios, 
repeatable, demonstrable results. We provide this in the DHS- 
and NSF-funded DETER project where we provide tools and 
methodologies for researchers to live in the future creating 
new capabilities not yet imaginable. We must as a Nation create 
a paradigm shift in experimental cybersecurity. While NSF, DHS 
S&T, DOE, and DARPA have all invested in cyber testbeds and 
ranges, the results are uneven and not widely available.
    And this brings me to my second recommendation. Formulate a 
research strategy agenda to develop a broad multi-
organizational cybersecurity experimentation and testing 
capability.
    Let me now address technology transfer. We have had major 
investments over the last 20 to 30 years, yet we are still 
inadequately prepared. Much research fails to see the light of 
day. While historically we have had insufficient awareness of 
the complexity of cybersecurity tech transfer, we have had 
scattershot approaches to cyber R&D, and a mismatch between 
markets and threats. To address these growing demands, it is 
imperative we create new models of technology transfer where 
the government-funded efforts help steer strategic 
cybersecurity R&D and their new university public partnerships.
    As I have said already, we need to finally have education. 
More than just training, we need to educate the next generation 
of researchers and technologists and we need to do this by 
offering hands-on exercises and educational opportunities.
    Let me summarize. We are beginning to see progress in all 
of these areas. NSF, DHS, and others deserve recognition for 
the focus they have brought to strategic programs. However, the 
current steps are not enough. We are lacking by orders of 
magnitude. In order to shift the dynamic in the battlefield, 
the Security Enhancement Act of 2013 includes provisions for 
these recommendations. Taken together, the four recommendations 
I have outlined today form a basis for multipronged, 
sustainable, national projects to address R&D challenges, and I 
urge you to take action now. Thank you for your time.
    [The prepared statement of Ms. Benzel follows:]

    [GRAPHIC] [TIFF OMITTED] T9926.030
    
    [GRAPHIC] [TIFF OMITTED] T9926.031
    
    [GRAPHIC] [TIFF OMITTED] T9926.032
    
    [GRAPHIC] [TIFF OMITTED] T9926.033
    
    [GRAPHIC] [TIFF OMITTED] T9926.034
    
    [GRAPHIC] [TIFF OMITTED] T9926.035
    
    [GRAPHIC] [TIFF OMITTED] T9926.036
    
    [GRAPHIC] [TIFF OMITTED] T9926.037
    
    [GRAPHIC] [TIFF OMITTED] T9926.038
    
    [GRAPHIC] [TIFF OMITTED] T9926.039
    
    [GRAPHIC] [TIFF OMITTED] T9926.040
    
    [GRAPHIC] [TIFF OMITTED] T9926.041
    
    [GRAPHIC] [TIFF OMITTED] T9926.042
    
    [GRAPHIC] [TIFF OMITTED] T9926.043
    
    Chairman Massie. Thank you, Ms. Benzel.
    I thank all the witnesses for their testimony today. 
Reminding Members that Committee rules limit questioning to 
five minutes, the Chair will at this point open the round of 
questions. And I now recognize myself for five minutes.
    Mr. Barrett, as a representative of private industry, it 
was good to hear you acknowledge that it is PayPal's 
responsibility to ensure security for PayPal's customers. But 
you alluded to some gaps in the research that exists and that 
there might be a role for the Federal Government to fund 
research in these gaps. Can you motivate the need for federal 
funding in this area and then also talk about what some of 
those gaps are?
    Mr. Barrett. Yes, I alluded to this problem a little bit in 
my oral testimony. Essentially, we have a problem at the moment 
which is we actually don't know how bad the problem is. We--it 
sounds perverse to say it that way, but essentially, there are 
hugely disparate estimates that you see flying around in 
various publications of the scale of the problem. Everybody 
agrees it is getting worse, but I have three rhetorical 
questions that I would like to ask and they are significant 
ones. And actually, at the moment, I defy anybody to answer 
them.
    So again, I am purely talking about cybercrime, not cyber 
terrorism or cyber warfare. So I work for a commercial 
enterprise so we have a narrow worldview.
    So the questions are these: how much money is lost to 
cybercrime on an annual basis in the United States alone? And I 
am not talking about how much money people like me spend on 
running a defensive team. I am actually talking about dollars 
that our customers--and therefore we--lose. So that is question 
one.
    Question two is where does it go? Is it all going back into 
the United States or is it going overseas? And what are the 
distributions of country? Now, various people in my industry 
have various hypotheses about where it is going, and certainly, 
my team has all sorts of interesting hypotheses. But 
fundamentally, it is unsupported by large-scale data.
    And then finally, do those countries actually have good 
programs themselves to manage cybersecurity, and do they in 
fact prosecute cyber criminals? Do they even recognize 
cybercrime violations as being violations of law or are they 
just oh, well? It is kind of the equivalent of doing some 
antisocial act and there are no consequences.
    We have no answers to those questions today and they are 
really important ones that I think are at the heart of what the 
Federal Government could do to help understand the problem 
better.
    Chairman Massie. Thank you.
    My next question is for Ms. Benzel.
    In this bill we are contemplating expanding funding at 
universities which are typically open universities where 
sharing is encouraged. And you mentioned the DeterLab at your 
institution, which is funded by DHS and DOD I think. Can you 
tell us or give us some level of comfort that we wouldn't be 
funding efforts that could then be used by our adversaries? 
Thank you.
    Ms. Benzel. Being part of a major university and having a 
deep faith in the need for education, we do run an open 
facility. It is funded, as I said, by Department of Homeland 
Security. And so the DeterLab is a national--and yes--it is an 
international resource that is available for anyone to be able 
to use. Obviously, we vet our users. Our approach within the 
DETER system is to be looking at defenses. And defenses need to 
be something that can be openly developed. Looking at security 
by obscurity is sure to get us into trouble.
    Now, having said that, I am being a deep believer in being 
able to educate our next generation and to do publications, et 
cetera, there are opportunities to do research in other 
environments which might be more closed and might be providing 
some classified support for. But we advocate an openness in 
educating the next generation. Thank you.
    Chairman Massie. Thank you very much. DeterLab makes a lot 
more sense than DeterLab.
    Ms. Benzel. We do try and deter the attackers as we say. 
Thank you.
    Chairman Massie. Okay. I now recognize Ranking Member Ms. 
Wilson for five minutes.
    Ms. Wilson. Thank you, Mr. Chairman. Mr. Chairman, as 
outlined in my opening statement, a few of the agencies within 
our Committee's jurisdiction have indicated that sequestration 
could impact their cybersecurity research and development 
portfolios. I would like to place two letters in the record, 
one from NSF and one from DHS, detailing those potential 
impacts.
    To all, in his testimony, Dr. Chang recommends that the 
legislation raise the trajectory of cybersecurity research and 
development spending from its historical levels because it 
would create long-term benefits in our effort to improve the 
Nation's cybersecurity posture. As you are all likely aware, 
sequestration is set to take effect on Friday. Sequestration 
will cut federal R&D budgets by 8.2 percent, and agencies like 
NSF and DHS have indicated that research in cybersecurity may 
be affected.
    How would the security posture of the United States be 
impacted if sequestration were to take effect and cybersecurity 
research and development was significantly cut? Dr. Chang?
    Dr. Chang. In the 2010 CSIS report, we reported a number of 
about 2/10 of one percent of the federal R&D budget was spent 
on cybersecurity. And I looked recently. That number is just a 
little bit larger now. If you think about the priorities that 
the Nation is now placing on cybersecurity, the fact that it is 
something less than one percent seems to be a small number. It 
is not for me to determine what the priorities are but that 
just strikes me as a sort of a low number.
    I guess I am suggesting that it needs to be a long-term 
prospect. I mentioned this analogy with planting trees. I am 
suggesting that we need to plant a few trees to place some bets 
on some research issues that are going to build over time. 
Research certainly won't guarantee answers, but as I mentioned 
as related to infectious diseases, we need to understand 
causes. We need to understand solutions. We need to understand 
countermeasures. We know how to do it. We have done it before. 
We have gone after large public programs before. And my 
suggestion is research is required to make some long-term bets 
and begin changing the vector on what the defensive posture 
looks like.
    Ms. Wilson. Ms. Benzel?
    Ms. Benzel. Yes, I think that we have begun to see some 
progress in the funding, of course, at a very small level as 
Dr. Chang says in being strategic about our cybersecurity R&D. 
If we are to slow that down as a result of funding cuts with 
sequestration, then we have set ourselves back. We are already 
on the losing end of an asymmetric battle. And giving our 
adversaries another year to gain a leg up while we fight our 
own internal budget is only going to make the situation much 
worse.
    You know, as it is with funding cycles with places like the 
National Science Foundation it takes close to a year from the 
time I, as a researcher, have an idea, submit that idea, and 
get a contract. And so again introducing another delay as a 
result of the budget battles is only going to set us back. And 
in particular, a point in time when these agencies have become 
much more strategic, better coordinated, and better focused in 
their research. We have researchers in the pipeline. We have 
projects that are happening today, and we can't afford to stop 
them, slow them down, or lessen and weaken their effects while 
the adversaries are on a dramatic increase as we have seen 
recently.
    The change that we see in the adversarial landscape in the 
last year is ten times what we saw in the ten years before. And 
so any gap in funding is going to be extremely detrimental. 
Thank you.
    Ms. Wilson. Thank you, Mr. Chair.
    Chairman Massie. On the gentlelady's request to include two 
letters in the record?
    Ms. Wilson. I have them.
    Chairman Massie. Without objection, so ordered.
    [The information appears in Appendix II]
    Chairman Massie. I now recognize Chairman Bucshon for five 
minutes.
    Mr. Bucshon. Thank you, Mr. Chairman.
    And there has been some emphasis on the importance of 
social science research and cybersecurity, among other areas, 
partly because so much security has to do with human behavior. 
And the Cybersecurity Enhancement Act supports this type of 
work in Section 104 of the legislation.
    The question is--I will direct this to Mr. Barrett first--
is--let me say a couple of things that have been funded 
recently--$1.2 million to pay seniors to play video games, 
$764,825 to study how college students use mobile devices for 
social networking. So with these type of things being funded, 
how should we prioritize social science research conducted by 
the National Science Foundation to ensure that such work is 
focused on critical national needs such as cybersecurity?
    Mr. Barrett. I am not sure whether it is necessarily proper 
for me to have an opinion on how Congress should prioritize the 
work of the National Science Foundation, but I do think there 
are key research gaps, and certainly, in a number of areas in 
part about cybersecurity education, which is woefully lacking 
across the spectrum from young kids up through college-level 
curricula and various different levels. As Dr. Chang alluded 
earlier, we don't frankly have enough information security 
professionals in the field. There is essentially a major skills 
shortage there. There was basically zero unemployment in my 
field throughout the recession. And that in its own right is 
saying something.
    Very clearly, there is a lot of work that can be done in 
understanding behavior around how people interact with 
computers from a security perspective. And that certainly is a 
topic worthy of research. Because if you don't understand how 
people use the computers, especially for security tasks, then 
it is very hard to see what you can do with them. But I 
should----
    Mr. Bucshon. Yes, thank you very much. And again, the 
Cybersecurity Enhancement Act supports this type of work.
    Dr. Chang, do you have anything to add?
    Dr. Chang. I do. Thank you. I mention in my written 
testimony that cybersecurity is a wicked problem, wicked not 
meaning evil but wicked being resilient to solution. A 
characteristic of the wicked problem is that what you believe 
is a solution may actually make things worse. As it relates to 
that kind of the human component, I am reminded of a concept 
known as risk homeostasis, and that is basically the idea that 
people have sort of a risk level that they generally operate 
at, and if they believe that something is now more safe, they 
will actually act riskier.
    There are some classic experiments showing that when taxi 
drivers are given better safety on their taxicabs, let us say 
antilock brakes, you would think that the incidents of 
accidents would actually go down because the cars are safer, 
you can steer better and stuff at high speeds. It turns out 
that the level of accidents might actually go up a little bit 
because the taxi driver started thinking they were safe and 
started driving faster and causing more accidents.
    Same thing might be happening in cybersecurity such that 
you are actually making--you are telling the user that they are 
actually now more safe. When they think now I am more safe, and 
now I am going to start doing riskier things. And so it is just 
a sort of very complex thing where you have the best intention 
that a solution is making something better but it actually 
makes it worse.
    Mr. Bucshon. Thank you. And this will be directed at Ms. 
Benzel. I am a parent. I have kids. And I know how my kids 
almost shut down one of my computers, essentially a black 
screen. I had to get a computer guy to come out and get it 
back, and there were literally hundreds of viruses and Trojans 
and everything else. So I mean I am amazed at what children can 
do on a computer. And however, there are threats that are 
directed at all of us through children. Does the current 
parental control technology adequately protect minors against 
this type of threat if used properly or are there areas of 
research and developmental efforts to address this?
    Ms. Benzel. Yes, I would have to say I am not a particular 
expert in the current set of parental control technology that 
is out there. I believe that looking at how we model the human 
behavior and understanding, as Dr. Chang said, the relationship 
between the way people use their computers. And I am just as 
concerned about our children as we are to the seniors or the 
uneducated users. And so I believe that we do need to advance 
that technology, but I would have to get back to you on the 
state-of-the-art in the current parental technology.
    Mr. Bucshon. Thank you. I yield back.
    Chairman Massie. Thank you. I now recognize Mr. Lipinski 
for five minutes.
    Mr. Lipinski. Thank you, Mr. Chairman.
    As many people here know, I am a--used to be--maybe I still 
am--a political scientist, and I know that there is--I have 
seen plenty of bad social science research in my time. But I 
think it is important--and I am not trying to start a fight 
here on this but I know that the--I pay attention--I look to 
see what is going on and what is being said about some of the 
supposedly bad research that is being funded. And my 
understanding is--was the $1.2 million videogame claim was 
given a pants-on-fire by PolitiFact because it was helping to 
study how to keep seniors sharp and keep their cognitive skills 
up as they are getting older.
    But that said, I mean there is some bad research but we 
need to be doing good research. Obviously, there are--as all of 
you have pointed out--social science research and how people 
interact is key because it is one of the weakest links that we 
have right now in cybersecurity.
    I wanted to ask about technology transfer. Ms. Benzel had 
mentioned barrier technology transfer in your testimony. I have 
a great deal of interest in this, particularly in areas like 
cybersecurity. It is vital that we translate as much federal 
research as possible to new products and new companies that we 
can help keep our cyber infrastructure secure, and also it has 
the added benefit of creating new jobs so long as we can also 
address the workforce and education issues that our witnesses 
have raised.
    But I just want to ask the panel, what steps can Federal 
Government take the best partner with industry in encouraging 
technology transfer in the cybersecurity sector? Ms. Benzel?
    Ms. Benzel. Yes, thank you very much for your question. It 
is an important area.
    So we do need Federal Government to help us fill the gap 
between the university research and industry. And I think I can 
speak somewhat authoritatively to that having spent much time 
in a university, as well as being a Vice President of Research 
at McAfee. We have all heard about the Valley of Death.
    So we really do have some models that are broken between 
expecting that industry can just pick up and take research 
prototypes that have been developed in a university kind of 
setting. So we need strategic funding which pushes us in a 
particular direction with an awareness. The DHS S&T program run 
by Dr. Doug Maughan has introduced new efforts to work with VCs 
to its signet organization to be able to get venture 
capitalists and to have the researchers be aware of technology 
transfer from the day that they write their proposals.
    The National Science Foundation had introduced its 
Transition to Practice. I am arguing that we need a lot more of 
these sorts of things where we have very early-on awareness of 
where we want to go. And as a researcher, we want to do the 
fundamental basic research, and that is absolutely necessary. 
But as researchers, we also want to see our work have an 
impact. And we need help in working with the different types of 
organizations. And that is where we call for, as the bill 
currently does, industry partnerships with venture capitalists, 
with different kinds of technology organizations. There is 
really nothing currently in that middle to help fill the gap 
between the research dollars and the product dollars. And I 
have to say, unfortunately, it is not realistic to believe that 
industry can simply pick up and do it. Industry is focused on 
its near-term market, next quarter features, and are totally 
market-driven and sales driven, particularly in today's 
economy. And so we need some bridging dollars which should come 
from combinations of university, public/private partnerships, 
and federal funding in that new area.
    Thank you very much.
    Mr. Lipinski. Dr. Chang, do you want to add something?
    Dr. Chang. Sure. I will just support what Terry mentioned.
    There is this model I like to use: technology transfer is a 
contact sport. So it is not uncommon for the private sector to 
establish sort of I guess what you might call lab-lets or sort 
of mini-labs with the university. And the folks in the private 
sector would work sort of shoulder-to-shoulder with the folks 
at the university such that when an innovation is developed, it 
isn't sort of tossed over the cubicle wall and you would like 
for the private sector company to incorporate it. But rather, 
they are generated together.
    To the extent that this kind of notion, of kind of, working 
hand-in-hand between the government, between the private sector 
and academia would be representative of this notion of let us 
develop the technologies together. Technology transfer is a 
contact sport. Let us have them work together. I think that is 
a useful concept here.
    Mr. Lipinski. Thank you.
    A quick question. Mr. Barrett mentioned NSTIC. I just want 
to know when will we be able to do--instead of having 
passwords, have a thumbprint that we use to identify ourselves?
    Chairman Massie. Very quickly, please.
    Mr. Barrett. Yes, we are actually working on that. That is 
the FIDO Alliance work that I mentioned at the beginning, which 
is trying to develop open standards to actually make those kind 
of technologies become much more widely used. And I think you 
will actually see products deployed in the market before the 
end of the year that do exactly that.
    Chairman Massie. Thank you.
    I now recognize Mr. Hultgren.
    Mr. Hultgren. Thank you, Chairman. Thank you all for being 
here. I appreciate it very much.
    This would be first addressed to all of you. My 
understanding is this growing mass of data that is available 
online certainly has implications for cybersecurity. In some 
ways, I know the data can be analyzed to help identify 
potential cyber threats, but I also know in another way the 
data provides bad actors with additional opportunities to 
exploit that data.
    I wonder can you discuss how the emerging big data 
phenomenon poses both challenges and opportunities for 
cybersecurity research and development, and also just any 
recommendations you might have for policymakers to address this 
phenomenon in a beneficial way and not a harmful way?
    Dr. Chang. Sure. I guess I will kind of mention the notion 
of dual use. So many of the cyber technologies are so-called 
dual use. So my company, 21CT, Inc., basically has capabilities 
to analyze big data to sort of find suspicious behaviors in an 
attempt to improve the defensive posture of somebody's network. 
At the same time, an adversary could use similar technologies 
to sort of target folks similarly to look for vulnerabilities 
and so forth.
    So it is always kind of a really important kind of 
balancing act and kind of risk assessment proposition such that 
you will always know that the technologies that could be used 
for defense could potentially be flipped over. So it is 
important to kind of understand both sides, understand the 
technologies deep enough and then make sure you sort of come to 
the right balance point.
    Ms. Benzel. Well, as a researcher I find big data to be 
very exciting. From the research point of view and networking 
and network cybersecurity, we have always been lacking in data. 
And so again, DHS has its PREDICT program and some of the 
researchers in my organization have done some really 
groundbreaking work at analyzing the data, mapping the 
Internet, the first Internet census to give us information both 
about the known spaces and the dark spaces.
    Clearly, in all of our research, there are two sides to it 
and we need to be very understanding about how things could be 
used against us.
    I say the other point to also bring in to this discussion 
about big data are issues with privacy. And so as citizens, we 
need to understand how the data is being used, stored, and 
moved about in transit.
    Mr. Hultgren. Mr. Barrett, before you answer, I would love 
to hear your thoughts on this as well, but I have one other 
additional question I would like to ask you so if maybe you can 
respond to both. We already talked a little bit about 
authentication--online authentication and the challenges there. 
I understand many European governments issue voluntary 
electronic identification cards combining two unique 
identifiers to serve as a type of online passport. But for 
various reasons, I believe the United States is unlikely to 
endorse any sort of government-sanctioned identification 
mechanism. I understand businesses have been working for years 
on providing different online identity schemes to consumers and 
that the Administration's National Strategy for Trusted 
Identities in Cyberspace, or NSTIC, intend to use that work to 
find common standards for online identities.
    I wondered in your view should the government be involved 
at all in this process? If so, is NIST the appropriate agency 
to coordinate the effort? How do we ensure privacy? And what 
prevents this effort from eventually resulting in regulations 
that inhibit innovation?
    Mr. Barrett. So we have been enthusiastic supporters of the 
NSTIC initiative ever since it was first proposed. Simply 
because, as Congresswoman Lofgren said when she introduced me, 
a decade ago I chaired the Liberty Alliance, which is an open 
standards organization in the identity management space. It has 
actually proven quite difficult to develop really large-scale 
identity ecosystems on the Internet.
    We show a lot of promise for users, and so tying that back 
to the question about breaches in big data, the silver lining 
in the cloud of all of the data that has been published in last 
few years essentially as a byproduct of criminal activities is 
that we now actually understand how consumers in large-scale 
use passwords in particular. And the answer is a depressingly 
large number of them, something like 2/3 of them, use the same 
password absolutely everywhere they go on the Internet, with a 
net effect that their security of every single account they 
possess is now the security of that least secure place they 
visited.
    And so having an ecosystem that is built around consumers 
managing their own identity online and allowing the Federal 
Government to help kind of just appropriately nudge that but 
not place too constricting a role is very important. And that 
is actually why a guy on my team was the first Co-Chair of the 
Identity Ecosystem Steering Group so--
    Mr. Hultgren. My time is expired. Thank you all very much. 
Thank you, Mr. Chairman.
    Chairman Massie. Thank you.
    I now recognize Mr. Bera.
    Mr. Bera. Thank you, Mr. Chairman.
    As an academic physician who comes out of a research 
background, I truly appreciate the analogy with healthcare and 
what we do in medicine and the importance of doing research in 
our academic and research universities. The fact that we do a 
lot of experiments, that we look for solutions and we fail a 
lot, but we are constantly feeding that back into the system. 
And then we have that major breakthrough. Where we fall down in 
the academic centers--and Ms. Benzel touched on it--is we don't 
know how to then take those ideas to market.
    You touched on the issue of technology transfer and how 
important that is. I am a firm believer that we would not be 
able to do the research that we do without the Federal 
Government's funding of our academic centers. But we do need to 
do a better job with technology transfer.
    What would your suggestion be as a best practice model of 
taking idea to market given that you have worked on both sides 
of this?
    Ms. Benzel. Well, thank you very much. You know, I agree 
with Dr. Chang. It is a contact sport. We can't do the wait-
until-the-end-and-throw-it-over. And so I think the best 
practice model is early engagement. Engage early and often. So 
they say encouraging the fundamental research funding 
organizations to call out for tech transfer from day one from 
the time you write your proposal and come up with your idea, 
opportunities for communications and meetings with a variety of 
industry partners, opportunities to understand the needs that 
are out there and to work with different kinds of funding 
models both with things such as venture capital organizations 
who might be willing to take some of the risk in early 
technology and also on the university side.
    So at the University of Southern California we have the 
Stevens Institute that works with our researchers early on. So 
early and often. Thank you.
    Mr. Bera. Absolutely.
    Now, also as a former Associate Dean out of University of 
California Medical School, we focus a lot on the workforce 
issue recruiting the best and the brightest and then retaining 
those individuals. You know, on the issue of cybersecurity, on 
the issue of making sure we have the computer science 
professionals, we don't have enough engineers in this country 
and we are not graduating enough engineering students or 
programmers. In other sectors of IT we are certainly trying to 
get that workforce from abroad. But on the issue of 
cybersecurity, we need a homegrown workforce because this--
these are issues that are critical to national security.
    Dr. Chang, you touched on this a bit. What are some models 
that we can use to continue to recruit and retain the best and 
the brightest to go into areas of information technology and 
then go into both the service sector working for the Federal 
Government, working for our Department of Defense and 
Department of Homeland Security? Because they can make 10 times 
as much going off into the private sector but we need some of 
the best and the brightest working to protect our country.
    Dr. Chang. I was recently in a meeting with some folks in 
Austin where we talked about a very sort of broad approach that 
would incorporate trying to recruit students of many ages in 
many disciplines. There is a program that has recently started 
in New Jersey. It is referred to as Cybersecurity Centers, and 
they basically have these kind of initial competitions that 
begin attracting people from all walks of life, maybe former 
military. There are 16 roles, just a whole group of folks. And 
then depending on how they do in that initial competition--and 
it is a fun competition. It sort of capitalizes on people's 
interest in just competing and sort of a person-on-person 
competition. And then depending on how you do with that, the 
people who are more skillful sort of move on.
    But it is this notion of can we come up with ideas that 
attract many, many people, and then if they have a particular 
propensity to kind of move forward, then you can kind of winnow 
them down. I mentioned that there was this need for extremely 
technical deeply elite people. But you have to have a broad 
funnel to kind of bring them in and then a way to successfully 
kind of pull out the people who operate the highest levels.
    Mr. Bera. Wonderful. So playing off of what you just 
mentioned, I would ask our Committee to look at returning 
veterans, men and women who have already shown their patriotism 
to this country, already understand the service to our Country 
and the immediate need to protect ourselves and looking for 
strategic ways to get those folks engaged through our modern GI 
Bill and so forth to get these skills.
    I yield back.
    Chairman Massie. Thank you.
    I recognize Mr. Schweikert.
    Mr. Schweikert. Thank you, Mr. Chairman.
    Mr. Barrett, first off, you have a bunch of PayPal folks in 
Scottsdale, don't you? Yes, it is--when I am in-district, I 
seem to start every morning having coffee with them. We all 
attend the same Starbucks. As a company, you have been trying 
to roll out a number of different products, you know, cell 
phone billfolds or some of those types of mechanics. When we 
are talking about cybersecurity, how much is the threat on this 
site slowing down your adoption and introduction of new 
products?
    Mr. Barrett. That is a really interesting question. It is 
hard to measure. There is certainly good evidence that 
consumers have been worried about security aspects of Internet 
solutions ever since the beginning of the Internet. And there 
is certainly some evidence that they care in the same way about 
mobile solutions, for example, and that they want to see that 
they are appropriately protected in those areas.
    The difficulty, of course, is in saying how much does the 
apparent lack of those features really impact their adoption? 
And so, for example, if you see a--one solution that has a lot 
of barriers to it, in terms of it is hard to use and has a lot 
of security features; but on the other hand, you have another 
very similar product that was much easier to use because it 
didn't have all these apparent security things that you have to 
do. Whether or not the consumers actually believe that, the one 
with the more security features is actually safer. And that 
ties back to the initial research we were talking about a 
little while ago.
    Mr. Schweikert. Well, Mr. Barrett, some of that is the 
adoption side. I am interested on your engineering side. Is it 
a suppressing effect to the design, you know, studio you would 
have on the introduction of new technologies?
    Mr. Barrett. If I am understanding the question correctly, 
it would depend on how much overhead we impose on the 
engineering teams in terms of how much we try to partition them 
and so forth. So, if we were working on confidential projects, 
then clearly we will partition those off as well as, yes, we do 
impose a number of security overheads as we develop those 
applications. But it is a--it has lots of tentacles in terms 
of----
    Mr. Schweikert. It is just having a fixation on expansion, 
economic growth, and new technology. I have always wondered how 
much of a suppressing effect I have over here.
    Mr. Chairman, Ms.--is it Benzel?
    Do you agree with Mr. Barrett's earlier comments that we--
it is hard to have a quality census of how many bad actors, bad 
events, bad things that are actually going on in the cyber 
marketplace?
    Ms. Benzel. Well, most absolutely. I thought his questions 
were very astute and exactly right on. So----
    Mr. Schweikert. So as a Member of Congress, where would you 
send me if I really wanted to get from your academic, sort of, 
view of the world as much data saying, look, here is what the 
best census we have of banking attacks and this type of 
attacks? Or where would you go?
    Ms. Benzel. I think that is a very hard question. I mean, 
clearly, some of our intelligence agencies on the dark side 
have a good census of some of the levels of attacks that are 
happening, particularly in nation-state and against nation 
targets. The different industries tend to keep those things 
pretty closely held. Now, some of the work that has been done 
in the past to set up the Information-Sharing and Analysis 
Centers, the ISACs, are places where that knowledge is known 
but held close to the chest.
    Mr. Schweikert. Okay. And so right now, you are not sure 
there is a good collection of the census, shall we say?
    Ms. Benzel. Oh, I don't believe so.
    Mr. Schweikert. Okay. Mr. Chairman, Dr. Chang--and sorry, I 
am down to just a few, but you actually started to touch on 
something that I would love to have an extended discussion with 
you. And that is, how do we finance ourselves right now? Right 
now, we are sort of in a classic academic sort of model of 
finance, primary research. And hopefully, there is something 
that comes out of it.
    But what you were describing a little while ago in your 
experience sounds more like almost the X-prize-type mechanic of 
bringing people together, whether it be a garage engineer or an 
academic. And the person that produces something great gets to 
move forward. Do you think it is time we also start to wedge 
and design some other ways to finance innovation here?
    Dr. Chang. I will answer that in--maybe in kind of in 
connection with the question you asked to Mr. Barrett. 
Basically, security today is not where it needs to be, and 
fundamentally, somebody is going to have to pay to move 
security up. It will be the government because they have to 
prosecute more criminals. It will be software companies because 
they have to make software more secure. It will be people 
because people are bearing losses.
    So overall I would love to have a longer conversation.
    Mr. Schweikert. Mr. Chairman, thank you for your patience. 
Sorry.
    Chairman Massie. Thank you. If Dr. Chang would like to 
respond in writing for the record, that would be fine.
    I now recognize Ms. Esty. Oh, I am sorry. Mr. Peters. 
Sorry.
    Mr. Peters. Thank you, Mr. Chairman.
    And I appreciate the chance to be here today. This is an 
important industry in my district as well in San Diego, both 
because we are developing a lot of the software and also 
because the Navy has a lot of--or the military has a lot of 
interest in the field.
    And Dr. Chang, I am glad you are a UCSD grad, too. I 
appreciate that.
    My question is sort of, you know, we know that--I think it 
was yesterday that the Global Information Security Workforce 
Study from Booz Allen Hamilton said that 56 percent of 
cybersecurity professionals feel that security organizations 
are short-staffed and that the cybersecurity field is projected 
to grow 11 percent annually over the next five years. And so 
there is--I think it is widely understood that there is a gap 
in the workforce. But what I am sort of interested in is what 
are the--what is the field of cybersecurity from an academic 
sense? You described it as an interdisciplinary exercise. We 
know it is not just computer science or software. But if you 
were trying to certify someone in cybersecurity, kind of--do 
you have a sense--maybe you can help me understand what it is 
that that person would need to know. And that is for anyone.
    Dr. Chang. Sure. I can start. So there are the traditional 
disciplines that you learn in computer science about 
programming, about algorithms, about discrete math and so 
forth. You would add some elements to that in order to focus 
more specifically in cybersecurity. And so you would add more 
about networking, perhaps more about analysis. There is this 
interesting conversation happening at universities now where 
they talk about--that there is a classic computer science major 
and that maybe there ought to be a cybersecurity major as well.
    So there are many things in common but it is different 
enough such that it is worth an interesting dialogue about the 
extent that there is the creation of a specific major in 
cybersecurity.
    Mr. Peters. Well, I guess I think it would be helpful for 
us because the intent of the legislation before us is to kind 
of secure our future in that. But if we don't know kind of what 
we are educating--if you don't understand--if you don't have a 
sense or a consensus about what it is we are seeking to educate 
people in, we are going to--I think we face some of the 
concerns that we are not going to be or that the money is going 
to be bleeding, or we are not going to be effective?
    So if it is anthropology or if it is law in addition to 
these technical things, is there a way to land that plane?
    Ms. Benzel. So first off, I think you need to make a 
distinction between education and training. So many of the 
training organizations and CISSP certifications, that is one 
level of something that is about operations and being able to 
run things.
    And then there is the education challenge in terms of 
creating new researchers and new educators and Ph.D.'s. I think 
that we are just as a community--as Dr. Chang said--beginning 
to put forth master's curriculums in cybersecurity. USC is just 
about to introduce one starting next fall. And really, there 
are different fields. So cybersecurity is not one narrow field. 
So there are cybersecurity researchers in defenses, in active 
security, in mathematical analysis, in networking. And so even 
in a master's degree, there will be specializations in these 
different areas drawing from primarily a computer science 
curriculum but also some engineering, some systems kind of 
work, networking, and then bringing in an understanding of 
human behavior.
    Mr. Peters. I guess there is going to be some sense we are 
going to have to keep adjusting as we go.
    Ms. Benzel. That is right. There is not one answer that 
fits all.
    Mr. Peters. Mr. Barrett, maybe quickly, you might touch on 
the first of your rhetorical questions which is how much money 
are we losing? Do you have a sense of how we go about answering 
that question?
    Mr. Barrett. I believe the answer is we need to put in 
place more detailed reporting frameworks in order to actually 
ascertain the scope of the problem. Because the estimates range 
all over the place, I mean as low as a few billion up into the 
trillion range. My own personal view is it is probably in the 
tens of billions of range. But that would be hard to----
    Mr. Peters. That would be something that would be done by 
industry presumably. Is that right?
    Mr. Barrett. I believe so, yes.
    Mr. Peters. Okay.
    Mr. Barrett. It certainly could be done. A reporting 
framework could be developed, but at the moment, what we have 
is entirely voluntary and it models how much money is lost with 
how much the company spends on defenses, and those two numbers 
are quite different as well. And how much do you turn away?
    Mr. Peters. Again, I very much appreciate your being here.
    Thank you, Mr. Chairman.
    Chairman Massie. Thank you.
    I want to recognize Ms. Esty--Etsy.
    Ms. Esty. Esty, not the crafting website. Although I would 
be much wealthier if it were mine.
    Thank you very much, Mr. Chairman.
    For Dr. Chang and Ms. Benzel, both of you had talked about 
the need to create a science of cybersecurity. And if you can 
elaborate a little bit on that, what are the metrics we would 
need? If we don't know right now if a company is more secure 
than it was a month ago, where do we even start with this? What 
sort of research do we need? What sort of metrics do we need to 
develop so that we even know what we are talking about?
    Dr. Chang. Well, that is one of the key issues. We actually 
don't have the right language, the right set of metrics to even 
begin to understand this notion of whether my--the computer 
this year is more secure than it was last year, if this 
computer is more secure than somebody else's.
    There is kind of this idea of understanding the limits of 
what is possible. So that is what a science allows you to do. 
Can I understand how secure something can be? We sort of don't 
know, kind of what is possible, you know, what are kind of the 
control bounds. Cybersecurity is an adversarial science. And 
like anything adversarial, we will probably never completely 
eliminate it. But if we can establish some sort of control bars 
that basically say we are going to make it harder for an 
adversary to kind of get through and maybe the difficulty that 
their--you know, if we make it too hard for them to get 
through, then, they will quit trying. But it is this motion of 
kind of setting some control bars and trying to keep it within 
that. We certainly won't eliminate crime.
    Ms. Benzel. So we advocate being able to do experimental 
science. So in many other sciences we have workbenches and labs 
and we can go in and we can also repeat our peers' experiments 
and be able to understand what they are. Unfortunately, in 
computer science and in--particularly in cybersecurity, the 
experiments are very ad hoc. And so it might work once or it 
might work in my lab or in my example.
    This is one of the challenges also in technology transfer. 
It may have worked in some researcher's lab under some 
conditions, but I don't know that it is really going to work. 
So what we really advocate is that we need an experimental 
science where we can create hypotheses, we can do an 
experiment, see the results, modify some parameters, rerun the 
experiment. And my colleagues similarly have an opportunity to 
do that just as they would in any of the hard sciences.
    Ms. Esty. Are there any of the federal agencies that are 
actually doing work on this notion of the metrics that we would 
even use to measure?
    Dr. Chang. I am aware of some work that has started at 
NIST, and I would tell you I haven't looked at the work in more 
detail. I probably need to. But I am recalling from some years 
ago, oh, maybe 2009 or 2010 within the Computer Security 
Division at NIST, they started up a program in metrics. It is 
something I would need to look at further. But I believe there 
is some activity happening.
    Ms. Benzel. Metrics is a very difficult area in security 
and has plagued us for a long time. I would say that DARPA has 
started some work there and some very fundamental research. The 
National Science Foundation and DHS S&T always include metrics 
as a research topic in their calls.
    Ms. Esty. And one final question. As I know some colleagues 
and friends of my son who is a junior in college, if you could 
elaborate a little bit more on this adversarial science notion 
because I think it is different--it strikes me as different 
than a lot of times what attracts people to science and a sense 
of the purity and how you go about thinking about recruiting 
young people designing programs--if they need to have this 
back-and-forth adversarial approach.
    Dr. Chang. I would have to do some more thinking about 
this, but the models of the human immune system strike me as a 
reasonable model. So basically, the human immune system is 
fighting off adversaries of all kinds. And it is just sort of 
amazing how versatile and how flexible the human immune system 
is. The human immune system--by the way, about one percent of 
human cells are leukocytes, are actually defensive. So when you 
think about the body is basically allocating about one percent 
of its cells to defense, that is a pretty substantial number. 
If you look at the number of lines of computer code, I doubt 
one percent is dedicated to defense.
    The other model that seems to make sense to me in terms of 
the science is in the field of actually agriculture. So 
agriculture also has pests, and the pests try to eat the crops. 
And you can either make the crops more resilient or you kill 
the pests. I mean that is another sort of adversarial model 
that seems to be relevant.
    Chairman Massie. Thank you. I want to thank Chairman McCaul 
for his initiative with this bill and his persistence in 
reintroducing it and especially his patience today.
    And I recognize him now for five minutes.
    Mr. McCaul. I thank the Chairman.
    And Dr. Chang, let me say thank you for your service on the 
CSIS Commission and to the Nation and to the University of 
Texas in Austin.
    And Ms. Benzel, I agree with you our adversaries are moving 
forward, moving ahead. They are attacking our federal agencies 
every day. In support--and building a record in support of this 
legislation, I see this bill doing several things, applying 
NIST standards to the Federal Government. It provides--it 
bolsters research and development in this area, a private-
sector university federal task force, education and awareness 
piece and procurement standards within the Federal Government.
    And I would like to go through each of you and if you could 
tell me how you believe--if you do--that this legislation will 
advance the cause for enhancing cybersecurity for this Nation. 
Mr. Barrett?
    Mr. Barrett. I would give a very brief answer which is 
maybe not quite so brief.
    In general, philosophically, we think that cybersecurity, 
as Dr. Chang said, is a wicked problem. And as such, there is 
probably no single bill that could be passed that will, on its 
own, materially change the trend line. But on the other hand, 
the sort of lack of a grand unification theory shouldn't stop 
us from doing good work. And this bill would definitely appear 
to be falling into that place where it does no harm and it also 
does good work in the specific areas it has chosen.
    Mr. McCaul. That is a very good point. I think--I served on 
the Speaker's Cybersecurity Task Force, and our first action 
was to do no harm by legislation. So I appreciate you saying 
that.
    Dr. Chang?
    Dr. Chang. Thank you.
    So in advance of reading the bill if I could have picked 
two things that are critical to improving the Nation's 
cybersecurity posture it would be research and development and 
workforce development. And so this legislation to me is just 
right on target relative to addressing the top two problems. I 
guess I would add, as I mentioned in my spoken testimony, the 
notion that we need to be patient about this. You know, I guess 
it would be great if we could sort of plant a forest and all 
the trees turn into something that resulted in wonderful 
research. But we--I see this legislation as important in that 
it is at least planting a few trees. It allows us to plant 
some--a few things that will grow into the future.
    I would sure hate to be sitting here ten years from now, 20 
years from now still saying that we actually don't understand 
causes. We don't understand solutions. We don't understand 
countermeasures. And this legislation I believe begins planting 
a few trees. Thank you.
    Mr. McCaul. And thanks for making the point about the cyber 
workforce in the Federal Government. I think that is very, very 
important as well.
    Ms. Benzel?
    Ms. Benzel. Yes, thank you for the opportunity and thank 
you for your perseverance in this area.
    I agree with my colleagues. There is no one answer. It is a 
very difficult field. But I was quite--very impressed to see 
this particular bill in two areas that I would call out. And 
one is the technology transfer recognition of the difficulty of 
that problem. And I have worked in a number of different 
public-private partnerships over the years. I was part of the 
PCAST Committee back in the early 2000s. I see that the 
opportunity here to do some real planning around university 
kinds of partnerships and bringing the universities into it so 
it is a three--tri-part aspect is very exciting in the bill.
    The other one is in the science of cybersecurity and 
understanding that there is a need for research and development 
kinds of testbeds and experimentation. That is called out in 
the bill for experimental science.
    So I think technology transfer and experimental 
cybersecurity have a chance to be fundamentally changing. And 
of course the education and training are important, too.
    Mr. McCaul. Well, let me thank the witnesses for your 
expertise and for appearing here today.
    Mr. Chairman, thank you for allowing me to participate in 
this hearing even though I don't sit on the Subcommittee. And I 
look forward to the markup and hopefully overwhelmingly passage 
of the bill and signed into law by the President. Thank you. I 
yield back.
    Chairman Massie. Thank you, Chairman McCaul.
    In closing this joint hearing, I would like to recognize 
Chairman Bucshon for a moment to say a few words.
    Mr. Bucshon. Thank you, Mr. Chairman.
    I just want to remind everyone about a few facts. Overall 
spending in the Federal Government has gone up 17 percent since 
2008. This year, we are on track to spend $3.6 trillion with a 
tax collection of $2.7 trillion, which, by the way, is the 
highest amount in history that is being projected. We have 16.5 
trillion in national debt, over 1 trillion in annual deficits 
for the past five years running. Recently reported, 110 billion 
in inappropriate payments the government made just last year 
across a multitude of federal programs and the current 
sequester is 85 billion.
    I agree that spending cuts need to be more targeted. That 
is why the House has passed two bills over the last year that 
would target these cuts more appropriately. So I think that we 
are very well aware of research and development dollars that 
need to be there, not only on cybersecurity but other issues. 
And we will work towards this--a resolution that will help with 
that situation. Thank you. I yield back.
    Chairman Massie. Thank you.
    I want to thank the witnesses for traveling here today and 
for their valuable testimony and to the Members for their 
questions.
    Members of the Committee may have additional questions for 
you and we will ask you to respond to those questions in 
writing. The record will remain open for two weeks for 
additional comments and written questions for Members.
    The witnesses are excused and this hearing is adjourned.
    [Whereupon, at 11:33 a.m., the Subcommittees were 
adjourned.]
                               Appendix I

                              ----------                              



                   Answers to Post-Hearing Questions

Responses by Mr. Michael Barrett

[GRAPHIC] [TIFF OMITTED] T9926.044

Responses by Dr. Frederick R. Chang

[GRAPHIC] [TIFF OMITTED] T9926.045

[GRAPHIC] [TIFF OMITTED] T9926.046

Responses by Ms. Terry Benzel

[GRAPHIC] [TIFF OMITTED] T9926.047

[GRAPHIC] [TIFF OMITTED] T9926.048

[GRAPHIC] [TIFF OMITTED] T9926.049

[GRAPHIC] [TIFF OMITTED] T9926.050

                              Appendix II

                              ----------                              


                   Additional Material for the Record


          Department of Homeland Security letter submitted by
                   Representative Frederica S. Wilson

[GRAPHIC] [TIFF OMITTED] T9926.051

[GRAPHIC] [TIFF OMITTED] T9926.052

[GRAPHIC] [TIFF OMITTED] T9926.053

            National Science Foundation letter submitted by
                   Representative Frederica S. Wilson

[GRAPHIC] [TIFF OMITTED] T9926.054

[GRAPHIC] [TIFF OMITTED] T9926.055

                                 
