b"<html>\n<title> - DHS CYBERSECURITY: ROLES AND RESPONSIBILITIES TO PROTECT THE NATION'S CRITICAL INFRASTRUCTURE</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n DHS CYBERSECURITY: ROLES AND RESPONSIBILITIES TO PROTECT THE NATION'S \n\n                        CRITICAL INFRASTRUCTURE\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 13, 2013\n\n                               __________\n\n                            Serial No. 113-4\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC] [TIFF OMITTED] \n\n                                     \n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n81-458                    WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. 
Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nKeith J. Rothfus, Pennsylvania       Eric Swalwell, California\nRichard Hudson, North Carolina\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Chairman, Committee on Homeland \n  Security:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     3\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     9\n\n                               WITNESSES\n                                Panel I\n\nMs. 
Jane Holl Lute, Deputy Secretary, Department of Homeland \n  Security:\n  Oral Statement.................................................    10\n  Prepared Statement.............................................    11\n\n                                Panel II\n\nMr. Anish B. Bhimani, Chairman, Financial Services Information \n  Sharing and Analysis Center:\n  Oral Statement.................................................    47\n  Prepared Statement.............................................    49\nMr. Gary W. Hayes, Chief Information Officer, Centerpoint Energy:\n  Oral Statement.................................................    52\n  Prepared Statement.............................................    53\nMs. Michelle Richardson, Legislative Counsel, American Civil \n  Liberties Union:\n  Oral Statement.................................................    57\n  Prepared Statement.............................................    58\n\n                             FOR THE RECORD\n\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Chairman, Committee on Homeland \n  Security:\n  Prepared Statement of Dean C. Garfield.........................    44\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Letter From Bennie G. Thompson and Yvette D. Clarke............     8\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York:\n  Article, Best Security Team Gold Winner........................    41\n\n                                APPENDIX\n\nQuestions From Honorable Susan W. Brooks for Jane Holl Lute......    71\nQuestions From Honorable Scott Perry for Jane Holl Lute..........    72\nQuestion From Honorable Susan W. Brooks for Gary W. Hayes........    
72\n\n\n DHS CYBERSECURITY: ROLES AND RESPONSIBILITIES TO PROTECT THE NATION'S \n                        CRITICAL INFRASTRUCTURE\n\n                              ----------                              \n\n\n                       Wednesday, March 13, 2013\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                                            Washington, DC.\n    The committee met, pursuant to call, at 10:16 a.m., in Room \n311, Cannon House Office Building, Hon. Michael T. McCaul \n[Chairman of the committee] presiding.\n    Present: Representatives McCaul, King, Miller, Meehan, \nDuncan, Marino, Chaffetz, Palazzo, Barletta, Stewart, Rothfus, \nHudson, Daines, Brooks, Perry, Thompson, Sanchez, Jackson Lee, \nClarke, Richmond, Keating, Barber, Payne, O'Rourke, Gabbard, \nVela, Horsford, and Swalwell.\n    Chairman McCaul. The Committee on Homeland Security will \ncome to order. I appreciate everybody's patience. The Ranking \nMember should be here any minute now. The committee is meeting \ntoday to consider the cybersecurity roles and responsibilities \nof the Department of Homeland Security. I now recognize myself \nfor an opening statement.\n    I would like to first of all thank our witnesses for \ntestifying today and particularly Deputy Secretary Jane Lute, \nwho is testifying for the Department here today. I also look \nforward to seeing Secretary Napolitano in the coming weeks to \ndiscuss DHS's budget and its plan to maintain operations during \nthese challenging times.\n    The chart on the screen depicts the roles of each major \nagency protecting our Nation from cyber attacks. This chart was \nfirst presented to me by General Alexander at the NSA. And then \nseparately by Deputy Secretary Jane Lute over at the NCCIC \nfacility. The significance of this agreed-upon relationship to \nour National security is paramount. 
Each and every agency \ndepicted understands their roles and responsibilities, working \nin tandem to keep Americans safe.\n    The purpose of this hearing is to examine the Department of \nHomeland Security's role, capabilities, and challenges \nconcerning cybersecurity. There are many issues facing the \nDepartment. Today's hearing is an opportunity to focus on the \ncyber threats facing our homeland and how together we can \ndefend against them.\n    Cyber attacks come in all forms. America is the victim of \ncyber espionage. Countries steal our military and intelligence \ninformation. There are threats of cyber warfare from terrorists \nand economic cyber attacks from Iran and from China. These \ncountries are stealing our trade secrets and intellectual \nproperty. The most daunting is undoubtedly the cyber threats \nagainst our critical infrastructures.\n    We know that four nations are conducting reconnaissance on \nour utilities, they are penetrating our gas and water systems, \nand also our energy grids. If the ability to send a silent \nattack through our digital networks falls into our enemy's \nhands, this country could be the victim of a devastating \nattack.\n    Yet while threats are imminent, no major cybersecurity \nlegislation has been enacted since 2002. Imagine months without \npower. An attack on our transformers could cripple our power \ngrids and our economy would follow. This is not science \nfiction. It is reality. A report recently released by Mandiant \nconfirmed China is the source of nearly 90 percent of cyber \nattacks against the United States.\n    Most troubling is that these hackers targeted a company \nthat provides remote access to more than 60 percent of North \nAmerica's oil and gas pipelines. 
Hackers have also attacked the \nservers of our air traffic control system, and just last year \nan al-Qaeda operative issued a call for ``electronic jihad'' \nagainst the United States comparing our technological \nvulnerabilities to that of our security before 9/11.\n    Iran and Russia are some of the world's worst offenders. \nLast December Iranians attacked the state-owned Saudi Aramco \nwith the goal of stopping Saudi Arabia's oil production. \nAdditionally this year, Iran conducted multiple denial of \nservice attacks on major U.S. banks. The slide up there \ndemonstrates all of the denial of service attacks that have \nbeen conducted. You can see it is truly a global phenomenon. It \nis a global threat.\n    Unlike 9/11, we have seen the warning signs. But now it is \ntime to act. For us to defend against cyber attacks we must \ndesignate roles for all the key agencies. That is DHS, DOD, and \nthe Justice Department. Each play a critical role defending our \nhomeland against cyber threats and none can do it alone.\n    When DHS was established, the Secretary of DHS was made \nresponsible for coordinating the overall National effort to \nenhance the protection of our critical infrastructure. The \nNational Infrastructure Protection Plan and the recent \nExecutive Order, solidified DHS's role as the lead Federal \nagency in protecting domestic, critical infrastructure.\n    Most importantly, the agencies themselves have agreed that \na framework, where DOJ is the lead for investigation, DHS is \nthe lead for protection, and DOD the lead for defense. This \nwould allow each department to concentrate on their core \nmission with, as General Alexander once said, DHS is the entry \npoint for working with the industry.\n    In order to fulfill this role, as a civilian command \ncenter, DHS has been building its partnership with the private \nsector and growing its capability as an effective conduit for \nthreat information sharing. 
DHS manages a bottom-up network of \nentities from local first responders to Nation-wide threat \nanalysis and emergency response centers like the National \nCybersecurity & Communications Integration Center or the NCCIC.\n    The Department possesses the ability to provide real-time \ninformation necessary for instant threat detection and to share \nemerging threat information to enable industry to act \nimmediately to safeguard critical infrastructure. Additionally \nDHS has a well-developed Privacy Office to protect Americans' \nprivacy and civil liberties.\n    While the Department has made great progress, there are \nareas for further improvement across the board when dealing \nwith cyber threats. Legal barriers, regulatory uncertainty, and \na lack of resources remain challenges. Additionally there is \nnot enough private-sector participation in the programs that \nare already in place because they either don't have the \nresources, or don't see the value in doing so.\n    Congress has the ability and the obligation to help fix \nthese problems. For us to thwart attacks we must build upon the \nExecutive branch's efforts and work with all stakeholders to \nfind a consensus necessary to protect this country. As part of \nthis commitment, the Continuing Resolution recently passed by \nthe House includes an increase of $282 million for \ncybersecurity over fiscal year 2012.\n    Hearings like the one today will help guide the legislative \nprocess. I have made it clear from the first day as Chairman in \nthis Congress, that cybersecurity be the highest legislative \npriority in this Congress. I look forward to listening to all \nthe witnesses about what works, what doesn't, and what we can \ndo to streamline our cyber defenses.\n    One of the primary lessons from 9/11 is that only by \nworking together can we detect and deter our enemies. In the \nwake of that tragedy, the walls prevented agencies from sharing \nthreat information which became very apparent. 
We cannot allow \nturf battles to hinder us from developing the defenses \nnecessary to prevent cyber attacks. The threat is real and this \ntime we see it coming.\n    [The statement of Chairman McCaul follows:]\n                Statement of Chairman Michael T. McCaul\n                             March 13, 2013\n    I would like to thank all of our witnesses for testifying today. \nDeputy Secretary Lute is testifying for the Department but I look \nforward to seeing Secretary Napolitano in the coming weeks to discuss \nDHS' budget and its plan to maintain operations during these \nchallenging times.\n    The chart on the screen depicts the roles of each major agency \nprotecting our Nation from cyber attacks. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    The significance of this agreed-upon relationship to our National \nsecurity is paramount. Each and every agency depicted understands their \nroles and responsibilities, working in tandem to keep America safe.\n    The purpose of this hearing is to examine the Department of \nHomeland Security's (DHS) role, capabilities, and challenges concerning \ncybersecurity. There are many issues facing the Department.\n    Today's hearing is an opportunity to focus on the cyber threats \nfacing our homeland and how together, we can defend against them.\n    Cyber attacks come in all forms. America is the victim of cyber \nespionage. Countries steal our military and intelligence information. \nThere are threats of cyber-warfare from terrorists, and economic cyber \nattacks from Iran and China. These countries are stealing our trade \nsecrets and intellectual property. 
The most daunting is undoubtedly the \ncyber threats against our critical infrastructure.\n    We know that foreign nations are conducting reconnaissance on our \nutilities--they are penetrating our gas and water systems and also our \nenergy grids--and if the ability to send a silent attack through our \ndigital networks falls into our enemies' hands, this country could be \nthe victim of a devastating attack.\n    Yet while threats are imminent, no major cybersecurity legislation \nhas been enacted since 2002.\n    Imagine months without power. An attack on our transformers could \ncripple our power grids and our economy would follow. This is not \nscience fiction; it is reality. A report recently released by Mandiant \nconfirmed China is the source of nearly 90% of cyber attacks against \nthe United States. Most troubling is that these hackers targeted a \ncompany that provides remote access to more than 60% of North America's \noil and gas pipelines.\n    Hackers have also attacked the servers of our Air Traffic Control \nSystem, and just last year, an al-Qaeda operative issued a call for \n``electronic jihad'' against the United States--comparing our \ntechnological vulnerabilities to that of our security before 9/11.\n    Iran and Russia are some of the world's worst offenders. Last \nDecember, Iranians attacked the state-owned Saudi Aramco, with the goal \nof stopping Saudi Arabia's oil production. Additionally, this year Iran \nconducted multiple denial of service attacks on major U.S. banks.\n    Unlike 9/11, we have seen the warning signs--now it is time to act. \nFor us to defend against cyber attacks we must designate roles for all \nof the key agencies--DHS, DoD, and the Justice Department. 
Each play a \ncrucial role defending our homeland against cyber threats and none can \ndo it alone.\n    When DHS was established, the Secretary of DHS was made responsible \nfor ``coordinating the overall National effort to enhance the \nprotection of our critical infrastructure.''\n    The National Infrastructure Protection Plan (NIPP) and the recent \nExecutive Order solidified DHS' role as the lead Federal agency in \nprotecting domestic critical infrastructure.\n    Most importantly, the agencies themselves agree that a framework \nwhere DOJ is the lead for investigation, DHS is the lead for protection \nand DoD as the lead for defense would allow each department to \nconcentrate on their core mission with, as General Alexander once said, \n`` . . . DHS as the entry point for working with industry.''\n    In order to fulfill this role as a civilian command center, DHS has \nbeen building its partnerships with the private sector and growing its \ncapacity as an effective conduit for threat information sharing. DHS \nmanages a bottom-up network of entities from local first responders to \nNation-wide threat analysis and emergency response centers like the \nNational Cybersecurity and Communications Integration Center (NCCIC).\n    The Department possesses the ability to provide real-time \ninformation necessary for instant threat detection, and to share \nemerging threat information to enable industry to act immediately to \nsafeguard critical infrastructure. Additionally, DHS has a well-\ndeveloped Privacy Office to protect Americans' privacy and civil \nliberties.\n    While the Department has made great progress, there are areas for \nfurther improvement across the board when dealing with cyber threats. \nLegal barriers, regulatory uncertainty and a lack of resources remain \nchallenges. 
Additionally, there is not enough private-sector \nparticipation in the programs that are already in place, because they \neither don't have the resources or don't see the value in doing so.\n    Congress has the ability and the obligation to help fix these \nproblems. For us to thwart attacks, we must build upon the Executive \nbranch's efforts and work with all stakeholders to find the consensus \nnecessary to protect this country. As part of this commitment, the \nContinuing Resolution recently passed by the House includes an increase \nof $282 million for cybersecurity over fiscal year 2012 levels.\n    Hearings like the one today will help guide the legislative \nprocess. I look forward to listening to all of our witnesses about what \nworks, what doesn't, and what we can do to streamline our cyber \ndefenses.\n    One of the primary lessons from 9/11 is that only by working \ntogether can we detect and deter our enemies. In the wake of that \ntragedy, the walls preventing agencies from sharing threat information \nbecame apparent. We cannot allow turf battles to hinder us from \ndeveloping the defenses necessary to prevent cyber attacks. The threat \nis real, and this time we see it coming. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Chairman McCaul. With that the Chairman now recognizes the \nRanking Minority Member, Mr. Thompson.\n    Mr. Thompson. Thank you very much, Mr. Chairman, for \nholding this very timely hearing today.\n    Each week brings new reports of cyber breaches. Hackers are \nbecoming more sophisticated. 
They are hitting Americans where \nwe live, work, and play at an unprecedented rate and in new and \nvery troubling ways.\n    Last month, President Obama signed an Executive Order \nimproving critical infrastructure cybersecurity that directed \nthe Department of Homeland Security to establish a new \nvoluntary program for critical infrastructure.\n    The issuance of this Executive Order is a positive step \nforward. It has the potential to foster unprecedented \ncollaboration between the Federal Government and the private \nsector on this very difficult homeland security challenge.\n    I look forward to hearing from you, Deputy Secretary Lute, \nabout the Department's central role under this order, as well \nas the progress DHS has made in recent years to build its cyber \ncapabilities.\n    I am also looking forward to hearing from representatives \nof critical infrastructure sectors that are joining us today \nabout the importance of fostering a close working relationship \nbetween industry and the Federal Government.\n    At my urging, Ms. Richardson of the American Civil \nLiberties Union is here to help us think about how we can \nprotect that relationship in a way that protects the privacy \nand civil liberties of all Americans.\n    While the issuance of the Executive Order is a welcome \ndevelopment, it will take legislative action to fully address \ncyber threats and vulnerabilities to critical infrastructure.\n    I appreciate what the Chairman has said about his desire to \nfocus on cybersecurity this Congress. But as we saw in the \n112th Congress, simply wanting to pass cybersecurity \nlegislation is not sufficient.\n    Mr. Chairman, I know you share my desire to authorize DHS's \ncybersecurity programs and bolster our Nation's ability to ward \noff attacks to critical infrastructure. 
However, I am afraid \nthat some of our colleagues in the House have not seen the \nlight.\n    Hopefully the testimony we receive today will help this \ncommittee make the case for moving cybersecurity legislation to \nthe House floor. Even as we begin work on our bill, we must not \nlose sight of the need to defend, pursue, and exercise our \njurisdiction.\n    Recently, another committee introduced cyber legislation, \nH.R. 624, which is expected to see action on the House floor in \nApril. That bill, for the first time, would authorize the \nDepartment's National cybersecurity and communications \nintegrations center, but the Speaker did not refer the bill to \nthis committee.\n    Last week, I, along with Ranking Member Clarke, sent you a \nletter urging you to insist upon a referral of the bill. Our \nMembers deserve the opportunity to consider the Cyber \nIntelligence Sharing and Protection Act before it goes to the \nfull House.\n    With that, Mr. Chairman, I ask unanimous consent that our \nletter to you be inserted into the record.\n    Chairman McCaul. Without objection, so ordered.\n    [The information follows:]\n          Letter From Bennie G. Thompson and Yvette D. Clarke\n                                     March 5, 2013.\nThe Honorable Michael T. McCaul,\nChairman, Committee on Homeland Security, H2-176 Ford House Office \n        Building, U.S. House of Representatives, Washington, DC 20515.\nThe Honorable Patrick Meehan,\nChairman, Subcommittee on Cybersecurity, Infrastructure Protection, and \n        Security Technologies, 204 Cannon House Office Building, U.S. \n        House of Representatives, Washington, DC 20515.\n    Dear Chairman McCaul and Subcommittee Chairman Meehan: We write \nregarding H.R. 624, the ``Cyber Intelligence Sharing and Protection \nAct.''\n    As you are aware, H.R. 624 contains numerous provisions within the \nRule X, clause 1(j) jurisdiction of the Committee on Homeland Security. \nSpecifically, H.R. 
624 contains provisions directing the Department of \nHomeland Security's National Cybersecurity and Communications \nIntegration Center to integrate and disseminate homeland security \ninformation and addressing the Government-wide use of cyber threat \ninformation for cybersecurity or the protection of National security. \nDespite these provisions clearly falling within the Committee's \nlegislative jurisdiction, the Speaker chose not to refer the measure to \nthe committee upon introduction.\n    On Friday, March, 1, 2013, the Chairman of the Permanent Select \nCommittee on Intelligence, Representative Mike Rogers of Michigan, was \nquoted as saying that negotiations with the White House on the ``Cyber \nIntelligence Sharing and Protection Act'' are underway and that the \nparties are ``very close'' to agreeing on the role that the Department \nof Homeland Security would play to better defend against cyber \nattacks.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ ``White House, lawmakers resume cybersecurity bill talks,'' \nChicago Tribune at http://articles.chicagotribune.com/2013-03-01/\nbusiness/sns-rt-us-usa-cybersecurity-billbre9200w9-\n20130301_1_cybersecurity-bill-cyber-attacks-rogers.\n---------------------------------------------------------------------------\n    Given that the provisions under discussion with the White House are \nwithin the committee's jurisdiction, it is troubling to learn that the \nleadership of another committee believes it has reached agreement on \nthe parameters of the Department's cybersecurity role.\n    Like you, we have strong views about the criticality of \ncybersecurity to the welfare of our Nation, the role of the Department \nof Homeland Security in that effort, and our committee's obligation to \nplay a central role in shaping cybersecurity policy. That is why we \nfirmly believe that the committee should defend, pursue, and exercise \njurisdiction in this area. 
In light of the Speaker's decision not to \nrefer H.R. 624 to the committee upon introduction, we urge you to \ninsist upon a sequential referral of the measure and afford Members of \nthe committee the opportunity to consider this legislation in an open \nmark-up session.\n    By taking these actions early in the 113th Congress, you will \ndemonstrate your commitment to vigorously defending this committee's \nlegislative jurisdiction and protect this committee's position as a \ncentral player in the cybersecurity arena. Additionally, it will afford \nthe committee, which has conducted extensive oversight and developed \nexpertise in matters of cybersecurity, an opportunity to debate and \ninform the bill.\n    Thank you, in advance, for your attention to this request. Should \nyou or your staff have any questions on this matter, please contact Ms. \nRosaline Cohen, Chief Counsel for Legislation of the Committee on \nHomeland Security[.]\n            Sincerely,\n                                        Bennie G. Thompson,\n                                                    Ranking Member.\n                                          Yvette D. Clarke,\n     Ranking Member, Subcommittee on Cybersecurity, Infrastructure \n                             Protection, and Security Technologies.\n\n    Mr. Thompson. Before I close, I would note that this \nhearing is taking place at a time when the effects of \narbitrary, across-the-board spending cuts are just beginning to \nbe realized.\n    I look forward to hearing from you, Deputy Secretary Lute, \nabout how the sequester and the perpetual uncertainty around \nbudgeting impacts DHS's ability to plan, prioritize, and \nexecute its critical cybersecurity mission.\n    Once again, I would like to thank all of the witnesses for \nbeing here today and I look forward to their testimony. I yield \nback.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. 
Thompson\n                             March 13, 2013\n    Each week brings new reports of cyber breaches. Hackers are \nbecoming more sophisticated. They are hitting Americans where we live, \nwork, and play at an unprecedented rate and in new and very troubling \nways.\n    Last month, President Obama signed an Executive Order entitled \n``Improving Critical Infrastructure Cybersecurity'' that directed the \nDepartment of Homeland Security to establish a new voluntary program \nfor critical infrastructure.\n    The issuance of this Executive Order is a positive step forward. It \nhas the potential to foster unprecedented collaboration between the \nFederal Government and the private sector on this very difficult \nhomeland security challenge.\n    I look forward to hearing from you, Deputy Secretary Lute, about \nthe Department's central role under this order, as well as the progress \nDHS has made in recent years to build its cyber capabilities.\n    I also look forward to hearing from representatives of critical \ninfrastructure sectors that are joining us today about the importance \nof fostering a close working relationship between industry and Federal \nGovernment.\n    At my urging, Ms. Richardson of the American Civil Liberties Union \nis here to help us think about how we can structure that relationship \nin a way that protects the privacy and civil liberties of all \nAmericans.\n    While the issuance of the Executive Order is a welcome development, \nit will take legislative action to fully address cyber threats and \nvulnerabilities to critical infrastructure.\n    I appreciate what the Chairman has said about his desire to focus \non cybersecurity this Congress, but, as we saw in the 112th Congress, \nsimply wanting to pass cybersecurity legislation is not sufficient.\n    Mr. 
Chairman, I know you share my desire to authorize DHS's \ncybersecurity programs and bolster our Nation's ability to ward off \nattacks to critical infrastructure.\n    However, I am afraid that some of our colleagues in the House have \nnot seen the light.\n    Hopefully, the testimony we receive today will help this committee \nmake the case for moving cybersecurity legislation to the House floor.\n    Even as we begin work on our bill, we must not lose sight of the \nneed to defend, pursue, and exercise our jurisdiction.\n    Recently, another committee introduced cyber legislation, H.R. 624, \nwhich is expected to see action in the House in April. That bill, for \nthe first time, would authorize the Department's ``National \nCybersecurity and Communications Integration Center'' but the Speaker \ndid not refer it to this committee.\n    Last week, I, along with the Ranking Member Clarke, sent you a \nletter urging you to insist upon a referral of that bill. Our Members \ndeserve the opportunity to consider the Cyber Intelligence Sharing and \nProtection Act before it goes to the full House.\n    Before I close, I would note that this hearing is taking place at a \ntime when the effects of arbitrary, across-the-board spending cuts are \njust beginning to be realized. I look forward to hearing from you, \nDeputy Secretary Lute, about how the sequester and the perpetual \nuncertainty around budgeting impacts DHS' ability to plan, prioritize, \nand execute its critical cybersecurity mission.\n\n    Chairman McCaul. 
I thank the Ranking Member and I also \nshare in your commitment to marking up a cyber bill and getting \nit on the floor, passed by the House, Senate, and signed into \nlaw by the President.\n    I would also, again, note that, concerning the budget \nresolution, the House actually included an increase of over \n$282 million for cybersecurity and I think that is a positive \nstep forward in this mission.\n    Other Members are reminded that opening statements may be \nsubmitted for the record. We are pleased to have two panels of \ndistinguished witnesses.\n    The first would be the Honorable Jane Lute, deputy \nsecretary of the Department of Homeland Security. Dr. Lute came \nto this position in 2009 with over 30 years of military and \nsenior executive experience in the United States Government, \nincluding service at the United Nations and the National \nSecurity Council.\n    The deputy's full written statement will appear in the \nrecord. The Chairman now recognizes Deputy Secretary Lute for 5 \nminutes for an opening statement.\n\nSTATEMENT OF HON. JANE HOLL LUTE, DEPUTY SECRETARY, DEPARTMENT \n                      OF HOMELAND SECURITY\n\n    Ms. Lute [continuing]. 
Ensuring the Nation's cybersecurity \nis an integral part of the DHS mission, which is to help create \na safe, secure, resilient place where the American way of life \ncan thrive.\n    Four years ago, in the QHSR, the Quadrennial Homeland \nSecurity Review commissioned by Congress, we called out five \nessential missions in order to perform our role: Preventing \nterrorism, securing our borders, administering and enforcing \nour immigration laws, building National resilience, and \nensuring the Nation's cybersecurity.\n    Cyberspace has become the very endoskeleton of modern life, \nand while this connectivity has led to transformations and \nadvances around the world, it has also increased our shared \nrisk.\n    DHS is responsible for securing unclassified, Federal \ncivilian agency networks and for working with owners and \noperators of critical infrastructure to help them secure their \nnetworks. We coordinate the National response to significant \ncyber-incidents and create and maintain a common operational \npicture for cyberspace across the Government.\n    On a minute-by-minute basis, 24 by 7, our cyber teams \nconfront the dangerous combination--excuse me--of known and \nunknown cyber vulnerabilities and adversaries across the globe \nwith strong and expanding capabilities.\n    We face denial-of-service attacks, the theft of valuable \ntrade secrets, intrusions against Government networks, and \nattempts against the systems that control critical \ninfrastructure.\n    To protect Federal networks, DHS deploys technology to \ndetect and block cyber intrusions, develop continuous \ndiagnostics and mitigation for agency systems and provide \nguidance to agencies so that they can protect themselves.\n    We also work closely with owners and operators of critical \ninfrastructure to strengthen their facilities by sharing risk \nand threat information through on-site risk assessment, \nmitigation, and incident response.\n    DHS is home to the National 
Cybersecurity & Communications \nIntegration Center, the NCCIC, which many of you have seen, our \n'round-the-clock cyber situational awareness and incident \nresponse hub.\n    Over the past 4 years, the NCCIC has responded to nearly \nhalf-a-million incidents and released more than 26,000 \nactionable cybersecurity alerts to public and private-sector \npartners.\n    Last year, our U.S. Computer Emergency Readiness Team, US-\nCERT, resolved approximately 190,000 cyber incidents and issued \n7,500 alerts, a 68 percent increase over 2011. Our Industrial \nControl Systems Cyber Emergency Response Team responded to 177 \nincidents, while completing 89 site visits and deploying 15 \nteams to respond to significant private-sector incidents.\n    We partnered closely with the Departments of Justice and \nDefense to ensure, as the Chairman said, that a call to one is \na call to all, mobilizing all of the resources of the Federal \nGovernment in partnership to prevent and respond, when \nnecessary, rapidly to cyber incidents.\n    While each agency operates within the parameters of its \nauthorities, our overall Federal response to cyber incidents of \nconsequence is coordinated among the three of us. This \nsynchronization ensures that all of our capabilities are \nbrought to bear against cyber threats.\n    But while our accomplishments are significant, we need the \nhelp of Congress, by enacting a suite of comprehensive \ncybersecurity legislative measures. In the interim, last month \nthe President took the executive action within current \nauthorities and established the Executive Order.\n    This Executive Order on improving critical infrastructure \ncybersecurity supports enhanced sharing of cyber threat \ninformation with the private sector. 
It also directs DHS to \ndevelop a voluntary program to promote the adoption of a \ncybersecurity framework for critical infrastructure and to \nassist the private sector in its implementation.\n    At the same time, a policy directive on critical \ninfrastructure security and resilience strengthens our ability \nto share information about how critical infrastructure systems \nare functioning and the consequence of failures.\n    These documents reflect input from stakeholders of all \nviewpoints across Government, industry, and the advocacy \ncommunity. They include rigorous protections for individual \nprivacy and civil liberties.\n    Mr. Chairman, the American people expect us to secure the \ncountry from the growing threats posed in cyberspace and to \nensure that the critical infrastructure of this country is \nprotected. We look forward to working with this committee and \nwith Congress to ensure that we continue to do everything \npossible to keep the Nation safe and secure.\n    Thank you very much.\n    [The prepared statement of Ms. Lute follows:]\n                  Prepared Statement of Jane Holl Lute\n                             March 13, 2013\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee: I am pleased to join you today, and I thank the committee \nfor your strong support for the Department of Homeland Security (DHS) \nover the past 4 years and, indeed, since the Department's founding 10 \nyears ago.\n    I can think of no more urgent and important topic in today's \ninterconnected world than cybersecurity, and I appreciate the \nopportunity to explain the Department's mission in this space and how \nwe continue to improve cybersecurity for the American people as well as \nwork to safeguard the Nation's critical infrastructure and protect the \nFederal Government's networks.\n                        current threat landscape\n    Cyberspace is woven into the fabric of our daily lives. 
According \nto recent estimates, this global network of networks encompasses more \nthan 2 billion people with at least 12 billion computers and devices, \nincluding global positioning systems, mobile phones, satellites, data \nrouters, ordinary desktop computers, and industrial control computers \nthat run power plants, water systems, and more.\n    While this increased connectivity has led to significant \ntransformations and advances across our country--and around the world--\nit also has increased the importance and complexity of our shared risk. \nOur daily life, economic vitality, and National security depend on \ncyberspace. A vast array of interdependent IT networks, systems, \nservices, and resources are critical to communication, travel, powering \nour homes, running our economy, and obtaining Government services. No \ncountry, industry, community, or individual is immune to cyber risks. \nThe word ``cybersecurity'' itself encompasses protection against a \nbroad range of malicious activity, from denial-of-service attacks, to \ntheft of valuable trade secrets, to intrusions against Government \nnetworks and systems that control our critical infrastructure.\n    The United States confronts a dangerous combination of known and \nunknown vulnerabilities in cyberspace and strong and rapidly expanding \nadversary capabilities. Cyber crime has also increased significantly \nover the last decade. Sensitive information is routinely stolen from \nboth Government and private-sector networks, undermining the integrity \nof the data contained within these systems. We currently see malicious \ncyber activity from foreign nations engaged in espionage and \ninformation warfare, terrorists, organized crime, and insiders. 
Their \nmethods range from distributed denial-of-service (DDoS) attacks and \nsocial engineering to viruses and other malware introduced through \nthumb drives, supply chain exploitation, and leveraging trusted \ninsiders' access.\n    We have seen motivations for attacks vary from espionage by foreign \nintelligence services to criminals seeking financial gain and hackers \nwho may seek bragging rights in the hacker community. Industrial \ncontrol systems are also targeted by a variety of malicious actors who \nare usually intent on damaging equipment and facilities or stealing \ndata. Foreign actors are also targeting intellectual property with the \ngoal of stealing trade secrets or other sensitive corporate data from \nU.S. companies in order to gain an unfair competitive advantage in the \nglobal market.\n    Cyber attacks and intrusions can have very real consequences in the \nphysical world. Last year, DHS identified a campaign of cyber \nintrusions targeting natural gas and pipeline companies that was highly \ntargeted, tightly focused and well crafted. Stolen information could \nprovide an attacker with sensitive knowledge about industrial control \nsystems, including information that could allow for unauthorized \noperation of the systems. As the President has said, we know that our \nadversaries are seeking to sabotage our power grid, our financial \ninstitutions, and our air traffic control systems. These intrusions and \nattacks are coming all the time and they are coming from different \nsources and take different forms, all the while increasing in \nseriousness and sophistication.\n    The U.S. Government has worked closely with the private sector \nduring the recent series of denial-of-service incidents. We have \nprovided classified cyber threat briefings and technical assistance to \nhelp banks improve their defensive capabilities and we have increased \nsharing and coordination among the various Government elements in this \narea. 
These developments reinforce the need for Government, industry, \nand individuals to reduce the ability for malicious actors to establish \nand maintain capabilities to carry out such efforts.\n    In addition to these sophisticated attacks and intrusions, we also \nface a range of traditional crimes that are now perpetrated through \ncyber networks. These include child pornography and exploitation, as \nwell as banking and financial fraud, all of which pose severe economic \nand human consequences. For example, in March 2012, the U.S. Secret \nService (USSS) worked with U.S. Immigration and Customs Enforcement \n(ICE) to arrest nearly 20 individuals in its ``Operation Open Market,'' \nwhich seeks to combat transnational organized crime, including the \nbuying and selling of stolen personal and financial information through \non-line forums. As Americans become more reliant on modern technology, \nwe also become more vulnerable to cyber exploits such as corporate \nsecurity breaches, social media fraud, and spear phishing, which \ntargets employees through emails that appear to be from colleagues \nwithin their own organizations, allowing cyber criminals to steal \ninformation.\n    Cybersecurity is a shared responsibility, and each of us has a role \nto play. Emerging cyber threats require the engagement of our entire \nsociety--from Government and law enforcement to the private sector and, \nmost importantly, members of the public. The key question, then, is how \ndo we address this problem? This is not an easy question because \ncybersecurity requires a layered approach. 
The success of our efforts \nto reduce cybersecurity risks depends on effective identification of \ncyber threats and vulnerabilities, analysis, and enhanced information \nsharing between departments and agencies from all levels of government, \nthe private sector, international entities, and the American public.\n                  roles, responsibilities, activities\n    DHS is committed to ensuring cyberspace is supported by a secure \nand resilient infrastructure that enables open communication, \ninnovation, and prosperity while protecting privacy, confidentiality, \nand civil rights and civil liberties by design.\nSecuring Federal Civilian Government Networks\n    DHS has operational responsibilities for securing unclassified \nFederal civilian government networks and working with owners and \noperators of critical infrastructure to secure their networks through \ncyber threat analysis, risk assessment, mitigation, and incident \nresponse capabilities. We also are responsible for coordinating the \nNational response to significant cyber incidents and for creating and \nmaintaining a common operational picture for cyberspace across the \nGovernment.\n    DHS directly supports Federal civilian departments and agencies in \ndeveloping capabilities that will improve their cybersecurity posture \nin accordance with the Federal Information Security Management Act \n(FISMA). 
To protect Federal civilian agency networks, our National \nProtection and Programs Directorate (NPPD) is deploying technology to \ndetect and block intrusions through the National Cybersecurity \nProtection System and its EINSTEIN protective capabilities, while \nproviding guidance on what agencies need to do to protect themselves \nand measuring implementation of those efforts.\n    NPPD is also developing a Continuous Monitoring as a Service \ncapability, which will result in an array of sensors that feed data \nabout an agency's cybersecurity risk and present those risks in an \nautomated and continuously-updated dashboard visible to technical \nworkers and managers to enhance agencies' ability to see and counteract \nday-to-day cyber threats. This capability will support compliance with \nadministration policy, be consistent with guidelines set forth by the \nNational Institute of Standards and Technology (NIST), and enable \nFederal agencies to move from compliance-driven risk management to \ndata-driven risk management. These activities will provide \norganizations with information necessary to support risk response \ndecisions, security status information, and on-going insight into \neffectiveness of security controls.\nProtecting Critical Infrastructure\n    Critical infrastructure is the backbone of our country's National \nand economic security. It includes power plants, chemical facilities, \ncommunications networks, bridges, highways, and stadiums, as well as \nthe Federal buildings where millions of Americans work and visit each \nday. DHS coordinates the National protection, prevention, mitigation, \nand recovery from cyber incidents and works regularly with business \nowners and operators to take steps to strengthen their facilities and \ncommunities. 
The Department also conducts on-site risk assessments of \ncritical infrastructure and shares risk and threat information with \nState, local, and private-sector partners.\n    Protecting critical infrastructure against growing and evolving \ncyber threats requires a layered approach. DHS actively collaborates \nwith public and private sector partners every day to improve the \nsecurity and resilience of critical infrastructure while responding to \nand mitigating the impacts of attempted disruptions to the Nation's \ncritical cyber and communications networks and to reduce adverse \nimpacts on critical network systems.\n    DHS enhances situational awareness among stakeholders, including \nthose at the State and local level, as well as industrial control \nsystem owners and operators, by providing critical cyber threat, \nvulnerability, and mitigation data, including through Information \nSharing and Analysis Centers, which are cybersecurity resources for \ncritical infrastructure sectors. DHS is also home to the National \nCybersecurity & Communications Integration Center (NCCIC), a 24x7 cyber \nsituational awareness, incident response, and management center that is \na National nexus of cyber and communications integration for the \nFederal Government, intelligence community, and law enforcement.\nResponding to Cyber Threats\n    DHS is responsible for coordinating the Federal Government response \nto significant cyber or physical incidents affecting critical \ninfrastructure. Since 2009, the NCCIC has responded to nearly half a \nmillion incident reports and released more than 26,000 actionable \ncybersecurity alerts to our public and private-sector partners. 
The DHS \nOffice of Intelligence and Analysis is a key partner in NCCIC \nactivities, providing tailored all-source cyber threat intelligence and \nwarning to NCCIC components and public and private critical \ninfrastructure stakeholders to prioritize risk analysis and mitigation.\n    An integral player within the NCCIC, the U.S. Computer Emergency \nReadiness Team (US-CERT) also provides response support and defense \nagainst cyber attacks for Federal civilian agency networks as well as \nprivate-sector partners upon request. US-CERT collaborates and shares \ninformation with State and local government, industry, and \ninternational partners, consistent with rigorous privacy, \nconfidentiality, and civil liberties guidelines, to address cyber \nthreats and develop effective security responses. In 2012, US-CERT \nprocessed approximately 190,000 cyber incidents involving Federal \nagencies, critical infrastructure, and our industry partners. This \nrepresents a 68 percent increase from 2011. In addition, US-CERT issued \nover 7,455 actionable cyber-alerts in 2012 that were used by private-\nsector and Government agencies to protect their systems, and had over \n6,400 partners subscribe to the US-CERT portal to engage in information \nsharing and receive cyber threat warning information.\n    The Department's Industrial Control Systems Cyber Emergency \nResponse Team (ICS-CERT) also responded to 177 incidents last year \nwhile completing 89 site assistance visits and deploying 15 teams with \nUS-CERT to respond to significant private-sector cyber incidents. 
DHS \nalso empowers owners and operators through a cyber self-evaluation \ntool, which was used by over 1,000 companies last year, as well as in-\nperson and on-line training sessions.\n    Successful response to dynamic cyber threats requires leveraging \nhomeland security, law enforcement, and military authorities and \ncapabilities, which respectively promote domestic preparedness, \ncriminal deterrence and investigation, and National defense. DHS, the \nDepartment of Justice (DOJ), and the Department of Defense (DOD) each \nplay a key role in responding to cybersecurity incidents that pose a \nrisk to the United States. In addition to the aforementioned \nresponsibilities of our Department, DOJ is the lead Federal department \nresponsible for the investigation, attribution, disruption, and \nprosecution of domestic cybersecurity incidents while DOD is \nresponsible for securing National security and military systems as well \nas gathering foreign cyber threat information and defending the Nation \nfrom attacks in cyberspace. DHS supports our partners in many ways. For \nexample, the United States Coast Guard as an Armed Force has partnered \nwith U.S. Cyber Command and U.S. Strategic Command to conduct military \ncyberspace operations.\n    While each agency operates within the parameters of its \nauthorities, the U.S. 
Government's response to cyber incidents of \nconsequence is coordinated among these three agencies such that ``a \ncall to one is a call to all.'' Synchronization among DHS, DOJ, and DOD \nnot only ensures that whole-of-Government capabilities are brought to \nbear against cyber threats, but also improves Government's ability to \nshare timely and actionable cybersecurity information among a variety \nof partners, including the private sector.\nCombating Cyber Crime\n    DHS employs more law enforcement agents than any other Department \nin the Federal Government and has personnel stationed in every State \nand in more than 75 countries around the world. To combat cyber crime, \nDHS relies upon the skills and resources of the USSS and ICE and works \nin cooperation with partner organizations to investigate cyber \ncriminals. Since 2009, DHS has prevented $10 billion in potential \nlosses through cyber crime investigations and arrested more than 5,000 \nindividuals for their participation in cyber crime activities.\n    The Department leverages the 31 USSS Electronic Crimes Task Forces \n(ECTF), which combine the resources of academia, the private sector, \nand local, State, and Federal law enforcement agencies to combat \ncomputer-based threats to our financial payment systems and critical \ninfrastructure. A recently executed partnership between ICE Homeland \nSecurity Investigations and USSS demonstrates the Department's \ncommitment to leveraging capability and finding efficiencies. Both \norganizations will expand participation in the existing ECTFs. In \naddition to strengthening each agency's cyber investigative \ncapabilities, this partnership will produce benefits with respect to \nthe procurement of computer forensic hardware, software licensing, and \ntraining that each agency requires. 
The Department is also a partner in \nthe National Cyber Investigative Joint Task Force, which serves as a \ncollaborative entity that fosters information sharing across the \ninteragency.\n    We work with a variety of international partners to combat cyber \ncrime. For example, through the U.S.-E.U. Working Group on \nCybersecurity and Cybercrime, which was established in 2010, we develop \ncollaborative approaches to a wide range of cybersecurity and cyber \ncrime issues. In 2011, DHS participated in the Cyber Atlantic tabletop \nexercise, a U.S.-E.U. effort to enhance international collaboration of \nincident management and response, and in 2012, DHS and the European \nUnion signed a joint statement that advances transatlantic efforts to \nenhance on-line safety for children. ICE also works with international \npartners to seize and destroy counterfeit goods and disrupt websites \nthat sell these goods. Since 2010, ICE and its partners have seized \nover 2,000 domain names associated with businesses selling counterfeit \ngoods over the internet. To further these efforts, the administration \nissued its Strategy on Mitigating the Theft of U.S. Trade Secrets last \nmonth. DHS will act vigorously to support the Strategy's efforts to \ncombat the theft of U.S. trade secrets--especially in cases where trade \nsecrets are targeted through illicit cyber activity by criminal \nhackers.\n    In addition, the National Computer Forensic Institute has trained \nmore than 1,000 State and local law enforcement officers since 2009 to \nconduct network intrusion and electronic crimes investigations and \nforensic functions. 
Several hundred prosecutors and judges as well as \nrepresentatives from the private sector have also received training on \nthe impact of network intrusion incident response, electronic crimes \ninvestigations, and computer forensics examinations.\nBuilding Partnerships\n    DHS serves as the focal point for the Government's cybersecurity \noutreach and awareness efforts. Raising the cyber education and \nawareness of the general public creates a more secure environment in \nwhich the private or financial information of individuals is better \nprotected. For example, the Multi-State Information Sharing and \nAnalysis Center (MS-ISAC) opened its Cyber Security Operations Center \nin November 2010, which has enhanced NCCIC situational awareness at the \nState and local government level and allows the Federal Government to \nquickly and efficiently provide critical cyber threat, risk, \nvulnerability, and mitigation data to State and local governments. MS-\nISAC has since grown to include all 50 States, three U.S. territories, \nthe District of Columbia, and more than 200 local governments.\n    The Department also has established close working relationships \nwith industry through partnerships like the Protected Critical \nInfrastructure Information (PCII) Program, which enhances voluntary \ninformation sharing between infrastructure owners and operators and the \nGovernment. The Cyber Information Sharing and Collaboration Program \nestablished a systematic approach to cyber threat information sharing \nand collaboration between critical infrastructure owners and operators \nacross the various sectors. 
And, in 2010, we launched a National \ncampaign called ``Stop.Think.Connect'' to spread public awareness about \nhow to keep our cyber networks safe.\n    In addition, DHS works closely with international partners to \nenhance information sharing, increase situational awareness, improve \nincident response capabilities, and coordinate strategic policy issues \nin support of the administration's International Strategy for \nCyberspace. For example, the Department has fostered international \npartnerships in support of capacity building for cybersecurity through \nagreements with Computer Emergency Response and Readiness Teams as well \nas the DHS Science & Technology Directorate (S&T). Since 2009, DHS has \nestablished partnerships with Australia, Canada, Egypt, India, Israel, \nthe Netherlands, and Sweden.\nFostering Innovation\n    The Federal Government relies on a variety of stakeholders to \npursue effective research and development projects that address \nincreasingly sophisticated cyber threats. This includes research and \ndevelopment activities by the academic and scientific communities to \ndevelop capabilities that protect citizens by enhancing the resilience, \nsecurity, integrity, and accessibility of information systems used by \nthe private sector and other critical infrastructure. DHS supports \nCenters of Academic Excellence around the country to cultivate a \ngrowing number of professionals with expertise in various disciplines, \nincluding cybersecurity.\n    DHS S&T is leading efforts to develop and deploy more secure \ninternet protocols that protect consumers and industry internet users. \nWe continue to support leap-ahead research and development, targeting \nrevolutionary techniques and capabilities that can be deployed over the \nnext decade with the potential to redefine the state of cybersecurity \nin response to the Comprehensive National Cybersecurity Initiative. 
For \nexample, DHS was a leader in the development of protocols at the \nInternet Engineering Task Force called Domain Name System Security \nExtensions (DNSSEC). DNSSEC is necessary to protect internet users from \nbeing covertly redirected to malicious websites and helps prevent \ntheft, fraud, and abuse on-line by blocking bogus page elements and \nflagging pages whose Domain Name System (DNS) identity has been \nhijacked. S&T is also driving improvements through a Transition to \nPractice Program as well as liability and risk management protections \nprovided by the Support Anti-Terrorism by Fostering Effective \nTechnology (SAFETY) Act that promote cybersecurity technologies and \nencourage their transition into successful use.\nGrowing and Strengthening our Cyber Workforce\n    We know it only takes a single infected computer to potentially \ninfect thousands and perhaps millions of others. But at the end of the \nday, cybersecurity is ultimately about people. The most impressive and \nsophisticated technology is worthless if it's not operated and \nmaintained by informed and conscientious users.\n    To help us achieve our mission, we have created a number of \ncompetitive scholarship, fellowship, and internship programs to attract \ntop talent. We are growing our world-class cybersecurity workforce by \ncreating and implementing standards of performance, building and \nleveraging a cybersecurity talent pipeline with secondary and post-\nsecondary institutions Nation-wide, and institutionalizing an \neffective, on-going capability for strategic management of the \nDepartment's cybersecurity workforce. 
Congress can support this effort \nby pursuing legislation that provides DHS with the hiring and pay \nflexibilities we need to secure Federal civilian networks, protect \ncritical infrastructure, respond to cyber threats, and combat cyber \ncrime.\n                        recent executive actions\n    As discussed above, America's National security and economic \nprosperity are increasingly dependent upon the cybersecurity of \ncritical infrastructure. With today's physical and cyber infrastructure \ngrowing more inextricably linked, critical infrastructure and emergency \nresponse functions are inseparable from the information technology \nsystems that support them. The Government's role in this effort is to \nshare information and encourage enhanced security and resilience, while \nidentifying and addressing gaps not filled by the marketplace.\n    Last month, President Obama issued Executive Order 13636 on \nImproving Critical Infrastructure Cybersecurity as well as Presidential \nPolicy Directive 21 on Critical Infrastructure Security and Resilience, \nwhich will strengthen the security and resilience of critical \ninfrastructure through an updated and overarching National framework \nthat acknowledges the increased role of cybersecurity in securing \nphysical assets.\nDHS Responsibilities\n    The President's actions mark an important milestone in the \nDepartment's on-going efforts to coordinate the National response to \nsignificant cyber incidents while enhancing the efficiency and \neffectiveness of our work to strengthen the security and resilience of \ncritical infrastructure. The Executive Order supports more efficient \nsharing of cyber threat information with the private sector and directs \nNIST to develop a Cybersecurity Framework to identify and implement \nbetter security practices among critical infrastructure sectors. 
The \nExecutive Order directs DHS to establish a voluntary program to promote \nthe adoption of the Cybersecurity Framework in conjunction with Sector-\nSpecific Agencies and to work with industry to assist companies in \nimplementing the framework.\n    The Executive Order also expands the voluntary DHS Enhanced \nCybersecurity Service program, which promotes cyber threat information \nsharing between Government and the private sector. This engagement \nhelps critical infrastructure entities protect themselves against cyber \nthreats to the systems upon which so many Americans rely. This program \nis a good example of information sharing with confidentiality, privacy, \nand civil liberties protections built into its structure. DHS will \nshare with appropriately-cleared private-sector cybersecurity providers \nthe same threat indicators that we rely on to protect the .gov domain. \nThose providers will then be free to contract with critical \ninfrastructure entities and provide cybersecurity services comparable \nto those provided to the U.S. Government.\n    Through the Executive Order, the President also directed agencies \nto incorporate privacy, confidentiality, and civil liberties \nprotections. It specifically instructs DHS to issue a public report on \nactivities related to implementation, which would therefore enhance the \nexisting privacy policy, compliance, and oversight programs of DHS and \nthe other agencies.\n    In addition, the Presidential Policy Directive directs the \nExecutive branch to strengthen our capability to understand and \nefficiently share information about how well critical infrastructure \nsystems are functioning and the consequences of potential failures. It \nalso calls for a comprehensive research and development plan for \ncritical infrastructure to guide the Government's effort to enhance \nmarket-based innovation.\n    Because the vast majority of U.S. 
critical infrastructure is owned \nand operated by private companies, reducing the risk to these vital \nsystems requires a strong partnership between Government and industry. \nThere is also a role for State, local, Tribal, and territorial \ngovernments who own a significant portion of the Nation's critical \ninfrastructure. In developing these documents, the administration \nsought input from stakeholders of all viewpoints in industry, \nGovernment, and the advocacy community.\n    Their input has been vital in crafting an order that incorporates \nthe best ideas and lessons learned from public and private-sector \nefforts while ensuring that our information sharing incorporates \nrigorous protections for individual privacy, confidentiality, and civil \nliberties. Indeed, as we perform all of our cyber-related work, we are \nmindful of the need to protect privacy, confidentiality, and civil \nliberties. The Department has implemented strong privacy and civil \nrights and civil liberties standards into all its cybersecurity \nprograms and initiatives from the outset. To accomplish the integrated \nimplementation of these two directives, DHS has established an \nInteragency Task Force made up of representatives from across all \nlevels of government.\n                    continuing need for legislation\n    It is important to note that the Executive Order directs Federal \nagencies to work within current authorities and increase voluntary \ncooperation with the private sector to provide better protection for \ncomputer systems critical to our National and economic security. It \ndoes not grant new regulatory authority or establish additional \nincentives for participation in a voluntary program. 
We continue to
believe that a suite of legislation is necessary to implement the full
range of steps needed to build a strong public-private partnership, and
we will continue to work with Congress to achieve this.
    The administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account 2 years of public and Congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy, confidentiality, and civil
liberties safeguards into all aspects of cybersecurity; strengthen our
critical infrastructure's cybersecurity by further increasing
information sharing and promoting the establishment and adoption of
standards for critical infrastructure; give law enforcement additional
tools to fight crime in the digital age; and create a National Data
Breach Reporting requirement.
                               conclusion
    The American people expect us to secure the country from the
growing danger of cyber threats and ensure the Nation's critical
infrastructure is protected. The threats to our cybersecurity are real,
they are serious, and they are urgent.
    I look forward to working with this committee and the Congress to
ensure we continue to take every step necessary to protect cyber space,
in partnership with government at all levels, the private sector, and
the American people, and continue to build greater resiliency into
critical cyber networks and systems.
    I appreciate this committee's guidance and support as together we
work to keep our Nation safe. Thank you, again, for the attention you
are giving to this urgent matter.


    Chairman McCaul. I thank the Secretary and I now recognize
myself for 5 minutes for questions.
    Let me say first, Dr.
Lute, how much I enjoyed visiting the
NCCIC and our conversation out there and our visit. I would
encourage all Members to the extent you haven't been out there
to the cyber command center at DHS that you do so.
    I think it is a very valuable experience as we move forward
towards marking up a bill and getting it on the House floor. I
think the Member education process is extremely important in
moving forward to protecting the Nation from this very
dangerous threat.
    You know, we hear every day about attacks from China, the
Mandiant report, or military systems, Russia, very
sophisticated, Iran--one of the latest ones was particularly
disturbing when you hear about a rogue nation like Iran hacking
into Aramco's computer systems, 30,000 computers--hard drives
erased.
    At the same time, a simultaneous attack against our major
financial sector. We will hear from the financial sector in the
second panel. In fact, JPMorgan was a victim just yesterday.
    This is a serious concern. An attack like the one on Aramco
and our financial sector could have been extremely chaotic and
cause major disruption and destruction.
    I wanted to say, in the limited time I have, I am very
impressed that, in spite of Congress's failure to act, that
you, that the Secretary, that General Alexander with the NSA
and Director Mueller with the FBI have come together to
actually reach out in a workable arrangement and as I think we
look forward to crafting legislation, this is a model that I
think it provides a good first step in terms of what kind of
legislation we are going to mark up on this committee.
    I know you referred to threat information almost like a
phonebook, you said the Manhattan phonebook, I know you are
from New York. But a piece of it in NSA's domain, a piece of it
within DHS, you know NSA's more foreign classified threat, DHS
threat information, FBI.
But what we don't really fail to
realize is that majority of this threat information actually
resides in the private sector with the critical infrastructures
out there.
    So I think the goal is how do we create a safe harbor, if
you will, where all of these entities can come together and
share this threat information in real time, so we can protect
not only the interest of the Federal Government but also the
critical infrastructures that are out there.
    I know you and I talked about the idea of having
representatives from the ISACs, the Information Sharing
Analysis Centers, as a full participant on the NCCIC and
forward, I think that will be a--certainly a worthwhile goal to
pursue.
    So with that, let me just turn it over to you in the little
bit of time I have and maybe explain this model, how y'all came
up with it and how you see the NCCIC moving forward?
    Ms. Lute. Thank you, Mr. Chairman.
    I would say the model derived out of Secretary Napolitano's
conviction along with Director Mueller and General Alexander,
that we needed to pool our strengths in order to share the
burden that is being posed to the American public by threats in
cybersecurity.
    We call there when they meet, we call it the TROIKA and
they come together and they speak in very plain terms about how
we can operationalize the need to respond to these threats. We
can do it by bringing our authorities and our capabilities
that, as you see in this chart, are distributed among the three
agencies.
    You mentioned the analogy of the Manhattan phonebook, and
it is true. If you think about the old-fashioned Manhattan
phonebook, for those of us who remember it, it was a pretty
thick thing.
    The government has Q, think of it as that way, and all the
rest of the threat information exists out there in the private
sector and we need to find ways to share this information in
real time.
Now that will require better automation, better
technology, smarter networks, smarter machines, but also that
users, enterprises, and organizations get more savvy as well.
    There is a famous saying making the rounds, that there are
two kinds of companies in the United States, in the world
perhaps, those that have been hacked and those that know they
have been hacked.
    The status quo is simply unacceptable and the Government is
not standing still in the face of that. Our job is to protect
society from threats as they emerge. There are threats in
cyberspace and we need to mobilize to act. But we need to do it
mindful of the role of the private sector. Most of the critical
infrastructure is in private-sector hands and we operate on the
basis of, or the principle of, nothing about you without you.
So sit down with us and let's walk through how we can again,
pool all of our strengths to share these burdens.
    Some of it, as you said, Mr. Chairman will result in greater
representation on the NCCIC floor, greater information sharing,
greater transparency, but the time to act is now.
    Chairman McCaul. I certainly agree and I think, you know,
we have conducted and I may say, Chairman Pat Meehan of the
Cybersecurity Subcommittee has done an outstanding job setting
up listening posts, listening to the private sector. We--our
philosophy is our bill, we will have buy-in from the
stakeholders.
    We will have feedback from the private sector about what
works and what doesn't work. We believe that our relationship
should be a shared relationship with the infrastructures, with
the industry rather than a forced one, which I think doesn't
work as well, and less proscriptive because it is an ever-
evolving area where the law can be quickly behind events.
    So, it needs to be agile, it needs to be flexible.
The one
issue I have heard--now some sectors work very well at DHS like
we will hear from the finance sector, of course the oil and gas
sector. Others say that they want more participation.
    How can you improve, I think DHS and the NCCIC
effectiveness, capability, and participation with the private
sector, who I believe is really the true partner here?
    Ms. Lute. Thank you, Mr. Chairman.
    There are partners that they are true partners, but
equally, so are the other partners in the other agencies in the
Federal Government, the sector lead agencies that work every
day with elements of the critical infrastructure of this
country across the 16 sectors of critical infrastructure.
    We have prepared and handed out to all of our counterpart
agencies and to all of the governors a checklist for
understanding the problem posed by cybersecurity. What they
should be asking in their organizations, how they should work
with their partners in the private sector. We are prepared to
bring our expertise together with theirs in these various
sectors.
    Some sectors are ahead of others, the defense sector for
example, IT, telecom, finance as you will hear from. Others are
mobilizing and increasingly becoming aware and taking action
and we are prepared to support all of those efforts.
    Chairman McCaul. Yes, the tour I got in the NCCIC, I saw
the operations in progress. I know that NSA just did a little
sort of pilot program with you where they did share more
sensitive information through the civilian portal known as DHS
and I think the results were actually quite good and I think
the feedback was very positive about the efforts.
    I think the civilian interface is important and it is
important to a lot of privacy groups I know as well.
I know
General Alexander actually endorsed that idea that DHS provide
that civilian interface to the private sector.
    So with the 9 seconds I have, I look forward to working
with you, I look forward to working with this committee on
drafting important legislation and finally getting this thing
done. It has been long overdue. I have been working on this
issue for quite some time and I finally feel that the time is
right now for the Congress to act for us to get something done
and we are working with our Senate counterparts, which is
something you didn't see last Congress.
    I believe that, you know, Michael Daniel in the White House
has been very open and it is something that I think is
something that is too important from a National security
standpoint to play politics with. It is something we need to
get out of this committee, out of the Senate, and signed into
law by the President.
    So with that, I will now recognize the Ranking Member.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    I look forward to working with you on this committee with
respect to our jurisdiction to make sure that we have our
opportunity to put the Homeland Security's stamp on whatever
goes to the floor.
    That being said, Dr. Lute, good seeing you again. We have
been missing each other for a while.
    President Bush and President Obama both have indicated
through various statements and Executive Orders that
cybersecurity has to be a priority. With the latest Executive
Order from President Obama, can you tell this committee if that
Executive Order is satisfactory enough or would you encourage
this committee to take on legislation relative to
cybersecurity?
    Ms. Lute. Thank you, thanks very much. Good to see you
also.
    The Executive Order--through the Executive Order, the
President has acted within his authorities to direct us to
undertake a number of aggressive measures to improve the status
quo.
We think legislation is still necessary.
    We need to enhance information sharing, create incentives
for that, incorporate privacy, civil rights, civil liberties,
assurances, and safeguards into all aspects of cybersecurity
and adopt a framework for cybersecurity standards.
    We think Congress has an important role to play, also in
affirmatively establishing the positive authority of DHS to
protect dot-gov and to help create a National data breach
reporting mechanism. So we think there is still a need for
legislation and certainly look forward to working with the
committee within its jurisdiction to successfully reach that
goal.
    Mr. Thompson. Thank you very much, I am glad you made that
point.
    The Chairman put a slide on the screen here that talked
about a three-part relationship between the DOD, DOJ, and DHS.
To some degree, the process is beginning to work, but from what
I understand, your testimony today is the roles could be
further defined legislatively so that those three agencies can
do their work in a better manner. Is that correct?
    Ms. Lute. What I am saying, Mr. Thompson, is that, yes, we
think we can--it would be helpful to have legislation clarify
and strengthen the role of DHS in protecting .gov,
strengthening the tools available to law enforcement, and
clarifying that this is a problem of great urgency that the
Government is seized with.
    Mr. Thompson. We received briefings quite a bit on
vulnerabilities that exist within cyber. But most of those
briefings go in the direction of hackers from China, hackers
from Russia, and that is a very significant part of the
challenge. But from your testimony, there is also other areas
that we should be looking at beyond that.
    So most of our briefings for the most part come from a
defense posture and I am convinced that that is necessary.
But
from DHS's perspective, how do you see DHS's role and in
managing that cyber jurisdiction that you have?
    Ms. Lute. Well you are talking to an old soldier.
    Mr. Thompson. Absolutely.
    Ms. Lute. So I certainly understand the role of the Defense
Department, and in particular, knowing the National Security
Agency as I have since 1978, I understand and value its
contribution to the National defense. It absolutely has a role
to play.
    But cyberspace is civilian space. We need to manage it as
civilian space. The status quo is not acceptable. People are
under attacks. The attacks that are emanating from actors in
China or Iran or Russia or elsewhere around the world are
certainly worrisome. We have raised these issues in our
diplomatic and other dialogues with appropriate authorities.
    But we also know is one of the greatest dangers that we
face are the existing vulnerabilities that go unpatched in our
systems every single day. They number in the millions. So we
have got to take action collectively. Our role, in Homeland
Security, and we called this out 4 years ago. We said,
essential to helping create a safe, secure, resilient place
where the American way of life can thrive, is ensuring our
National cybersecurity. We intend to fulfill that
responsibility.
    Mr. Thompson. Thank you very much. Yield back, Mr.
Chairman.
    Chairman McCaul. I thank you Ranking Member. Chairman now
recognizes the gentleman from New York, Mr. Peter King.
    Mr. King. Thank you Mr. Chairman. Secretary Lute, great to
see you back here. Thank you very much. Let me commend the
Chairman for going forth with this hearing. This is absolutely
essential that legislation be passed. I believe that DHS and
this committee have a vital role to play in that, in those
regards. Without setting up a competition but showing seamless
cooperation.
What unique capacity does DHS bring to the table,
let's say separate from the FBI, separate from DOD? Why is it
essential that DHS be part of the final answer?
    Ms. Lute. Thank you, good to see you also. When you think
about the expertise and the resources and the authorities and
jurisdictions that each of the departments bring, DOD is
responsible, General Alexander, responsible for securing dot-
mil. Dot-mil, if I can be allowed a comparison, is the size of
this pen cap. Dot-gov is the size of this box in front of me.
Dot-com is the size of this room. And growing. Organically and
instantaneously every single day.
    What we bring is our working relationship with the private
sector. The responsibility to coordinate National protection
efforts on behalf of the Federal Government. The responsibility
to secure dot-gov. Now I have handed out, and I hope you have
all received our strategy for securing dot-gov. That addresses
issues, and we have policies and capabilities and staff, that
assist the Federal agencies in managing their IT systems well.
Knowing and training the users, the administrators of their
systems, knowing, understanding and protecting the systems and
technologies and the boundaries of the network as well.
    Our job, and we take it seriously, is to prevent bad things
from happening and respond rapidly when we do. We have
extraordinary men and women who work in the Department on this.
In fact, our ICS-CERT, our Industrial Control Systems
Cybersecurity Emergency Response Team, was just highlighted by
SC magazine as the No. 1 cybersecurity team in the country. We
take great pride in that.
    So we bring this perspective and this additional set of
responsibilities and authorities and capabilities to bear.
    Mr. King. At the current moment, do you believe that DHS
has sufficient resources to implement and carry out the
Executive Order?
    Ms. Lute.
We are, we are undertaking to carry out the
Executive Order and devising on an aggressive timetable, the
plans, the approaches, the frameworks, and the inputs. Those
resourcing decisions will need to be made in the context when
that work is completed. But we have mobilized ourselves
internally, created a task organization within the Department,
across every aspect of the Department, to get that work done in
response to the President's direction.
    Mr. King. On the issue of the hostile power cyber breaches,
to the extent you can discuss it in open forum, if you could
refer to the Mandiant report and the impact of China hacking
into the United States. The significance of that, and could you
just drive home how significant that is?
    Ms. Lute. Well we believe it is extraordinarily significant
and what I would say about the Mandiant report only, is that it
is illustrative of the extraordinary capability that exists in
the American private sector in the area of cybersecurity. We
really have some of the best in the world in this country. When
it comes to technology, expertise, insight, analysis, and
perseverance, with what is a growing problem.
    Second, what I would say is, I guess I would echo what Tom
Donilon said recently in a speech on the question of China, we
have raised this issue of the attacks that are emanating from
actors in China, with Chinese authorities. We have called on
them to acknowledge it, take it seriously, understand it. To
investigate it and stop it and to work with us in creating
broad norms of responsible cyber behavior.
    Mr. King. Would you say that Mandiant is typical or
atypical of cooperation between Government and the private
sector?
    Ms. Lute. What I would say is that it is the leading edge
of what will be best practice.
    Mr. King. Okay. Do you intend to pursue that type of
relationship?
    Ms. Lute. Absolutely.
    Mr. King. Yes, okay.
    Ms. Lute.
What is very clear, Chairman, is that no single
entity can do all that needs doing here. Partnering with the
private sector is an intrinsic part of our approach to
cybersecurity.
    Mr. King. Secretary, thank you very much. Yield back. Thank
you.
    Chairman McCaul. The gentleman, the Chairman now recognizes
the gentlelady from California, Ms. Sanchez.
    Ms. Sanchez. Thank you Mr. Chairman and thank you Secretary
for being before us. This is an issue that many of us have been
working on this for a while. I have the opportunity to sit on
the Armed Services Committee and do cybersecurity from that
end.
    There are many people, let me begin by saying, I
congratulate you in working across so many agencies and
departments with respect to this in the Executive arena. I know
that in the House and the Senate, those of us who work on this
on different committees sometimes don't even know we are all
working on it. So I congratulate you on that.
    But there are some of my colleagues who feel that the total
answer to this is our Defense Department. I find that,
especially when I am sitting with Intel members or with HASC
members or people who are very comfortable, if you will, with
the military. So sitting also on this committee, I understand
there is just so much more to be done than just to use our
Department of Defense or some of those agencies and initiatives
on the rest of this.
    Can you, can you do me a favor and walk through currently
what, how you are involved and what the situation would look
like for example? Let's say a big telecom, maybe AT&T gets
hacked and it is ruinous to many people who use, for whatever
reason, that company on a daily basis. From the moment we know
that something is going wrong, so we have got a private-sector
person, company, entity. Then it is important to all of us,
because we may do banking through that, or talking to each
other, networks.
So I would assume you are involved with that.
Then who ultimately, you know, who really shuts things down or
figures out what went on? Or re-routes what is going on?
    Can you sort of walk us through that so that we have an
understanding of what the different roles are, private, DHS,
military if it is there, et cetera, et cetera?
    Ms. Lute. So thanks very much for that. There is no
question that what is going on in cyberspace and on the
internet right now, it is contested space. As we all have said,
and as we all know, there is a variety of sources of threats
and attacks. There is a variety of pre-existing threats and
attacks.
    Among our most capable industries is the telecom industry.
You cited AT&T, certainly they are a leading player in that
industry. But the moment of attack is not the point at which to
begin our dialogue. We haven't. We are in constant dialogue
with AT&T, the other internet providers, other service
providers across the critical infrastructures in cyberspace
already. We have been doing that now for years.
    Together with our partners in DOJ and DOD, who also have
their relationships and dialogues with them. So if there is an
attack, what we look to see is how well the entity under attack
can defend itself. Can we augment that with additional
information? Here is where part of what we have been innovating
over the past few years is really coming into play.
    The government, as I mentioned, has threat information. Can
we put that in the hands of the private sector so that they can
take appropriate steps to defend themselves? We have proven
that we can. This country can protect itself and we will use
all of our resources to do so. But we also know that there is a
vast amount of information in the private sector.
    Can we mobilize that? As kind of a cyber neighborhood
watch, so that everyone has the benefit of where the threats
might be coming from and when.
So we have developed what we
call, is a sufficiency framework for defense of the networks,
where we step through, beginning at the entity level, the
agency or the organization's level. Are they doing everything
they can? Can they be augmented by us? By the FBI? By other
parts of the Federal Government or other parts of government
usefully? Can we step through that to ensure that we prevent
bad things from happening and that we respond and mitigate
immediately when they do?
    Ms. Sanchez. At what point, because we have read, in
places, that more and more are experts within Intel and Defense
are aiding, if you will, some of these private entities. At
what point would they swoop in to save the situation?
    Ms. Lute. So we work side-by-side with our partners in the
Federal Government, including in the intelligence agency,
appropriately under rules. Also mindful of the responsibilities
to, that we all have within our authorities. We will not manage
the cybersecurity of this Nation as an Intel program. No one is
suggesting that.
    What we do want to do is mobilize all of the resources that
we have in the Federal Government to address the status quo
which is unacceptable.
    Ms. Sanchez. Thank you, Secretary. I have other questions,
but I will submit them for the record. Thank you for your work
in this.
    Ms. Lute. Thank you.
    Chairman McCaul. Chairman now recognizes the Committee--
Cybersecurity Subcommittee Chairman, Mr. Meehan, out of order,
and ask for unanimous consent that he be recognized. Without
objection.
    Mr. Meehan. Thank you, Mr. Chairman.
    I am very grateful for the opportunity to join with you on
this. I thank you for your leadership in taking this issue at
the outset for our committee, because of its importance which I
think is being driven home.
Not just by our awareness of the
events that are taking place within the Nation currently, but
the recognition as well as the communications we have had with
you and your colleagues across the spectrum, both in the
governmental sector and the private sector of the importance of
this issue.
    While I believe that you have been consistent in the
clarion call of recognition on this issue, I think we as a
Nation are lagging in an appreciation for the genuine scope of
the threat that we face. In addition that the changing nature
in that it isn't enough just to be reliant on Government alone,
that there is a partnership that is going to be necessary.
    I am struck by the reality, 90 percent of the network that
we are being tasked with protecting is in the private sector.
You clarified that well, so we can, among ourselves in the
Government and the Defense Department, NSA, communicate. So I
am really interested in how we create this collaboration with
the private sector tying back to our Governmental entities.
Recognizing of course, as well, that as we get into
communication, not just from the Government, what we know to
the private sector, but requests from the private sector to
share information with the Government that we begin to open the
door to other kinds of issues about who gets it, when, where,
and what do we do?
    Can you just give me an oversight of where the critical
parts are in that relationship and how we encourage the private
sector to be really engaged in this?
    Ms. Lute. Thank you. In every way, at every level we are
working with the private sector. From the meetings that the
Secretary has, and the dialogues that I have at my level
throughout our organization in Homeland Security, as well
again, if I may say in the Department of Justice and in the
Department of Defense we meet regularly with the private sector
to understand the world in cyberspace from their point of view.
But we are also mindful of our role as Government. So we work
with the other Federal agencies to--and we have been working to
begin to craft a framework, and an approach that will address
the unacceptable status quo with respect to cybersecurity
attacks.
    Every 90 seconds from an operational perspective, US-CERT
gets a call about an intrusion. We push out tons of information
every day, every week. Recently with the attacks on the
financial sector, we have been working with the bureau to put
out joint information bulletins, pushing out hundreds of
thousands of signatures and information that the private sector
can use. We hear uniformly that this has been important and
helpful information, and they want more. So this is an evolving
partnership, but one that begins from a very solid foundation
of respect, mutual regard, and an understanding that no single
entity can do all that needs doing.
    Mr. Meehan. How about the private sector sharing with you
though, and not just in a voluntary capacity because you have
been great, we have discussed--I had the opportunity with the
Chairman among others to spend time talking to some of these
entities in New York and otherwise, that are on the front lines
of these attacks that are coming across. It is a very sobering
situation to see the scope of it. But the--you know those are
groups that are coming to you to work together. An issue that
we are going to have to struggle with is the whole concept of
disclosure by private entities when they know that they have
been hacked.
    I think you said it well, those that have been hacked, and
those that know they have been hacked. That they know they have
been hacked, there is an incentive for them to disclose,
incentive for them to participate with us. How do we make them
partners?
Then how do we deal with those who do not wish to
disclose and could be in possession of information which is
material and important to the defense of our Nation?
    Ms. Lute. Thank you. I won't speak for the private sector,
I was raised to speak for myself, and I know you certainly will
understand this. But we have heard this, the notion, and we
think we understand it, that it does create a burden on this
question of disclosure. But there is a far superior burden to
the consumers and to the users of this critical infrastructure,
if these entities are hacked.
    If people's private information has been unlawfully and
illegitimately exfiltrated and there is potential for
exploitation by cyber criminals or others, in cyber--and we
think that we have to address that concern as well. So we look
forward to working with Congress as it contemplates legislation
in trying to square this circle.
    Mr. Meehan. Well my time has expired, but I thank you Mr.
Chairman and I also look forward to--I thank you for your
observation of the need for legislation that helps clarify a
number of things, among which is the framework to allow us to
work with you and your--you know your fellow agencies, in an
effective way to create this public/private partnership. It is
a big task ahead.
    Thank you.
    Chairman McCaul. Let me commend subcommittee Chairman
Meehan for his great work in this area, listening to the
private sector, and the stakeholders which is vitally
important, along with Ms. Clarke from New York, who is now
recognized.
    Oh, I am sorry, Ms. Jackson Lee is now recognized. Please
forgive me.
    Ms. Jackson Lee. Let me thank you very much for your work,
Secretary Lute, and I do want to thank my Chairman and Ranking
Member, their timing is impeccable. Over the last 24 hours we
have heard the proclamations, or proclaiming of a cyber war,
cyber threats of major proportion in the next 2 years.
So I
would like to just hold up to say this is a very informative
document, and a very helpful document. As I ask you a series of
questions, I do want to make a particular plea.
    In the course of answering my question if you might respond
to that plea. The plea is that alongside of those who intend to
do enormous devastating harm, are those that we call, hackers.
Over the last 24 hours, we have heard some of the most
provocative hacking in public officials from the First Lady to
the former Secretary of State, to a number of entertainers, and
I believe that one of our pathways to success is whether or not
we can convince these individuals, whether they are benign,
whether they happen to be in the category of cerebral persons
who want to be stimulated, that they need to work with us, or
that this is a dangerous proposition when it comes to the
security of the Nation.
    Because potentially if we have a cyber war, then are we
going to have all of those intervening factors cloud what we
are supposed to do to fight those who are truly engaged in
terrorism? So I want you to be able to answer that premise of
what kind of outreach or understanding do we have of the hacker
community? Obviously some are in the category of criminal
activities. But if we just sit here in this committee and speak
about trying to get our hands around cyber threats, and for
example by being aggressive and saying, this is devastating,
wind up having all of our systems hacked because we have not
communicated how devastating this is, or there is not an
outreach or there is not an understanding.
    Where are these people at? We are not reaching--finding
them either through the investigatory process or not. So I ask
that question and I will pause for a moment for you to answer.
    Ms. Lute. Thank you. I don't use the term, war zone or--
when I talk about cyberspace. We can't manage the Nation's
cybersecurity as if it were a war zone.
I mean we have to \naddress this mobilizing all of the resources we have, including \nthe bright and extraordinary young talent that some say make up \nthe hacker world. We have a member of the Homeland Security \nAdvisory Committee, Jeff Moss who is the founder of DEFCON, and \nBlack Hat, one of the leading organizations that draws on that \nkind of talent. We have also recently, at the Secretary's \ninstruction, implemented the findings of a cybersecurity \nworkforce, a cyber skills workforce initiative.\n    This task force, which was chaired by industry leaders in \nthe United States took 90 days and came back to us with ways to \nraise the skills of our workforce. Ms. Renee Forney sitting \nbehind me, chairs this effort now in the Department. We are \ngoing to do five things, and I think these five things are \ngoing to in part, appeal to this audience. We are going to \nhire, test, and train to the very best standards of \ncybersecurity expertise that exists. We are going to open \npipelines, widen the pipelines bringing people, talented young \npeople into Federal service.\n    We would like them to come to the Department of Homeland \nSecurity first, but we will accept their contribution to \nGovernment across the board, wherever they go. We are going to \nwork with industry and with academia to do it. We are going to \nstrategically manage our workforce to prize this very valuable \ntalent. This is the place where we really invest in our people. \nSo, this is the way we are going to reach out.\n    Ms. Jackson Lee. Let me get these last three questions in. \nDo you think that the lead role of the DHS is effective now? \nBush first established it, now you are in the Obama \nadministration. Two, do you have the flexibility of hiring--you \njust mentioned it, but do you need more flexibility in hiring \nthe right kind of people? Are you improving the sharing of \ninformation between State and local entities from the Federal \nGovernment?\n    Ms. Lute. 
Yes, we are up to the task. We need permanent \nflexibility in our hiring. We can--we will always improve, and \ncan always improve our information sharing, and we are working \non that.\n    Ms. Jackson Lee. Do you think there will be a cyber war in \nthe next 2 years?\n    Ms. Lute. Uh.\n    Ms. Jackson Lee. Even though you don't use the word, war?\n    Ms. Lute. I was a soldier for a long time----\n    Ms. Jackson Lee. I didn't hear you, I am sorry?\n    Ms. Lute. I was a soldier for a long time. I think we--\ncyberspace will remain contentious for some time to come. But \nthere is a lot we can do about it, and are.\n    Ms. Jackson Lee. Do you think it can threaten the lifestyle \nof Americans over the next 2 to 5 years?\n    Ms. Lute. Not if I can help it.\n    Ms. Jackson Lee. We thank you for your commitment, but I \nhope that we will have this continuing dialogue. I frankly \nbelieve if we do not reach the hacker community, and separate \nthem out from us, trying to fight what can be Government \nundermining, I think we will have a serious problem. I look \nforward to working with you. Thank you.\n    Chairman McCaul. I thank the gentlelady from Texas.\n    The gentleman from Utah, Mr. Stewart, is recognized.\n    Mr. Stewart. Thank you. I think you have been an excellent \nwitness, you are concise, you illustrate in ways that help us \nunderstand, and I appreciate that. I was an Air Force pilot for \n14 years. I flew a fairly sophisticated weapons system, but our \nROE was fairly straightforward. I mean if we were attacked, we \nresponded. If our forward operating bases were attacked, our \ninfrastructure was attacked, we would respond, and I just don't \nget the same sense here that there--you know the rules of how \nwe operate are as clear as it was in those examples.\n    We talk a lot about defend, defend, defend and I would like \nto spend a few minutes elaborating on your comments on \ndeterrents. 
My questions I guess would be this: Does the Obama \nadministration view--do they have clear red lines that China or \nIran or any other organization knows that they cannot cross? Do \nthey--have we been able to communicate effectively to them what \nthose red lines are? Are we aggressive enough, do you think \nthat that would help to deter future attacks by making them pay \nthe price?\n    It seems like they ping us all the time with impunity in \nsome cases. That concerns me a little bit, and I would \nappreciate your response to that concern?\n    Ms. Lute. One of the things we know about former--being \nformer military--is that society has entrusted its Government \nwith the responsibility to run the military, keep the Nation \nsafe, defend us from attack. We do that in a physical world. We \nare better at that than anybody else in the world as well.\n    What we also know is that not every problem presents itself \nfor a military solution. But there are--nevertheless there is \nlearning, there is information, there is capability, and there \nis technology that we can derive from our partners in DOD and \nfrom our understanding around the world to better defend \nourselves against these attacks.\n    But, as we know, 90 percent of the critical infrastructure \nin this country is in private-sector hands. We have to involve \nthem in that approach. General Alexander takes the back seat to \nno one in his willingness, ability, and determination to defend \nthis country, should we reach that point.\n    I take a back seat to no one, in my commitment to use our \ncivilian resources appropriately under the law to do that as \nwell.\n    Mr. Stewart. Well, I appreciate your response, but maybe \nlet me press just a little bit on this. 
That is, again, I \ndon't--help me understand what price these organizations fear \nor what they feel they are going to pay with some of their--\nwith their constant attacks.\n    I mean, do they feel like we respond to those and they have \nanything to lose? Or do they feel like they can operate in \nthis--again, with impunity, without us really pressing them \nback on that?\n    Ms. Lute. There is a--at the moment in cyberspace, offense \nwins. We know that. I won't speak for how these organizations \nthat are lobbing threats, unlawfully stealing trade secrets and \nother kinds of crime, quite frankly, in cyberspace, what they \nthink or what motivates them.\n    What I will say is that we are increasingly making the \ncountry aware of the threats posed in cybersecurity. This is \npresent in our dialogues. I have standing conversations with a \nnumber of international partners at the homeland security \nlevel.\n    We rely on our diplomats to communicate our diplomatic \nmessages, but at an operator's level we are communicating very \nclearly as well, behavior that is unacceptable, and trying to \nfind ways that we can--that like-minded governments can work \ntogether to stop these actors from acting.\n    Mr. Stewart. Yes. Well, you know, I appreciate your \ncomment, I really do. Maybe I am not communicating my concern \nadequately. But again, it just seems to me that we have not \ninstilled a--again, we talk about defend, defend, defend and in \nyour response you mentioned that again and again. But I am not \nsure that we are aggressive enough in deter and making them pay \na price. Am I wrong on that concern, do you think?\n    Ms. Lute. I think we are getting better at that all the \ntime. It is an imperative for us. This simply can't go on \nunimpugned.\n    Mr. Stewart. Okay. All right.\n    Mr. Chairman, I yield back.\n    Chairman McCaul. Okay.\n    The Chairman now recognizes the gentleman from Arizona, Mr. \nBarber.\n    Mr. Barber. Thank you, Mr. 
Chairman.\n    The first meeting I came to under your leadership of this \ncommittee, I was very pleased to hear that you made \ncybersecurity a top priority for our committee and for the \nCongress. I 100 percent agree that that has got to be the case.\n    My concern is generally, and perhaps you can comment on \nthis, Ms. Lute, is the public, it seems to me, is pretty much \nunaware of the threat that this poses to the homeland, to the \ncountry. I think traditionally, you know, we think of \nprotecting the homeland, protecting our Nation, as military \nprotection or police protection. This issue is not a very \nvisible issue at all, unfortunately, for most people.\n    Could you comment on what we can and should be doing, both \nin the administration and in Congress and in the public at \nlarge to make people more aware of the imminent danger of cyber \nattacks and how we can get public support for taking the \nnecessary action?\n    Ms. Lute. Thank you very much for this question. Part of \nthe problem is strategic, centralized, and top-driven, the \nthreats that we perceive in cyberspace to National security. We \nare addressing them.\n    But cyberspace is transactional, decentralized, and bottom-\ndriven. So is homeland security. We are transaction-based, \ndecentralized, bottom-driven. In our world, it is not so much \nneed-to-know, it is duty-to-share, when we are talking about \ninformation.\n    So we are working aggressively to put the word out. A lot \nof people are unaware. We have been promoting, through a cyber \neducation program, such things as ``Stop. Think. Connect,'' so \nthat people engage intellectually before they get on-line, so \nthey understand cyber threats. We have more to do in this \nregard, but equally, citizens, companies, State and local \ngovernment, every aspect of our society needs to get engaged.\n    Mr. Barber. Thank you for that. 
I just want to add to the \ngentleman's earlier comment that we see a lot of witnesses in \nCongress and I really want to commend you on your clarity and \nyour brevity in responding to our questions and in your initial \nopening statement.\n    I have a question related to the recent Inspector General's \naudit of the Industrial Control Systems Cyber Emergency \nResponse Team. It found that although the team has made \nsignificant progress in building out its capabilities to \nsupport critical infrastructure owners and operators, the \nchallenges still remain, particularly in the sharing of timely \nand actionable threat information.\n    Could you please comment on the challenge of balancing the \nneed to get information to critical infrastructure in time to \nstop attacks, while protecting intelligence sources and methods?\n    Ms. Lute. We are working on that.\n    Sorry, I beg your pardon.\n    I would be happy to talk in greater detail in a different \nsetting. It is not--it is a significant issue. How do we share \ninformation appropriately? But not only between the Government \nand the private sector, but between the private-sector entities \nthemselves. I see US-CERT as the best in the country.\n    Mr. Barber. Very good. I certainly want to commend the \nSecretary for the action that she has taken and the priority \nshe has given and, through you, carrying out this action within \nDHS.\n    I am firmly of the belief that we have to have legislation. \nWe have to have legislation that improves and increases our \ncapabilities to stop these attacks, both on the private as well \nas the public web sites and infrastructure. I also believe that \nwe have to figure out a way to make sure we have--assure people \nthat we are protecting their privacy.\n    So to the question about hackers. As we work to improve \ncybersecurity, I want to know more about what we can do to \npenalize those who perpetrate cyber attacks. 
That we send--how \ndo we send a clear message to our cyber adversaries of the high \ncost of attacking the United States?\n    Also, could you talk about what we can do to hold hackers \nwho are not friendly, in any way, accountable for their \nactions?\n    Ms. Lute. Thank you for that. Two aspects to my answer. No. \n1, we need to strengthen the hand of law enforcement to enforce \nthe law. To a large extent, what we are seeing in cyberspace is \ncrime. We need to give our law enforcement officers the tools \nthey need to investigate, pursue, and successfully prosecute \nthe crimes that occur in cyberspace. We are working very \nclosely, Secret Service, Immigration Customs Enforcement, \nworking very closely with the FBI, other law enforcement \nagencies, to do just that. We are getting better all the time. \nHere is an area where legislation can help.\n    A word, if I may, on privacy, civil rights and civil \nliberties. We can do both. We can ensure your cybersecurity \nwhile protecting your civil rights and civil liberties. It must \nremain a dual imperative.\n    Mr. Barber. Thank you, Mr. Chairman. You can count on my \nsupport for legislation. This has to be a bipartisan issue and \nI appreciate your leadership and that of the Ranking Member.\n    Chairman McCaul. I thank the gentleman. I agree with you on \nthe capability issue, as well. Also, Dr. Lute, on the balance \nof privacy versus security. It is hugely important and I think \nDHS is well-suited for that.\n    The Chairman now recognizes the gentleman from \nPennsylvania, Mr. Rothfus.\n    Mr. Rothfus. Thank you, Mr. Chairman.\n    Thank you, Madam Secretary, for being here today. This is \nvery informative for me.\n    I understand the collaboration that exists now between DHS, \nthe Defense Department, and the Department of Justice, FBI. 
A \nquestion that occurs to me is whether or not we currently have \nany Federal official who is the primary point of contact for \nthe oversight of cybersecurity?\n    Ms. Lute. So we would say that the Secretary of Homeland \nSecurity is responsible for coordinating across the Government, \nbut we work collaboratively with our partners in DOJ and DOD.\n    Mr. Rothfus. So the Secretary would convene meetings of \nthese other agencies to ensure that collaboration is taking \nplace as appropriate----\n    Ms. Lute. Also attend. The responsibility for securing dot-\nmil belongs with DOD and in other sectors, and of course, the \nlead law enforcement investigative agency is the FBI.\n    Mr. Rothfus. If I could just----\n    Ms. Lute. I beg your pardon.\n    Mr. Rothfus. Thank you. A couple of questions as I review \nthe organizational structure of the Department of Homeland \nSecurity and whether or not you are as organized as optimal.\n    We appear to have a number of offices within the Department \nthat address cybersecurity. Under Science and Technology, we \nhave the Office of Cybersecurity Division, where we have US-\nCERT, as I understand it. Under National Protection and \nPrograms Directorate, we have the Office of Cybersecurity and \nCommunications. Then under Intelligence and Analysis we have \nanother Office of Cyber, Infrastructure, and Science.\n    None of these offices that appear to deal with \ncybersecurity directly report to the Secretary. If you could \njust share with us how that works, how that information is \nchanneled to the Secretary from these disparate offices, and \nwhether or not there should be consideration for any kind of \nreorganization within the Department, given the importance of \ncybersecurity?\n    Ms. Lute. 
The Secretary maintains constant awareness of \nwhere we are in cybersecurity and is very up to speed on every \naspect of the operations of the offices that you described.\n    As chief operating officer of the Department, my job is to \nsee that everything is running. Every Wednesday, I chair a 3-\nhour cybersecurity meeting among all of those agencies.\n    This is like so much else. I am an operator. Operations \nconform to functions and needs that agencies or, in our case, \nthe Federal Government require. Is our organizational structure \noptimal? I don't know of any such thing sort of anywhere. It is \na constantly-evolving process.\n    The issue of direct report may, at a surface level, \ncommunicate salience, importance, or ease of access. The \nSecretary places extreme importance on the cyber activities of \nthe Department, has no problem getting access or answers to any \nquestion or issue that may arise, and we maintain constant \nvigilance over all of these parts of the Department.\n    So can we change and improve? Of course. What will drive \nus? We have got a cybersecurity strategy. We have laid out an \napproach to securing dot-gov, we are engaging the private \nsector and the American people on an educational platform, as \nwell, as I mentioned.\n    We will adapt our organization to these imperatives as we \nmove along. We are paying a lot of attention to this.\n    Mr. Rothfus. Thank you.\n    We have some great assets in southwestern Pennsylvania with \nUniversity of Pittsburgh, Carnegie Mellon University. I am just \ncurious how you are leveraging, if at all, the capacities of \nour academic institutions in this effort.\n    Ms. Lute. Well-known to us, great partners in the analytics \nside, I mean our S&T, you mentioned Science and Technology, \nDoug Maughan who heads our cybersecurity work on that front. It \nis a National treasure. He knows these organizations, is well-\nknown to them. 
So we leverage them a lot as we can.\n    I mentioned also in response to an early question, our \ndesire to broaden the pipeline of talent that comes into \nhomeland security, working with academia and with industry as \nwell.\n    Mr. Rothfus. Thank you.\n    I yield back.\n    Chairman McCaul. Thank you to the gentleman.\n    The Chairman now recognizes the gentleman from New Jersey, \nMr. Payne.\n    Mr. Payne. Thank you, Mr. Chairman.\n    It is very good to see you once again.\n    You know, we have been talking a lot about the different \nGovernment departments are working well together, sharing \ninformation in terms of this whole issue. But it seems like it \nis still a challenge and I hear you saying that the private \nsector is coming along. But you know, much progress has been \nmade with NCCIC program. You said that we need to get private \nentities on board.\n    Specifically, what legislation can be passed to create \nincentives for that?\n    Ms. Lute. Thank you, Congressman Payne and Mr. Chairman \nwith your permission, I would just like to acknowledge \nCongressman Payne's father's passing a year ago last week. He \nwas one of my father's closest friends. He admired him and \nappreciated the work he did. I may be a New Yorker, I was born \nin Newark, and I have never forgotten it, and I just would like \nto acknowledge with respect and appreciation his work, \nCongressman and yours as well on behalf of the people from \nsomeplace I call home.\n    Chairman McCaul. We all share in that our condolences to \nyou and your father.\n    Mr. Payne. Yes, and to you ma'am, your father played a \ngreat part in recognizing my father's commitment to public \nservice very early on when a lot of people doubted it and he \nwas one of the people that really helped open the door for him \nand we see what he was able to accomplish. So to your family, I \nthank you as well.\n    So, in terms of the legislation to create incentive?\n    Ms. Lute. 
So, many of the ideas in the cyber EO, draw on \nthe House Republicans Cyber Taskforce. We think additional \nlegislation in terms of enhancing information sharing and \ncreating incentives for industry to participate with us and \nadopting standards and best practices.\n    For example, we know today, we know today, that we can--we \nhave the technology to identify hardware that is on systems, \nwhite list software that is acceptable to be on systems, \nunderstand network configurations and have machines talk to \neach other in real time to identify threat factors and respond \nand patch in real time.\n    We think that by sharing this information and creating a \nculture of accountability and action that industry will be \nincentivized to act. We need Congress's help in this regard and \nwe look forward to working with the committee to achieve that.\n    Mr. Payne. Okay.\n    But it--I know there has been some difficulty in getting \nthese private entities to buy in at times and even admit that \nthey have been hacked and have had problems. It is almost like \nhaving a bully and you are scared to say that you have been \nattacked by this bully because it shows some type of weakness. \nHow do we get them to even admit that they have had issues when \na lot of them hold back that information?\n    Ms. Lute. We think an important component of legislation \nwould be establishing a National data breach reporting system \nand we have changed the culture, not completely, in the example \nthat you cite. We need to change the culture here because as \nproblematic as it--as some may think it might be to report on a \nbreach, it is far more problematic when the breach goes \nunreported and far more problematic when people's privacy and \ntheir private information goes exfiltrated unlawfully. We need \nto address that and close that gap.\n    Mr. Payne. Thank you.\n    I think I will yield back, Mr. Chairman.\n    Chairman McCaul. 
The gentleman--and I--let me just point \nout, I think the liability protections that we will be looking \nat can greatly incentivize the private sector to share the \ninformation and provide that safe harbor that they can go to \nwhich we envision to be the, you know, the NCCIC itself. So, \nlet me also on a point of personal privilege, your father and I \nworked on the Sudan caucus and I know he founded that caucus \nand was just a great soul and we miss him.\n    Mr. Payne. Thank you.\n    Chairman McCaul. With that, I now recognize the gentleman \nfrom Mississippi, Mr. Palazzo.\n    Mr. Palazzo. Thank you, Mr. Chairman and I would like to \nthank Ms. Lute for being here today. Thank you for your \ntestimony and also thank you for the vital service that you \nprovide and protecting our homeland from threats and your \ndedication and your military service is also commendable as one \nsoldier to another. I was a former Marine, now a soldier to a \nsoldier, okay. I had to put that in there, I might get in \ntrouble. I have a gunnery sergeant in my office serving as the \nmilitary fellow. But anyway, I digress.\n    Listen, protecting our private and our public sector from \ncyber attacks is extremely important. But in the interest of \ntime, I would also like to know, you know, what does Department \nof Homeland Security do to protect their own information? \nBecause I am aware the Department uses the National Center for \nCritical Information Processing and Storage which is also known \nas NCCIPS, to house Nationally-sensitive critical or classified \ninformation, hundreds of millions of dollars have been invested \nin massive and redundant infrastructure and IT equipment to \nensure uninterrupted service to multiple Federal agencies who \nshare this facility.\n    So given the amount of sensitive information the Department \nstores at the center, how secure is the center as well as DHS \nassets from potential cyber attacks?\n    Ms. Lute. 
Thank you for that.\n    We are the largest tenant. I think three-quarters of the \ndata center is leased by us for secure data processing and \nstorage. We adopt as we do in other aspects of homeland \nsecurity, a layered approach, from perimeter fences, roving \npatrols, armed access gates, guards, CCTV, facility control \nsystems, fully redundant power supplies.\n    What we are trying to model in homeland security is best \npractice across the range of activities that we have said is \nnecessary to secure dot-gov, from being aware on how to well \nmanage our IT systems, understand who has access, et cetera. \nBut it is a layered approach involving physical as well as \ncyber measures.\n    Mr. Palazzo. As we focus on how we protect our information \nand prevent cyber attacks, should the Department and other \nFederal agencies use NCCIPS as a model for securing sensitive \ninformation?\n    Ms. Lute. We think it represents an approach to best \npractice which, again, incorporates not only physical but \ncybersecurity as well.\n    Mr. Palazzo. So it is a good model?\n    Ms. Lute. It is a good model.\n    Mr. Palazzo. For other agencies to adopt?\n    Ms. Lute. Yes.\n    Mr. Palazzo. It is secure?\n    Ms. Lute. Yes.\n    Mr. Palazzo. Safe?\n    Ms. Lute. Yes.\n    Mr. Palazzo. All right, now----\n    Ms. Lute. Mississippi, I spent a year in Mississippi, so--\n--\n    Mr. Palazzo. Not in August, right?\n    Ms. Lute. In August, it was hot.\n    Mr. Palazzo. Bless your heart.\n    It--real quick, to just change a little bit and I don't \nthink anybody has really touched--I know China has come up a \ncouple of times. 
You know, my experience with the Chinese \nhasn't, you know, really been pleasant from the sense that, you \nknow, after Katrina, they flooded our markets with contaminated \ndrywall, you know, constantly hearing about their products \nbeing dangerous to children, you know, coated in lead-based \npaint and so on.\n    Then you look at--from a military standpoint, they are \nbuilding up their military and to hear the report that came out \n2 weeks ago that there are blatant attacks by the Chinese \ngovernment that is kind of attacking our systems. Can you \nelaborate just real quickly on the cyber threat posed by China \nand any plans this administration has in deterring China from \ncontinuing to steal U.S. intellectual property and other assets \nfrom the public and private sectors? What would be our red line \nthat we say they cannot cross before we retaliate?\n    Ms. Lute. Congressman, what I will say in this forum, and I \nam happy to pursue this in an appropriate forum other than \nhere, is that we are concerned about the attacks that seem--\nappear to be emanating from actors within China. We made this \nvery clear. We have called on Chinese authorities to recognize \nand address this, to investigate it, pursue it, and to work \nwith us in establishing collaborative norms. We take this very \nseriously.\n    Mr. Palazzo. Thank you.\n    I yield back.\n    Chairman McCaul. The Chairman now recognizes the--let's see \nhere, hold on second, the--yes, the gentleman from Texas, Mr. \nO'Rourke.\n    Mr. O'Rourke. Thank you. Thank you, Mr. 
Chairman.\n    Secretary Lute, thank you for your testimony today and the \nquality of your answers to the questions asked so far.\n    A lot of analogies have been made today to physical space \nand cyberspace, physical security and cybersecurity and one \nthat I would like you to respond to is the analogy between \nborder security and cybersecurity and one of the challenges we \nhave had as a committee and a Congress is defining what border \nsecurity is and we are spending $18 billion on it today, twice \nwhat we were spending in 2006. We have doubled the size of the \nBorder Patrol. A lot of important future legislation hinges on \nour answer to it, and we are unable to define it.\n    I can see perhaps as cybersecurity reaches a greater \nprofile and there is more attention paid to and we understand \nthe nature of the threat. There could be an overcorrection or \nan over response and I think to protect against that, we need \nto find measurable goals and milestones against those goals.\n    Could you talk about how Department of Homeland Security \nhas defined those so far or plans to in the future?\n    Ms. Lute. So when we speak about and everybody is searching \nfor the elusive analogy in the physical world to cyberspace. \nYou know, is it--is it like a global commons, you know, is it \nlike clean air or clean water? I think cyberspace is more like \nlight than air and I think it presents challenges in that \nrespect.\n    What we want and what we have been promoting is an open, \ninteroperable, reliable, and secure internet globally. \nCertainly that requires more than we can do in the Department \nof Homeland Security, more than we can do as a country, it \nrequires all of us around the world. We have benefited \nenormously from this.\n    Our job in homeland security is to secure dot-gov and to \nwork with the private sector to secure the Nation's critical \ninfrastructure. 
We are evolving standards of what that means, \nreducing the number of attacks and threats, repairing \ninstantaneously vulnerabilities as they are automated or as \nthey are detected on an automated basis. So this will be an \nevolving set of challenges and issues that we will be dealing \nwith.\n    Mr. O'Rourke. What are the protections to the taxpayer with \nthese evolving goals and definitions? I mean we can spend $10 \nbillion, $100 billion, a trillion, $10 trillion, how do we know \nthat we have spent enough, that our money is being used \neffectively, that we are meeting the goals that you and the \noversight committee have agreed upon?\n    Ms. Lute. Right. How do we know that what we are doing is \nworking? If we have a removable media policy, is that enough? \nIf we control access to our networks, is that enough? If we \ngive everybody dual-key authentication responsibilities when \nengaging in networks, will that be enough? This is what we are \ncrafting. We are doing it together with the private sector.\n    Because while we have ideas of our own, we know that they \ndo as well. We look forward to working with this committee, \nbecause we know that you have ideas. So that is very much on \nour minds. Because we are determined to address this problem.\n    Mr. O'Rourke. So you are talking about the process which \nyou will undertake to define those goals and measure success \nand effectiveness. Are those specific goals, perhaps specific \nto the threats and challenges that we face in these, the three \ndomains that you mentioned? Are those goals that you will share \nwith this committee?\n    Ms. Lute. Yes, absolutely.\n    Mr. O'Rourke. We will be able to measure progress against \nthose goals. Measure the effectiveness of the dollar spent.\n    Ms. Lute. That is the, again, we operate on a duty-to-share \nmodel, in terms of information and how we work in Homeland \nSecurity. Especially in cybersecurity. So we will.\n    Mr. O'Rourke. 
One of the things that you mentioned that \ncaught my attention is cyber space is civilian space. There \nhave been a couple of questions to this, but how do you see \nyour job in terms of managing that balance that you talked \nabout, between civil rights as you talked about it, personal \nfreedom, liberties, the things that make the internet such a \ndriver of economic growth and creativity in our country and in \nthe world, and balance that against these security concerns?\n    Ms. Lute. So if I could be permitted an example? I was the \nlead negotiator for the United States with the European Union \non a data-sharing agreement called Passenger Name Recognition, \nPNR, to ensure the safety of air travel. It took us 18 months \nto have this negotiation. At the center of it was our ability \nto enforce our laws at our borders and to ensure the \noperational safety of the traveling public. Equally at the \ncenter was the role, were issues of privacy and civil rights \nand civil liberties.\n    We have been managing billions of files of data over the \npast 10 years in the Department of Homeland Security with \nrespect to this traveling information. There has not been one \nprivacy incident. So we think we can get it right. Again, I am \nan operator and this comes down to what it is we do.\n    Mr. O'Rourke. That is impressive. Thank you. Thank you, Mr. \nChairman.\n    Chairman McCaul. The gentleman, the gentlelady from \nIndiana, Mrs. Brooks, is recognized.\n    Mrs. Brooks. Thank you, Mr. Chairman and thank you deputy \nsecretary for being here and for your service. In 2012, FEMA \nand DHS held a National-level exercise. I have been a deputy \nmayor in the city of Indianapolis in the late 1990s working \nclosely with public safety. As a U.S. attorney have worked with \nFederal, State, and local on a number of exercises, \nparticularly after 9/11. I value the importance of exercises. 
\nIt was on the Nation's ability to prevent, respond, and recover \nfrom a significant cyber incident, as I understand it. We hear \nthat obviously cyber incidents are becoming greater in number \nand in severity.\n    My question is: What role does FEMA play, before, during \nand after, a significant or a catastrophic cyber incident? At \nwhat point might we expect that, if that after-action report is \nfinished, and if it is not finished, when can we expect its \nrelease?\n    Ms. Lute. I will have to get back to you on the release of \nthe after-action report. In my background and tradition, those \nare extremely important exercises, the lessons learned. What \nyou want to do successfully in any organization, and we \nparticularly want to do in Homeland Security, is embed these \nlessons learned so that we can replicate our success and avoid \nrepeating failure.\n    Lessons learned are an important part of that. You know \nwhen I was a young Signal Officer in the Army, we used to do \nexercises all the time. The Signal Officer always had to keep \neverything running so that the infantry or armor, they could do \nexercises. But we had to have everything working perfectly. \nWell, what if it doesn't work perfectly? What are the \nconsequences to our ability to operate? So how do you bake that \ninto our exercises and our understanding?\n    FEMA of course plays a key role in leading Federal-level \nexercises, of which State and locals are so much a part. So we are \nbeginning to bake this into our thinking about exercise \nscenarios. But also, FEMA also, you know, in the Department of \nHomeland Security, is the Federal Response Agency. So what are \nthe consequences, how do we understand, working with industry, \nthe consequences of catastrophic failure and what that will \nmean for the public? How do we mitigate it, how do we restore \nservices quickly? Address our responsibilities in that regard. \nSo very much on our minds.\n    Mrs. Brooks. 
Does DHS, does FEMA actually possess the legal \nresources and authority it needs, in the case of a catastrophic \nincident?\n    Ms. Lute. Well FEMA certainly has the authorities that it \nneeds to respond to an incident. What we know is that, a cyber \nincident could have consequences that matter for which FEMA is \nappropriately authorized to respond.\n    Mrs. Brooks. Okay. Do you know how FEMA works with the \nprivate sector in, I am not certain, are you familiar with the \nexercise that they did in 2012?\n    Ms. Lute. Yes, yes.\n    Mrs. Brooks. How does FEMA work with the private sector in \nrecovery?\n    Ms. Lute. Well, well again, you know one of the things \nabout Homeland Security is our partnership with the American \npeople. FEMA is an example of where we live that every day in \nresponse to disasters. So it is a very close working \nrelationship. Our dialogue at the State and local level with \nFEMA representatives on the ground, with community leaders, \npolitical officials as well, it is pretty interwoven.\n    I think the central point for me on cyber and FEMA is that \nphysical and cyber infrastructure are inextricably linked. \nThere can be vulnerability to that infrastructure through \ncyber, to which we have to be attentive, broaden our minds and \nunderstandings of what could result, and mobilize the \nappropriate levels at the Federal level to respond. The \nappropriate resources at the Federal level to respond.\n    I would be happy to get you, to discuss this in greater \ndetail. We are working with FEMA on the lessons learned, as you \nmentioned. We know that there could be consequences that we \nhave to be attentive to.\n    Mrs. Brooks. So how does FEMA interact with the other DHS \ncomponents during a cyber incident specifically?\n    Ms. Lute. They are at the table, appropriately, again for \nwhat response they may have to mobilize. The actions that they \nmay have to take. They are certainly in the room and part of \nthe response. 
As we understand the consequences of an event \nthat may give rise to physical effects that would engage FEMA's \nresponsibilities.\n    Mrs. Brooks. Thank you, I yield back.\n    Chairman McCaul. Thank you. The Chairman now recognizes the \ngentleman from Nevada, Mr. Horsford.\n    Mr. Horsford. Thank you, Mr. Chairman and thank you, Deputy \nSecretary. It has been very informative to have you here in the \npresentation. I do have a specific question on cybersecurity \nbut before I do that, while I have such a high-ranking \nrepresentative, I wanted to share something with you and see if \nyou could help me with the response.\n    I heard from one of our local veterans recently. His name \nis James Courtney. He served three tours in Iraq and he is \ndisabled after 15 years of active duty in the United States \nArmy. His wife and the mother of three U.S. citizens, all boys, \ndoes not have a green card. As I understand it, in 2003, Sharon \nwas held by the Border Patrol for several hours and denied even \na phone call to her family in El Paso. Without any explanation \nSharon was told if she just signed a simple document, that she \nwould be let go. She now stands accused of falsely claiming to \nbe a U.S. citizen.\n    What do we say to families like this? Who have been \naffected by what is a broken process? From what I have heard, \nit sounds like this family has been wronged. Do you agree? What \nis the Department doing to address issues like this one?\n    Ms. Lute. Congressman I am not familiar with the incident \nthat you are speaking about. I don't want to give you an off-\nthe-cuff answer. I would be happy to take the facts back as you \nrepresent them, and find out.\n    Mr. Horsford. If you wouldn't mind doing that. I know that \nthis did occur in the prior administration and it is, some time \nago but there are details that I think are important for this \ncommittee and for me to be able to respond to.\n    You know, Mr. 
Chairman, I think that as we address larger \nissues, other issues including immigration, it is these types of \ncircumstances that I hope will be brought forward and that we \ncan also talk about.\n    Let me switch to the issue of cybersecurity. I wanted to \nfollow up to the Ranking Member's question dealing with the \nsequester. You know, we have all agreed here today that \ncybersecurity is very important and that we need to work in a \nbipartisan manner to pass legislation to help both the private \nsector as well as the public sector.\n    But we have a sequester that is affecting our ability to do \nour job today. So I would like to understand what the impact of \nthe sequester has been to your Department, specifically as it \nrelates to cybersecurity.\n    Ms. Lute. Thank you for that. Cybersecurity is not immune \nfrom the impact of sequester. Both our perimeter deployment \nEinstein E3A will be affected. Our ability to automate the \ncontinuous diagnostics and monitoring system will be affected \nas well. Our ability to reach out to stakeholders as well.\n    It is particularly important because in cyber space, in the \nworld of technology, the problems and the solutions that we are \ngoing to be dealing with 2 years from now, haven't been \ninvented yet. So this is a place and an environment where speed \ntakes on a whole new meaning.\n    Mr. Horsford. As it pertains to the workforce because as we \nhave heard from members in the private sector, this is a very \nspecialized workforce, and as we develop information-sharing \ncapacity, what is our ability to recruit and retain on the \nDepartment side, the skill set of the workforce that we need in \nthis regard?\n    Ms. Lute. Of course it is affected, as you know. But one of \nthe things that we are doing is overhauling our whole approach \nto become a world-class home to a world-class cybersecurity \nworkforce. By hiring, testing, and training to the highest \nstandards of cybersecurity. 
These really are cyber ninjas. \nThose are the standards that we want to instill, train to, \ncertify, and maintain. We want to attract folks. We want to \nopen the pipeline with industry and with academia. We want to \nstrategically manage this workforce across the Department, and \nindeed, across the Federal Government one day.\n    We want to overhaul our acquisition and procurement, \nincluding our workforce, so that they are as skilled of the \nneeds in the contracting environment for this. We want to \ncreate a cyber reserve. So we are not standing still on this \nquestion at all.\n    Mr. Horsford. Just if I could ask if the Department could \nprovide us the college initiatives, I guess, that you have \ndone. If you could maybe share that information with those of \nus who want to make sure that the Department is doing \neverything it can to reach out to the next generation of \ngraduates that we need.\n    Thank you, Mr. Chairman.\n    Chairman McCaul. Thank you. The gentlelady from New York, \nthe Ranking Member of the Cybersecurity, Infrastructure \nProtection, and Security Technologies Subcommittee, Ms. Clarke \nis recognized.\n    Ms. Clarke. Thank you, Mr. Chairman. Deputy Secretary Lute, \nI don't mind sharing you with Congressman Payne. I am the New \nYorker here.\n    Let me first of all thank you for your passion, your \ntalent, your expertise that you brought to bear on the \ncybersecurity mission for the Department of Homeland Security. \nIt is truly refreshing.\n    I also want to extend a thank you to our Ranking Member, \nMr. Thompson, for his leadership and partnership in penning the \nletter to Chairman McCaul and me regarding the legislative \njurisdiction issues that threaten to undermine the DHS mission \nand marginalize the effectiveness of governance and oversight \nof this committee. 
I think it is really important that we not \nget into a bidding war, but we all play a very critical role in \nthis new governance in this space.\n    Mr. Chairman, last year our committee faced strict \nresistance to legislating a strong statutory role for the \nDepartment of Homeland Security's cybersecurity mission. Though \nyou may have differences of opinion with Mr. Lungren's \nlegislation, the precise act, I am sure you would agree, that \nthe strong authorities for the Department of Homeland Security \nwere commendable.\n    Unfortunately, some colleagues last year were unwilling to \nconsider giving DHS the statutory certainty that it sorely \nneeds and prevented the legislation from reaching the floor.\n    So I am glad that you are holding this hearing today to \nhopefully spotlight the good work, and you have been, that the \nDepartment is doing. Just last month, ICS-CERT was awarded the \nbest security team award at the RSA by ``SC Magazine.'' I would \nlike to insert that recognition into the record. I think that \nwe need to--morale is important here.\n    Chairman McCaul. I agree and without objection, so ordered.\n    [The information follows:]\n                     BEST SECURITY TEAM GOLD WINNER\n    The Industrial Control Systems Cyber Emergency Response Team (ICS-\nCERT) Security Team responds to incidents, vulnerabilities, and threats \nthat can impact those industrial control systems (ICS) which operate \ncritical infrastructure across the United States. 
These systems are \nvital for the processes used throughout many critical sectors that the \nNation depends on every day.\n    The ICS-CERT Security Team's mission is to reduce cybersecurity \nrisks by offering four core products and services to the Nation's \ncritical infrastructure sectors: Providing situational awareness to \nGovernment and the private sector through National alerts and \nadvisories that warn of cyber threats and vulnerabilities; conducting \ntechnical analysis of malware, system vulnerabilities, and emerging \nexploits; performing cybersecurity incident response for asset owners \nand operators; and partnering with the control system community to \ncoordinate risk management efforts and serve as the focal point for \ninformation exchange.\n    The ICS-CERT Security Team has received National and international \nrecognition as an essential element for coordinating cybersecurity risk \nreduction efforts among the Nation's critical infrastructure asset \nowners. Through its incident response, situational awareness, and \nrecommended practices efforts, the team is recognized as a National \nresource for cybersecurity guidance.\n    It is also a key functional element of the DHS National Cyber \nSecurity and Communications Integration Center (NCCIC) and is integral \nto the Department's capability to coordinate National-level cyber \nevents. ICS-CERT Security Team presence in the NCCIC Operations Center \nprovides synergistic information-sharing value to the various public \nand private-sector partners and participants.\n    http://awards.scmagazine.com/best-security-team-0\n\n    Ms. Clarke. Thank you, sir.\n    I firmly believe that DHS's role needs the clarity and \nauthority of statute to most effectively do its mission. 
That \nis why last year I introduced the Identifying Cybersecurity \nRisks to Critical Infrastructure Act to get an important \nsegment of DHS's authorities written into law.\n    So Deputy Secretary Lute, can you talk about the importance \nof getting your Department's cybersecurity mission and \nauthorities codified in statute? What aspects of DHS's \ncybersecurity mission do you think would be particularly \nimpactful if we could fully authorize them?\n    Let me repeat that for you--can you speak to the importance \nof getting your Department's cybersecurity mission and \nauthorities codified? What aspects of DHS's cybersecurity \nmission do you think would be particularly impactful?\n    Ms. Lute. I certainly agree with the importance of that and \nthe Secretary absolutely agrees. We think it is important in \nthis rapidly unfolding field to clarify the responsibilities \nthat this Department will be given, particularly when it comes \nto securing dot-gov, in the area of information sharing as \nwell.\n    Ms. Clarke. With that, I yield back the balance of my time.\n    Chairman McCaul. Well, I thank you for your questioning. \nKnow that I am committed to getting this done, to getting \nexisting authorities codified, and to making the Department as \nstrong a player as they are in this very important field, \nworking together with the other agencies. I think we have one \nlast Member, the gentleman from California, Mr. Swalwell.\n    Mr. Swalwell. My district is in Northern California and it \nincludes northern Silicon Valley and it is really the cradle of \ninnovation. We also have two National laboratories and, I \nbelieve, more Ph.D.s in our district than anywhere else in the \ncountry. 
Very smart, innovative folks in our district, and I am \nconcerned that if we were to get hit hard in our district, we \nwould fall hard.\n    I am also concerned that if we sneezed from a cyber attack, \nthe rest of the country could catch a cold because of the \nripple effect of what it would mean to many of the industries \nin our district. We are talking all of Silicon Valley south and \nthen, of course, the part of Silicon Valley that is in my \ndistrict in the north.\n    So I am concerned that right now the rest of the country \nalso does not understand enough about what the real threat is \nhere. I want to know what we can do to better educate. Because \nwe are starting to hear more about the threat, but--and folks, \nI think, will accept that their computer may get hacked. \nSomeone may send out an e-mail in their name that didn't come \nfrom them.\n    But I don't know if we are prepared yet or we understand \nthat we could go to the bank one day and our account balance \ncould say zero. 
Or we could show up to work one day and our job \nis no longer there because the technology or something critical \nto the employer has been stolen by someone abroad.\n    When I was a prosecutor for 7 years, I worked closely with \ntelecommunication companies to prosecute a number of our \nhomicide cases, to work with them on subpoena compliance as \nwell as ways to make sure that it was a two-way street, that \ntheir cooperation would not mean they would be penalized for \nworking with us.\n    Now I know that we do have the National Cybersecurity and \nCommunications Integration Center and my first question is what \nis the participation like, in that center, with private \nindustry and what can we do, legislation-wise and as far as \ncoordination efforts, to make sure that private industry is \nreally working with us?\n    Because I know from being a prosecutor that it has to be a \ntwo-way street and because 90 percent of the networks are not \ndot-gov or dot-mil, if we don't have their cooperation or \nparticipation, we can't truly protect against the threat.\n    Ms. Lute. Well, thank you for the question and thank you \nfor your part of the country. I took my Ph.D. from Stanford. I \nam a believer. I am a believer.\n    It is an extraordinary National asset for us, the vibrancy \nand the contribution of that community, not only to this \ncountry but to the world. This instantaneous organic growth of \nthe internet, in many ways can trace its lineage back to this \npart of the country. We certainly appreciate it.\n    We also appreciate the role of collaboration in the private \nsector. I speak very often with the leadership of private \nindustry out in the Valley. They are extraordinarily thoughtful \non all of the questions that we have discussed today.\n    On the NCCIC though, to your specific question, we do have \nprivate industry representatives in some of the various sectors \nand we can talk to you in detail about that. For those members, \nMr. 
Chairman, who have yet to come see us, we invite--that \ndoor--let me just reiterate your invitation and urging that \nthey come and see us.\n    We agree on the partnership. We agree on the two-way \nstreet. We agree on the need for collaboration. We are putting \nour money where our mouth is in terms of having them on the \nfloor with us at an operational level and including dialogue \nwith them at a policy level at my and the Secretary's--in our \ndiscussions with them as well.\n    So across the board I agree with you.\n    Mr. Swalwell. Great. Right now in this era of sequester, \nand we don't know how long this is going to last, but we do \nknow that the threats are going up and the money to fight the \nthreats are going down. How much does that concern you that \nyour budget could continue to be on the chopping block and \nreduced as our country becomes more and more vulnerable to a \ncyber attack?\n    Ms. Lute. Nothing is standing still. As I mentioned before, \nin cyber space, the problems and the opportunities that even 2 \nyears from now, perhaps even 1 year from now, that we will be \ndealing with have not been invented yet. So time is of the \nessence.\n    Mr. Swalwell. Finally, as a prosecutor, it is frustrating \nto me that it seems like we spend most of our time defending \nagainst the threat, but it is very hard, and I understand from \nthe cases I have had, it is very hard to go after somebody on \nthe law enforcement side and prosecute an individual who is \nhacking against us, tracing where the individual is coming \nfrom, which oftentimes is across the world.\n    Can we truly, really not just prevent the threat or prevent \na cyber attack, can we truly go after an individual and \nprosecute them and hold them to account?\n    Ms. Lute. I am a big fan of the rule of law and I am a big \nfan of the power of the law in this country. We are working \nvery closely with the FBI to strengthen the hand of law \nenforcement. 
We have mentioned this is one of the things that \nwe think cyber legislation would usefully add, which are tools \nto put them in the hands of law enforcement officers to \nsuccessfully prosecute cyber criminals.\n    Mr. Swalwell. Great. Thank you, Mr. Chairman.\n    Chairman McCaul. Thank you. Let me say, Deputy Secretary \nLute, let me thank you for your testimony. It has been very \nimpressive and I think very productive towards our discussions \nin developing legislation, which as I state, is a high \npriority.\n    Also, Chairman Meehan and I will be scheduling tours for \nour members to the NCCIC and we look forward to seeing you out \nthere again.\n    With that, I know the Members will have--they have \nadditional questions. You need to--you should respond in \nwriting. With that, the clerk will prepare the witness table \nfor the second panel.\n    Okay, with that, let me go ahead and introduce the next \npanel and thank you for your patience.\n    First we have Mr. Anish Bhimani; he is the managing \ndirector and chief information risk officer, JPMorgan Chase and \nis chairman of the Financial Services Information Sharing and \nAnalysis Center, also known as the FSISAC, an industry-wide \norganization charged with facilitating information sharing \namong the various members of the financial services sector as \nwell as Government agencies. He has served as chairman since \n2011 and on the board since 2009.\n    Next we have Mr. Gary Hayes; he is the vice president and \nchief information officer at CenterPoint Energy. In this \nposition he oversees the information technology infrastructure \nand systems for the company's electric and gas delivery \nservices, some actually in my district. Mr. Hayes has decades \nof experience in the field of energy infrastructure protection.\n    Thank you for being here today.\n    Last we have Ms. 
Michelle Richardson; she is the \nlegislative counsel with the American Civil Liberties Union \nwhere she focuses on National security and Government \ntransparency issues. Before joining the ACLU, Ms. Richardson \nserved as counsel to the House Judiciary Committee where she \nspecialized in National security and civil rights.\n    We look forward to hearing from all of you. Your full \nstatements will appear in the record, and I would also like to \nnote that Mr. Dean Garfield, CEO of the IT Industry Council was \nalso scheduled to appear but had a scheduling conflict. I ask \nunanimous consent that his statement be entered into the \nrecord.\n    Without objection, so ordered.\n    [The information follows:]\n                 Prepared Statement of Dean C. Garfield\n                             March 13, 2013\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, thank you for the opportunity to testify today. I am Dean \nGarfield, president and CEO of the Information Technology Industry \nCouncil (ITI), and am pleased to testify before the House Committee on \nHomeland Security on the important topic of cybersecurity. ITI \nrepresents global leaders in innovation, from all corners of the \ninformation and communications technology sector, including hardware, \nsoftware, and services.\n    You have asked ITI to speak on the topic of cyber threat \ninformation sharing. Within that context, I would like to focus my \ntestimony today on three areas: (1) The opportunity facing the United \nStates to establish a cybersecurity policy framework that is a model \nfor the rest of the world; (2) the critical role of bidirectional \nindustry-Government information sharing in a robust cybersecurity \npolicy framework; and (3) key considerations regarding how U.S. 
\ncivilian agencies can effectively contribute to effective information \nsharing.\n       our opportunity: the right cybersecurity policy framework\n    I want to begin by stating a fact I think all of us agree on: We \nall are committed to protecting the Nation from cyber threats. The tech \nsector, other industries and stakeholders, Federal and State \ngovernments--we share a common responsibility to work collaboratively \nto provide effective, forward-thinking strategies and solutions that \nsafeguard the American people and the networks and systems upon which \nwe all rely. For us in the tech sector, this responsibility is part of \nour ethos. It is built into every one of our products and services.\n    During the past few years, both Congress and the administration, \nworking with numerous private-sector stakeholders, have sought to \ncreate policies to improve America's cybersecurity posture, \nparticularly critical infrastructure (CI) cybersecurity. We commend the \nefforts our policymakers have devoted to the unique challenge of better \nprotecting America's citizens, critical assets, and infrastructures \nfrom ever-evolving cyber threats.\n    ITI and our member companies have been deeply involved in the \npolicymaking process. Our views are based on a comprehensive set of \ncybersecurity principles for industry and Government we developed to \nbetter inform the public cybersecurity discussion.\\1\\ ITI's six \nprinciples aim to provide a useful and important lens through which any \nefforts to improve cybersecurity should be viewed. 
To be effective, \nefforts to enhance cybersecurity should:\n---------------------------------------------------------------------------\n    \\1\\ http://www.itic.org/dotAsset/191e377f-b458-4e3d-aced-\ne856a9b3aebe.pdf.\n---------------------------------------------------------------------------\n    (1) Leverage public-private partnerships and build upon existing \n        initiatives and resource commitments;\n    (2) Reflect the borderless, interconnected, and global nature of \n        today's cyber environment;\n    (3) Be able to adapt rapidly to emerging threats, technologies, and \n        business models;\n    (4) Be based on effective risk management;\n    (5) Focus on raising public awareness; and\n    (6) More directly focus on bad actors and their threats.\n    We were pleased the cybersecurity bills passed by the House last \nyear--on cybersecurity R&D, cybercrime, education and awareness, \ninformation sharing, and others--embodied these principles. We \nunderstand many of the ideas Members of Congress are contemplating this \nyear will enable these approaches. We are also appreciative that the \nPresident's recent Executive Order adopts these same principles. \nOverall, the United States appears to be embracing a cyber environment \nthat encourages efficiency, innovation, and economic prosperity while \npromoting security, business and individual privacy, and civil \nliberties.\n    The United States is, however, not the only country grappling with \nhow to develop the right cybersecurity framework. Governments around \nthe world are also wrestling with important questions of how to protect \ntheir citizens and businesses in the face of ever-evolving cyber \nthreats. Unfortunately, the approaches some other governments are \ntaking do not always put innovation and collaboration first. Some \ngovernments are enacting inflexible, heavy-handed cybersecurity-related \nlaws and policies that are rooted in top-down regulation and technology \nmandates. 
Most worryingly, these mandates are country-specific and thus \nat odds with global best practices. Such approaches rarely provide \nbetter security and in many cases may weaken security and disrupt \nglobal commerce and innovation.\n    Thus, the U.S. approach is important for an additional reason. We \ncan and must set a good example for the rest of the world about the \nright way to approach cybersecurity policy. And as we execute on our \napproach, it will be important that we in both Government and industry \ncollaborate with our peers around the world to tackle our shared \nchallenge. Cyberspace is a global and interconnected domain that spans \ngeographic borders and National jurisdictions. Top-down approaches \nbeing pursued in other nations undermine the greater global \ncollaboration that is needed to respond to threats. The U.S. Government \nmust proactively seek dialogues with our trading partners about how to \nachieve the requisite levels of security needed to meet National \nsecurity concerns while preserving interoperability, openness, and \neconomic development.\n   the role of bi-directional industry-government information sharing\n    Mr. Chairman, Mr. Ranking Member, effective sharing of actionable \ninformation among and between the public and private sectors on cyber \nthreats, and incidents is an essential component of improving \ncybersecurity. To be as nimble and flexible as many cyber intruders \nare, we need an improved information-sharing system that operates in \nreal time, ensures protection of personal data, and is bi-directional--\nfrom the private sector to Government, and from Government to the \nprivate sector. Of course, effective information sharing itself is not \nthe goal. What matters is the action relevant stakeholders take with \nthat shared information to manage and mitigate cyber risk. 
But we know \nfrom experience that, once effectively informed of the specific threats \nthey face, organizations take appropriate and reasonable measures to \nmitigate them.\n    Although many public and private-sector entities participate in \ninformation-sharing activities, there is broad agreement that gaps \nexist. ITI has worked closely with policymakers over the past few \nyears, providing ideas and possible solutions for what types of \nimprovements could and should be made. Overall, our recommendations \nfall into four general areas.\n    First, we should improve upon existing information-sharing \norganizations rather than create new structures. We need to better \nleverage our current organizations and evolve them into more effective \npartnerships for true sharing. Dozens of organizations and structures \nplay important roles facilitating cybersecurity information sharing \namong private entities and between the private and public sectors. Some \nkey examples include the Information Sharing and Analysis Centers \n(ISACs), the U.S. Computer Emergency Readiness Team (US-CERT), and the \nNational Cybersecurity and Communications Integration Center (NCCIC). \nThese and other organizations represent nearly all sectors of the \neconomy as well as Federal, State, and local governments.\n    Second, we must improve the flow of actionable information from \nGovernment to industry. Government has unique insight into certain \ntypes of threats or hazards. When provided with this insight, the \nprivate sector's ability to assess risks, make prudent security \ninvestments, and develop appropriate resiliency strategies is greatly \nenhanced. The Executive Order intends to improve the Government's \nsharing of actionable information with the private sector on specific, \ntargeted cyber threats and technical indicators that flag risks \ngenerally. 
We hope these changes are executed quickly, but we also \nbelieve that more needs to be done legislatively to build on the \nExecutive Order.\n    Third, we must address liability concerns that impede information \nflows. Private entities holding information about cybersecurity risks \noften decline to voluntarily disclose it, or delay disclosure, for fear \nof lawsuits or regulatory actions. There is a need for limited safe \nharbors in these cases, and this is a key role for Congress. We look \nforward to also working with you to pass legislation in this regard.\n    Finally, privacy must be protected while information sharing is \nincreased. We believe effective cybersecurity should strengthen \npersonal privacy. For that reason, a policy framework must ensure that \ninformation that companies might share with the Government and each \nother for cybersecurity purposes should only be used for those \npurposes. This will protect civil liberties and at the same time give \ncompanies confidence that what they share will not be used for \nunrelated, unintended purposes.\n          the way forward: the role of u.s. civilian agencies\n    As we work to improve Government-industry information sharing, ITI \nunderstands policymakers are thinking about how the U.S. Government can \nbetter coordinate and execute its roles and responsibilities vis-a-vis \nthe private sector in this area. Civilian agency leadership in this \nregard is critically important. ITI believes that whatever agency has \nprincipal responsibility for cybersecurity information sharing \ncoordination should follow three key tenets. First, the lead agency \nneeds to build on existing Government resources so as not to create new \nredundancies and confusion. Second, those tasked with this job must \nhave the technical proficiencies to be able to provide rapid, real-\ntime, situational awareness. 
Finally, the lead agency must ensure \nGovernment-wide respect for the legitimate data security, privacy, and \ncivil liberties concerns I alluded to earlier.\n                               conclusion\n    Mr. Chairman, Mr. Ranking Member, ITI and our member companies are \npleased you are continuing to consider how we can improve information \nsharing for the purposes of cybersecurity. We stand ready to provide \nyou any additional input and assistance. In addition to this testimony, \nwe are submitting for the record two ITI papers that provide more \ndetailed recommendations on how information sharing can be improved.\\2\\ \nThank you.\n---------------------------------------------------------------------------\n    \\2\\ ITI Recommendation: Steps to Facilitate More Effective \nInformation Sharing to Improve Cybersecurity (October 2011), and ITI \nRecommendation: Addressing Liability Concerns Impeding More Effective \nCybersecurity Information Sharing (January 2012).\n\n    The Chairman now recognizes Mr. Bhimani for 5 minutes for \nhis opening statement.\n\n  STATEMENT OF ANISH B. BHIMANI, CHAIRMAN, FINANCIAL SERVICES \n            INFORMATION SHARING AND ANALYSIS CENTER\n\n    Mr. Bhimani. Thank you, Mr. Chairman.\n    Chairman McCaul, Ranking Member Thompson, Members of the \ncommittee, my name is Anish Bhimani and I am appearing today as \nthe chairman of the Financial Services Information Sharing and \nAnalysis Center, FSISAC.\n    The FSISAC was established in 1999 in response to \nPresidential Decision Directive 63. It is a nonprofit \norganization funded entirely by its member firms and sponsors. 
\nIts membership is comprised of over 4,400 financial and banking \ninstitutions, large and small, and it serves as a primary \nindustry forum for collaboration on the critical cybersecurity \nthreats facing the financial sector.\n    Despite the competitive nature of our industry, members of \nthe FSISAC recognize that the threat from cyber attacks affects \nall of us, and that defending the Nation's critical infrastructure \nis not a competitive issue.\n    To effectively combat this threat, we must come together as \na sector and leverage the full capabilities of our collective \nmembership. Above all, the key to the success of the FSISAC is \ntrust amongst its members. Trust is not something that can be \nmandated nor easily earned.\n    Indeed, over the past 14 years, FSISAC members have worked \ntirelessly to engender trust amongst each other and promote the \nflow of threat information across the sector. These efforts \nhave paid off significantly.\n    In January of this year, members of the FSISAC shared over \n92,000 pieces of threat intelligence and approximately 400 \nevents across the sector.\n    Equally critical is a strong partnership and close \ncollaboration with Government agencies. One example of this \npartnership is the successful effort to obtain over 250 secret-\nlevel clearances and several top-secret SCI clearances for key \nfinancial services personnel. 
These clearances have enabled \nFSISAC members to receive briefings on new security threats and \nimplement defenses to combat these threats.\n    We would like to see this process updated and expanded to \nprovide more clearances to the private sector and make it \neasier for this information to be shared more broadly and \nquickly with our members.\n    Another good example of partnership is the work of the \nNational Cybersecurity and Communications Integration Center, \nNCCIC at DHS, which we heard about earlier.\n    Since June 2011, FSISAC representatives cleared at the top-\nsecret SCI level have attended NCCIC daily briefs and other \nmeetings to share information on threats and potential impacts \nto the sector. Our presence on the NCCIC floor has greatly \nenhanced the sector's awareness of and ability to respond to \ncontinuously evolving threats against the industry.\n    In 2011, a pilot program known as the Government \nInformation Sharing Framework, or GISF, was launched with the \nDefense Department. Under the program, an initial 16 financial \nservices firms were granted access to advanced analysis on \ncyber threats. The GISF provided an invaluable service to the \nsector, enabling participants to receive actionable and timely \ninformation that allowed them to search for similar activity in \ntheir own environments. 
Unfortunately, the Department of \nDefense terminated the pilot program in December 2011 due to \nfunding limitations.\n    The FSISAC strongly supports not only restarting the GISF \nprogram or a program like it, but also expanding its reach \nacross the entire financial services sector.\n    In addition to our DHS partnerships, we also benefit \ntremendously from having a strong sector-specific agency. \nSpecifically, the Treasury's Office of Critical Infrastructure \nProtection plays an invaluable role to the sector, serving as a \nconduit between our members and the various agencies that play \na role in critical infrastructure protection. We believe that \ngiven its knowledge of the industry, as well as its \nrelationship with various agencies, Treasury is uniquely \nqualified to serve in that role.\n    Finally, I would like to point out that it is impossible to \ndiscuss information sharing without also considering what \nspecific information we need to share in order to most \neffectively protect our infrastructure.\n    Although much of the current debate around information \nsharing has focused on the very important goal of protecting \nprivacy, we believe that much could be accomplished without \never sharing any personal information. The most valuable \ninformation we could gain, such as technical details of cyber \nattacks, analysis of incident attack patterns, techniques and \ntrends, and contextual information about threat actor groups and \ncampaigns, tends to be extremely technical in nature and doesn't \nnecessarily need to include any personal information nor reveal \nthe organization affected.\n    Whatever information we receive, the most important thing \nis that it be actionable and timely. Cyber threats are coming \nat us faster than ever before and are growing increasingly \ncomplex. As a result, receiving stale and outdated information \nis of very little value. 
In fact, it is a drain on resources \nand a waste of valuable time.\n    We are strong advocates of a framework where our respective \nagencies and companies can deliver relevant information very \nquickly at network speed with information flowing in both \ndirections.\n    In closing, please accept my thanks on behalf of the FSISAC \nfor the opportunity to address the committee on this critical \nissue. The ability to share information across the sector as \nwell as with our partners in Government and law enforcement, while \nstill protecting privacy and civil liberties, is core to our \nindustry and our Nation's response to the growing threat.\n    I look forward to any questions the committee may have.\n    [The prepared statement of Mr. Bhimani follows:]\n                 Prepared Statement of Anish B. Bhimani\n                             March 13, 2013\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, my name is Anish Bhimani, and I am the chief information \nrisk officer of JPMorgan Chase & Co. I am appearing today as the chair \nof the Financial Services Information Sharing and Analysis Center (FS-\nISAC). I thank you for the opportunity to address the committee on the \nimportant topic of roles and responsibilities of the Government and \nprivate sector in the critical area of cybersecurity.\n    I would like to address a few points today: First, an overview of \nthe FS-ISAC, its charter, purpose, and membership; lessons learned with \nregard to information sharing; perspectives on the FS-ISAC membership's \ninteraction with Government agencies; and finally, recommendations \naround information sharing and cybersecurity governance.\n                           fs-isac background\n    The FS-ISAC was established in 1999 in response to Presidential \nDecision Directive 63. 
This directive, later updated by Homeland \nSecurity Presidential Directive 7, required public and private-sector \norganizations to share information about cyber threats and \nvulnerabilities, with the goal of helping protect the Nation's critical \ninfrastructure. The FS-ISAC is a nonprofit organization funded entirely \nby its member firms and sponsors. Its membership is comprised of \nthousands of financial and banking institutions, large and small, and \nits mission is straightforward--to provide the primary industry forum \nfor collaboration on the critical cybersecurity threats facing the \nfinancial services sector. From 12 founding members at its inception, \nthe FS-ISAC has grown to over 4,400 organizations, including commercial \nbanks and credit unions of all sizes, brokerage firms, insurance \ncompanies, exchanges and clearing houses, payments processors, and over \n30 trade associations, representing the majority of the U.S. financial \nservices sector.\n    The overall objective of the FS-ISAC is to provide the financial \nservices sector with the information it needs to defend against cyber \nthreats and risk. It acts as a trusted third party that allows members \nto share threat, vulnerability, and incident information in a timely, \ntrusted, and, if desired, anonymous manner. 
FS-ISAC information-sharing \nservices and activities include:\n  <bullet> Delivery of timely, relevant, and actionable alerts from \n        various sources distributed through the FS-ISAC Security \n        Operations Center (SOC);\n  <bullet> Trusted mechanisms to facilitate member sharing of threat, \n        vulnerability, and incident information, in either an \n        attributed or non-attributed manner;\n  <bullet> Sector-specific groups and subcommittees that provide forums \n        for members in a given part of the sector, e.g., the Payment \n        Processors Information Sharing Council (PPISC), Insurance Risk \n        Council, Payments Risk Council, Community Institutions Council, \n        and the Clearing House and Exchange Forum (CHEF);\n  <bullet> Bi-weekly threat information sharing calls for members and \n        invited security/risk experts to discuss the latest threats, \n        vulnerabilities, and incidents affecting the sector;\n  <bullet> Engagement with private-security companies to identify \n        threat information of relevance to the membership and the \n        sector;\n  <bullet> Development of risk mitigation best practices, threat \n        viewpoints and toolkits, as well as member-driven research \n        regarding best practices at member organizations;\n  <bullet> Subject Matter Expert committees, including the Threat \n        Intelligence and Business Resilience Committees, which provide \n        in-depth analysis of risks to the sector, and provide \n        technical, business, and operational impact assessments, as \n        well as strategies to mitigate risk; and\n  <bullet> Participation in sector, cross-sector, and National \n        exercises and drills, such as the Cyber Attacks Against Payment \n        Processes (CAPP), National Level Exercise 2012, and the Cyber \n        Storm series.\n    Despite the competitive nature of our industry, members of the FS-\nISAC recognize that the threat from cyber 
attacks affects all of us, \nand that defending the Nation's critical infrastructure is not a \ncompetitive issue. We all recognize that to effectively combat this \nthreat, we must come together as a sector and leverage the full \ncapabilities of our collective membership. We also know that we must \ntrust one another. Trust, simply put, is the key to the success of the \nFS-ISAC, and any information-sharing model.\n    Trust is not something that can be mandated, nor easily earned. \nIndeed, over the past 14 years, FS-ISAC members have worked tirelessly \nto engender trust amongst each other and are using all of the \ncapabilities listed above to promote the flow of threat information \nacross the sector. As an example, the FS-ISAC has built a model for \nsharing information in an authenticated, but anonymous, manner for \nthose organizations that wish to take advantage of it. In addition, we \nhave instituted a ``traffic light'' protocol, indicating levels of \ninformation sensitivity and how information may be disseminated to the \nmembership, partners, and other organizations. These mechanisms have \neffectively and efficiently enabled the amount of information shared \namong FS-ISAC members to grow from a mere trickle a few years ago, to a \nveritable (but manageable) flood today. In January 2013, members shared \nover 92,000 pieces of threat intelligence and approximately 400 events \nacross the sector.\n                      u.s. government interaction\n    Equally critical as industry collaboration is our partnership with \nGovernment agencies. We could not protect ourselves against cyber \nattacks without extremely close collaboration, partnership, and most \nimportantly, information sharing, with a number of Government \nagencies--most notably, the U.S. Department of Treasury and the \nDepartment of Homeland Security, but also the Federal Reserve, Office \nof the Comptroller of the Currency, United States Secret Service, U.S. 
\nCyber Command, Federal Bureau of Investigation, National Security \nAgency, Central Intelligence Agency, and State and local governments. \nAdditionally, the FS-ISAC is a member of, and partner to, the Financial \nServices Sector Coordinating Council (FSSCC) for Homeland Security and \nCritical Infrastructure Protection, established under HSPD7, and works \nextremely closely with the Financial and Banking Information \nInfrastructure Committee (FBIIC), under the auspices of the President's \nWorking Group on Financial Markets. These organizations and \nrelationships are part of the financial sector's long history of \npublic-private partnership with various Government agencies in the area \nof cybersecurity.\n    One example of this partnership is the successful effort by the \nDepartment of Treasury, Homeland Security, FBI, U.S. Secret Service, \nand other partners to obtain over 250 secret-level clearances and \nseveral TS/SCI clearances for key financial services sector personnel. \nThese clearances have enabled FS-ISAC members to receive briefings on \nnew security threats and have provided useful information to the sector \nto implement effective controls and defenses to combat these threats. \nWe know that this process is not always easy, and that sponsoring \nprivate-sector clearances has, historically, been difficult. But in our \nview, given how much cyber information is classified, it is absolutely \nessential that private-sector representatives have access to this \ninformation. The FS-ISAC would like to see this process updated and \nexpanded to provide more clearances to the private sector, and make it \neasier for this information to be shared more broadly and quickly with \nour members.\n    Another good example of partnership is the work of the National \nCybersecurity & Communications Integration Center (NCCIC) at DHS. In \nJune 2011, the FS-ISAC became the fourth private-sector organization to \nplace staff on the floor at the NCCIC. 
Specifically, FS-ISAC \nrepresentatives, cleared at the Top Secret/SCI level, attend NCCIC \ndaily briefs and other meetings to share information on threats, \nvulnerabilities, incidents, and potential impacts to the sector. These \nindividuals interact on a daily basis with the NCCIC, routinely submit \nand respond to requests for information, collaborate on analyses and \nwork with the NCCIC staff to determine what information from the NCCIC \nwould be of use to our members, and what can be shared with whom. Over \nthe past 18 months in particular, our presence on the NCCIC floor has \ngreatly enhanced situational awareness and information sharing between \nthe sector and the Government, as well as across other critical \ninfrastructure sectors that participate on the floor. More recently, \nthe FS-ISAC has embedded a full-time staff person on the NCCIC floor in \naddition to the part-time resources that were deployed last year.\n    One of the high points in the public-private partnership with the \nsector occurred in 2011 when a pilot program, known as the Government \nInformation Sharing Framework (GISF) was launched with the Defense \nDepartment. Under the program, an initial 16 financial services firms \n(with a plan to expand participation later) were granted access to \nadvanced threat information, as well as to classified analysis on \nthreat actors and mitigation techniques. The GISF provided an \ninvaluable service to the sector, enabling the pilot participants to \nreceive actionable, timely, and contextual information that allowed \nthem to search for similar threat activity in their own environments. \nIt also allowed private-sector participants to adjust their assessments \nof cyber espionage threats using intelligence that had previously been \nunavailable. 
The program jump-started new efforts across the industry \nand helped reshape the sector's approach to assessing cyber espionage \nrisks.\n    Unfortunately, the Department of Defense terminated the pilot \nprogram in December 2011 due to funding limitations. The GISF was a \nsignificant leap forward in the public-private partnership, and \nrepresented a critical line of defense in mitigating the growing cyber \nthreat. The loss of that information feed has already been felt, as \nnumerous financial institutions have experienced activity from actors \nfirst identified through GISF reporting and intelligence. The FS-ISAC \nstrongly supports not only restarting the GISF program, but also \nexpanding its reach across the financial services sector. We urge \nCongress and the Department of Defense to resolve any outstanding \nfunding or authorization issues and reinstate this crucial program.\n    As you can see, the financial services sector, and the FS-ISAC in \nparticular, work in collaboration with a wide range of Government \nagencies--probably more than anyone would imagine. At the same time, we \nbenefit from having a strong sector-specific agency--the Treasury \nDepartment--that allows us to navigate the various Government agencies \ninvolved in cybersecurity.\n    Specifically, the Treasury's Office of Critical Infrastructure \nProtection plays an invaluable role to the sector, serving as a conduit \nbetween our members and the various Government agencies that play a \nrole in critical infrastructure protection. We believe that, given its \nknowledge of the financial services industry, as well as its \nrelationship with various intelligence agencies, Treasury is uniquely \nqualified to serve in that role. 
Regardless of which organization is \ninvolved, however, the key is that we receive timely, actionable data \nfrom the appropriate source, whoever that is, so that we can take the \nappropriate action.\n            creating a useful information sharing framework\n    There are two critical elements to creating a useful information-\nsharing framework: Determining what information should be shared, and \ndeveloping robust processes for sharing timely information.\n    In thinking through this problem, it is impossible to construct an \neffective information-sharing framework without also considering what \nspecific information we need to share to most effectively protect our \ninfrastructure. Although much of the current debate around information \nsharing has focused on the important goal of protecting personal \ninformation, we believe that much could be accomplished without ever \nsharing personally identifiable information. With that in mind, here \nare a few examples of information we at FS-ISAC believe would be most \nhelpful to share:\n  <bullet> Technical details of cyber attacks as seen on networks, in \n        IT systems, or by victims, including IP addresses of attackers \n        and their networks;\n  <bullet> Analytic content of incidents, attack patterns, and trends \n        without revealing the organization affected;\n  <bullet> Analysis of technical details to determine the techniques, \n        tools, and procedures that adversaries are using to target \n        victim organizations;\n  <bullet> Contextual information about threat actor groups and \n        campaigns;\n  <bullet> Information about the motivation, objectives, and \n        capabilities of these groups or campaigns.\n    In addition to those most critical data elements we think must be \nshared, we also believe that critical infrastructure owners and \noperators would benefit from having a much stronger framework around \nhow we share.\n    The cybersecurity threats the financial 
industry faces are coming \nat us faster than ever before, and are growing increasingly complex. As \na result, receiving stale and outdated information is of very little \nvalue in protecting our infrastructure--in fact, it is a drain on \nresources, and a waste of valuable time. We are strong advocates of a \nframework where our respective agencies and companies can deliver \nrelevant information very quickly, at network speed, with that \ninformation flowing in both directions.\n    Why is that important? Today, we in the private sector face attacks \nthat were once directed only against major Government institutions. \nGovernment agencies may have established strategies and tactics to deal \nwith those attacks that would be valuable to those of us facing similar \nthreats. Likewise, the financial sector has collectively established \nstrategies and tactics that may be of use to Government agencies. \nSharing these strategies and tools to deal with advanced threats \ncomprehensively and quickly would do a great deal to help us all fight \nadvanced attackers.\n                               conclusion\n    In closing, please accept my thanks on behalf of the FS-ISAC for \nthe opportunity to address the committee on this critical issue. The \nrisks associated with cyber attacks and threats are real, and of \nparamount importance to the financial industry as a whole. The ability \nto share information across the sector, as well as with our partners in \nGovernment and law enforcement, while still protecting privacy and \ncivil liberties, is core to our industry and our Nation's response to \nthe growing threat.\n    I look forward to any questions the committee may have.\n\n    Chairman McCaul. Thank you, Mr. Bhimani.\n    The Chairman now recognizes Mr. Hayes for his testimony.\n\n    STATEMENT OF GARY W. HAYES, CHIEF INFORMATION OFFICER, \n                       CENTERPOINT ENERGY\n\n    Mr. Hayes. 
Thank you, Chairman McCaul, Ranking Member \nThompson, and Members of the committee. My name is Gary Hayes; \nI am the chief information officer for CenterPoint Energy, and \nI thank you for inviting me to testify and share my experiences \nand perspectives on cybersecurity and our Nation's critical \ninfrastructure.\n    A few quick points about CenterPoint Energy: we are \nheadquartered in Houston, Texas. We have electric transmission \nand distribution, natural gas distribution, and interstate \npipeline. We serve over 5 million metered customers, primarily \nin Arkansas, Louisiana, Minnesota, Mississippi, Oklahoma, and \nTexas.\n    In other words, we are the owner/operators of multiple \ncritical infrastructure systems. We take cybersecurity \nseriously.\n    As identified in our enterprise risk management program, it is \none of the highest corporate risks. We have been in the cyber \nbusiness for well over 10 years. The issue is the game has \nchanged. The volume, voracity, and variety presented by \nextremely sophisticated and organized bad actors whose intent \nis to steal information or impact operations continues to \nexponentially evolve.\n    The question is: How do we work together to meet these \ndynamic and ever-changing and evolving threats?\n    I strive to keep my team focused by reminding them we need \nexcellent solutions quickly, not perfect solutions eventually. \nWe have to keep that same thought in mind.\n    Some key takeaways that I would like for us to talk about. \nFirst, we need shared goals and collaboration. Excellent \nsolutions for collaboration, information sharing, and \ntechnology sharing. It is very clear we need each other in this \ncyber war: situational awareness, information, tools, and \ntechniques to be proactive and not reactive.\n    We must have a peer-to-peer partnership built on those \nshared goals, objectives, and trust to achieve these results.\n    The good news is there are some examples of this today. 
Our \nindustry's collective cybersecurity work with the DHS, DOE, \nTSA, and NIAC provides a foundation, but we need more.\n    Second, we need a pragmatic cyber framework. A framework \nmust be based on the principles of risk and agility, a \nframework that provides value. It must provide learning, \nstrategies, objectives, techniques, and tools that can be \naligned with that risk.\n    Another challenge is there are energy providers serving from \nhundreds of customers to millions of customers. So our solution \nhas to be scalable. A one-size-fits-all will be ineffective and \ncostly.\n    Finally, we must have incident readiness. The reality is \nadvanced persistent threat actors are not going away and the \nrisk of cyber incidents remains. Increased situational awareness \ncoupled with joint response and recovery plans has to be \nincorporated into everyone's current operating procedures.\n    As I mentioned before, the effort in the electric sector \nwith NIAC is an excellent example of an emerging Government and \nindustry effort to address resiliency and incident response.\n    In closing, I grew up in Oklahoma, right in the heart of \nTornado Alley. Any time a large thunderstorm rolled across the \nplains, my mom had us in the cellar. My dad stood at the top of \nthe stairs looking at the sky, trying to see if a funnel cloud \nwas forming. Sometimes we were there for hours.\n    Now flash forward a few decades: today we have tremendous \nsituational awareness; meteorology based on advances in \ntechnology tells us when the funnel is forming. How strong is \nthe tornado? What is the path and the time that it is going to \nreach our location? Couple this with education of the public, \nimprovements in construction techniques, and emergency response \nplans, and we dramatically changed tornado safety.\n    Looking back, I realize my parents were being responsive to \nthe best information they had. 
The risk of not acting was too \ngreat.\n    Today, I feel I am standing at the top of the cellar stairs \nlooking to the skies and watching for that cyber tornado. We \nhave protection in place but constant vigilance is our mission \nin this cyber storm. In summary, we must join in shared goals, \npeer-to-peer collaboration to be proactive and to be prepared.\n    Chairman McCaul, Ranking Member Thompson, and Members of \nthe committee, we appreciate the opportunity to share our \nperspectives and stand ready to assist you in your efforts as \nyou move forward to protect our critical infrastructure.\n    [The prepared statement of Mr. Hayes follows:]\n                  Prepared Statement of Gary W. Hayes\n                             March 13, 2013\n                                overview\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, my name is Gary Hayes and I am the chief information officer \nfor CenterPoint Energy. Thank you for inviting me to testify on my \nexperiences and perspectives on protecting critical infrastructure from \ncyber attacks.\n    CenterPoint Energy, Inc. (``CenterPoint Energy''), headquartered in \nHouston, Texas, is a domestic energy delivery company that includes \nelectric transmission and distribution, natural gas local distribution, \nnatural gas gathering and processing, interstate pipelines, and \ncompetitive natural gas sales and services. It has assets totaling more \nthan $21 billion. Our company has approximately 8,800 employees and \nserves more than 5 million metered customers primarily in Arkansas, \nLouisiana, Minnesota, Mississippi, Oklahoma, and Texas.\n    As the CIO of CenterPoint Energy I am accountable for our \ncybersecurity programs and have direct responsibility for our corporate \nbusiness systems' cybersecurity. 
Because of the diverse segments of the \nenergy infrastructure in which CenterPoint Energy's companies \nparticipate, I coordinate, collaborate, and communicate with our \noperational technology functions to define policies, procedures, \npractices and programs in our efforts to provide cybersecurity. I have \na highly dedicated, educated, and capable team executing \nresponsibilities in this effort.\n    I also have the responsibility to represent and coordinate \nrepresentation of our company in industry and Government efforts \nfocused on cybersecurity.\n    We focus heavily on participation in relevant industry groups. I \nparticipate on the American Gas Association (``AGA'') and Edison \nElectric Institute (``EEI'') Cyber Task Groups and I coordinate with \nDavid Jewell, senior vice president, Commercial Operations, \nOptimization and Gas System, who represents CenterPoint Energy on the \nCyber Task Group for the Interstate Natural Gas Association of America \n(``INGAA''). We also participate in numerous governmental, private, and \nindustry-related efforts focused on cybersecurity.\n    Our cybersecurity technologies operate across three areas: \nInterstate pipelines, local gas distribution utilities, and an electric \nutility. For cybersecurity purposes, our interstate natural gas \ntransmission pipelines are under the jurisdiction of the Transportation \nSecurity Administration (``TSA''). Our local gas distribution companies \noperate under the same jurisdiction but, for cybersecurity purposes, \nhave no single regulator because some of the Federal authority has been \ndelegated to the States. And, finally, CenterPoint Energy's electric \nutility in Houston operates under the jurisdiction of the Federal \nEnergy Regulatory Commission (``FERC'') for compliance with North \nAmerican Electric Corporation reliability standards. 
We also work \nvoluntarily with a multitude of other groups including the Federal \nBureau of Investigation, Industrial Control Systems Cyber Emergency \nResponse Team (ICS-CERT) and the Department of Energy (DOE) and, of \ncourse, Department of Homeland Security (DHS).\n    My goal today is to share CenterPoint Energy's perspective with \nregards to cybersecurity challenges, activities, and opportunities. \nThat perspective is this: Cyber threats are evolving and require \ncollaboration, information sharing with the Government, and continued \ncollaboration with the industry to effectively protect the Nation's \ncritical infrastructure. Our goal is to focus our resources on facing \nthe cyber threat.\n    This perspective is shaped by our experiences and participation in \nindustry groups as well as our collaboration with several Governmental \nagencies including the DOE, DHS, and the TSA. Furthermore, our \nrelationship with members of our supply chain, our suppliers and \nvendors, is critical. From these experiences, we have determined that \nwe need the ability to respond in a quick and agile manner, as well as \ncontinuously improve our capabilities to respond. Collaboration is the \nkey.\n    As a critical energy transporter and distributor to the Nation, we \nknow that we have responsibilities to the public, our customers, and \nour shareholders. We have prioritized our cybersecurity efforts in \nparallel with our corporate philosophy:\n    (1) Public Safety\n    (2) Energy Delivery\n    (3) Customer Service\n    I hope this document provides a helpful ``participant's view and \nperspective'' as we work together to protect our company and our \nNation's critical infrastructure.\n                cybersecurity efforts and collaboration\n    CenterPoint Energy has a long history of safe and reliable energy \ndelivery to our customers. Our team members take pride in getting up \nevery morning with this mission top of mind. 
To this point, we take
protection of the public, our control systems, customer and employee
information, critical infrastructure information, and intellectual
property very seriously. Cybersecurity has been incorporated into our
processes, procedures, and operations through various mechanisms over
time. But, we do recognize that the current cyber environment has
escalated beyond historical expectations and our efforts must and will
continue to evolve in order to meet these dynamic and ever-evolving
threats.
    We have evolved from a strategy of ``perimeter defense'' (e.g.,
keep the bad actors out) to a strategy of ``depth-in-defense''
(in recognition that technology system perimeters were susceptible to
compromise, depth-in-defense provides increased reliance on detection
and response mechanisms to address threats within the protection
perimeter). We have established objectives, techniques, talent, and
tools to assist us in our current efforts. We have also focused on
educating our workforce, as they represent the first line of defense.
However, we recognize our cybersecurity capabilities must continue to
evolve. This recognition comes from education and collaboration with
industry and Government. Our objectives are to mature and enhance our
strategy and move to an ``agile defense''.\1\ In particular, we will
enhance our focus on the people, processes, and technologies that can
be managed, monitored, tested, measured, and continuously improved.
---------------------------------------------------------------------------
    \1\ An enhanced comprehensive security strategy referred to by NIST
as ``agile defense''. Agile defense combines traditional perimeter,
depth-in-defense, and depth-in-breadth, which is a planned, systematic
set of multidisciplinary activities that seek to identify, manage, and
reduce risk of exploitable vulnerabilities at every stage of the life
cycle.
Life cycle is the network that includes product design and
development; manufacturing; packaging; assembly; system integration;
distribution; operations; maintenance; and retirement.
---------------------------------------------------------------------------
    As an important part of the energy delivery value chain, we are
also enhancing resiliency, which is our ability to respond quickly to
attacks and to maintain critical services. As we have learned through
our participation in many of the cyber discussions, ``bad actors will
get in''. It is not a matter of ``if'' but a matter of ``when.''
Therefore, we continue to evolve our capability to respond and operate
in a compromised state.
    Identifying and coordinating with the right stakeholders is vital
to that evolution.
    First, we believe that participation with industry coalitions is
critical. Our collaboration with fellow energy sector members allows us
to continually learn and incorporate leading practices, provide mutual
assistance and educate stakeholders and policy makers about real risks
and possible solutions. We encourage and assist in collaboration
between AGA, EEI, INGAA, and key policymakers.
    Second, collaboration between the public and private sector is a
vital part of cyber protection. Deployment of the SmartGrid in Houston
presented us with the opportunity to work with DOE, DHS, and other
Federal agencies in order to successfully deliver advanced metering
capabilities. Throughout the process, we collaborated with Government
stakeholders to incorporate customer protection and cybersecurity into
our design and operations.
This could not have been achieved without
information sharing, a focus on quality and integrity, strong risk
management, and joint objectives--all of these achieved through
collaboration.
    Those partnerships are also critical for our intelligent grid
project and we look forward to continuing those relationships.
    Other examples illustrating the success of public-private
partnerships are the joint industry and Governmental initiatives that
developed the electric sector cybersecurity Capability Maturity Model,
guidelines for the natural gas pipeline sectors' Pipeline Security
Guidelines and many more activities that have benefited CenterPoint
Energy and our industry. These collaborative efforts focused on
targeted objectives and provided tangible programs, information, tools,
techniques, and knowledge to help us enhance our efforts in this war
against cyber threats. We encourage Congress to promote continued focus
on private and public partnerships for the protection of our National
security.
    And, finally, cybersecurity collaboration must take into account
the entire life cycle and supply chain. Therefore, we must recognize
the essential participation of our vendors and suppliers in this
effort. They have worked with us to provide products and solutions to
meet the demands of this challenge. Our joint goals and efforts focus
on design, testing, and improvement of products to understand quality,
integrity, risks, threats, mitigations, and management of these
solutions in our operating environment.
                 cybersecurity participant observations
    There is a set of common themes that we see emerging from our
cybersecurity efforts and dialogues:
    Shared Goals.--Identifying and merging the focus and priorities of
the stakeholders is a key to success.
    Risk-Based Approach.--A risk-based approach is fundamental to our
efforts. Goals should be prioritized and articulated clearly.
Solutions
should be focused and yet flexible. A ``one-size-fits-all'' approach
won't work for unique problems. There are utility service providers
serving hundreds of customers and others serving millions of customers;
therefore, the risk profile will influence the objectives, techniques,
and tools to effectively manage cybersecurity.
    Information Sharing and Situational Awareness.--We desire a defined
collaborative process to share information in a quick, secure, and
non-prejudicial fashion. That process should educate us in ways that we
can be proactive and not reactive. Throughout many conferences,
meetings, calls, and other interactions, we continue to hear that the
ICS-CERT serves as a strong template for developing a working model of
collaboration. ``Boots-on-the-ground'' security team members find this
of great value in their efforts in the cyber war. We believe this is an
example of information sharing that provides actionable information,
support to our industry, and brings value to public-private
partnership.
    Leveraging Tools and Techniques.--Although we, and many others,
employ market-leading technologies and information solutions, we
believe our effort would be greatly enhanced by leveraging cyber
technologies and solutions utilized by Governmental organizations and
fellow industry members. We recognize there are many obstacles, but
today's cybersecurity challenges require us to remove these obstacles
and provide a repeatable and supportable path to facilitate results.
Each day of delay is another day of opportunity for advanced persistent
threat actors.
    Security Clearance.--Expanded security and expedited clearance for
appropriate personnel within the private sector and expedited
communication of critical information is critical to the ability of
owners and operators to be proactive and responsive to emerging
threats.
We were pleased to see such a provision in the President's
Executive Order on cybersecurity.
    Cybersecurity Regime.--A cybersecurity framework must prioritize
the principle that agility is the key to responding to cyber threats.
An overly burdensome and prescriptive regulatory regime will be
increasingly challenged to keep pace with evolving cyber threats. A
beneficial framework not only defines capabilities, but provides
learning, methodologies, objectives, and techniques (tools and
measures) to achieve the required results. In conjunction with
risk-based analysis, that type of framework can be leveraged by all
participants to mitigate threats.
    Incident Management.--The reality is advanced persistent threat
actors are not going away and the risk of a cyber incident will remain
top of mind for the foreseeable future. Increased situational awareness
coupled with response and recovery plans will be incorporated into
existing emergency operating procedures.
    A leading effort on incident management comes under the auspices of
the National Infrastructure Advisory Council (NIAC) report; several
electric utility CEOs are engaged in an on-going partnership with the
White House National Security Staff and senior officials throughout the
Government, including Department of Energy Deputy Secretary Daniel
Poneman and Department of Homeland Security Deputy Secretary Jane Holl
Lute. This collaboration has resulted in several Government-industry
initiatives, one of which is to identify roles and responsibilities
that will expedite response and recovery should a major power
disruption occur.
    Collaboration.--All of these themes require partnerships with
industry and Government. Collaboration is essential to our combined
mission of protecting the public, customers, employees, critical
infrastructure, intellectual property, and National security.
Notable
examples demonstrating the strength of collaboration between public and
private sectors include the Industrial Control Systems Joint Work Group
(ICS-JWG) and the TSA-sponsored public-private partnership which
supports the National Infrastructure Protection Plan (NIPP).
    To illustrate further, I offer the case of our interstate gas
transmission pipelines where the cyber collaboration with the Federal
Government began through our work with INGAA and AGA. After the
September 11 attacks, and before the TSA or the DHS were created, we
voluntarily collaborated through INGAA and AGA with the then-Research
and Special Programs Administration within the Department of
Transportation (DOT) to develop the initial Pipeline Security
Information Circular. This collaborative approach to developing and
implementing security measures continues to this day in our
collaboration with the TSA. Since that time, gas pipeline owners and
operators have worked with TSA to safeguard and protect our
infrastructure's security--both from physical and cyber attacks. As a
result of years of work and collaboration between owners and operators
and the TSA we have a strong, trust-based collaboration--a
public-private partnership. This approach, and the relationship it
fostered, produced robust, thorough cyber guideline development for
natural gas transmission pipelines even before the ``911 Act'' became
law.\2\
---------------------------------------------------------------------------
    \2\ Implementing Recommendations of the 9/11 Commission Act.
---------------------------------------------------------------------------
    TSA is using a voluntary partnership approach because it works. TSA
and the private sector partner in order to leverage the collective
expertise and experience of the Government and private industry in
finding practical solutions to cybersecurity.
This approach and the
relationship it has fostered have produced robust cybersecurity
guidelines and best practices for natural gas transmission pipelines.
    The TSA approach builds on what has been proven through experience:
Public-private partnerships for cybersecurity generate solutions. A
Congressional Research Service August 2012 report, ``Pipeline Cyber
Security: Federal Policy,'' stated that ``TSA officials assert that
security regulations could be counter-productive because they could
establish a general standard below the level of security already in
place at many pipeline companies based on their company-specific
security assessments.'' Moreover, the report notes that ``[b]ecause TSA
believes the most critical U.S. pipeline systems generally meet or
exceed industry security guidance, the agency believes it achieves
better security with voluntary guidelines, and maintains a more
cooperative and collaborative relationship with its industry partners
as well.''
    We believe that the key to effective cybersecurity is the trust
developed in partnerships like the one with TSA. The dynamic solutions
that are born of the public and private sector coming together are not
possible when the Government is only acting as a regulator and
enforcer. The cybersecurity world moves too quickly for such
traditional regulatory models to be beneficial or productive.
                               conclusion
    We take seriously the responsibility of protecting our customers,
employees, assets, and communities in which we operate, and thus
cybersecurity is a top priority for CenterPoint Energy. We also
recognize the importance of critical infrastructure to our National
security.
Because cyber threats are constantly changing and evolving,
we support voluntary programs that encourage partnership,
collaboration, sharing of information and technology, and the
preparedness necessary to mitigate and respond to the ever-changing
nature of cyber attacks. We will not succeed in this effort alone. The
strengthening and expansion of industry and Government partnerships
provides our best front in this cyber war.
    Chairman McCaul, Ranking Member Thompson, and Members of the
committee, we appreciate the opportunity to share our perspectives and
stand ready to assist you in your efforts to protect our critical
infrastructure.

    Chairman McCaul. Thank you, Mr. Hayes. I appreciate your
analogy. It is well taken.
    The Chairman now recognizes Ms. Richardson for her
testimony.

STATEMENT OF MICHELLE RICHARDSON, LEGISLATIVE COUNSEL, AMERICAN
                     CIVIL LIBERTIES UNION

    Ms. Richardson. Chairman McCaul, Ranking Member Thompson,
thank you for the opportunity to testify today on the
Department of Homeland Security's role in cybersecurity.
    This hearing is very timely. DHS is currently running major
cybersecurity programs in order to secure critical
infrastructure and Congress will likely vote on legislation
further defining its role in the coming months.
    One of the most important decisions Congress will make is
whether domestic cybersecurity programs will remain in the
hands of civilian agencies, like DHS, or be ceded to the
military. Under long-standing American legal requirements and
policy traditions, the military is restricted from targeting
Americans on American soil.
    Yet some are now arguing that cybersecurity should be the
exception and the National Security Agency should be empowered
to collect more information about internet users in order to
respond to on-line threats.
Doing so would create a significant
new threat to Americans' privacy and must be avoided.
    The NSA has developed extraordinary powers and has been
granted incredible legal leeway, all under the premise that its
spying would be turned outward against foreign enemies. Setting
it free to collect American information for cybersecurity would
be unprecedented.
    This warning seems dire but that is because the
consequences are dire. If domestic cybersecurity programs are
ceded to the NSA, this committee, rank-and-file Members of
Congress and the American public will never hear of it again.
Keeping cybersecurity within DHS and within the jurisdiction of
this committee would enhance privacy and accountability in very
concrete ways.
    In addition to being a bad deal for privacy, placing new
programs outside of DHS isn't even necessary from a security
perspective. The highest ranks of the intelligence community
agree that DHS should retain authority over civilian cyber
programs.
    NSA Director Alexander has stated that his agency should
not be the public face of domestic cybersecurity and that DHS
should be the entity to deal directly with civilians, the
private sector, and the domestic internet.
    The Obama administration continues to empower DHS and other
civilian agencies to pursue cybersecurity for critical
infrastructure in the public. The other panelists discussed in
their statements the many different existing programs and
information sharing hubs that are working successfully through
DHS and other agencies.
    Its involvement in this area is only going to grow in light
of the recent Executive Order. For example, the much-touted
Defense Industrial Base Pilot Program, now known as the
Enhanced Cybersecurity Program, will be expanded to all
critical infrastructure and run by DHS.
That program will
organize and facilitate the flow of information from the
Government to critical infrastructure.
    Also under the Executive Order, DHS will conduct the first
inter-agency privacy analysis of cyber information sharing. As
noted by the other panelists, there are dozens of
information-sharing bodies within and outside of the Government,
all sharing different data pursuant to different statutes. No
one has ever reviewed those programs for their effect on privacy.
    The President endorsed the Fair Information Privacy
Principles and that heartens us, and we look forward to DHS's
public report, due back next year. This committee could help
bring pressure to bear on the agencies in its jurisdiction to
ensure that they conduct a full and meaningful privacy analysis
as part of that product.
    Since civilian control is decidedly better for privacy,
works from a security perspective, and is already being
implemented through current programs, it is disappointing that
a legislative proposal that would fundamentally alter this
balance is being considered.
    The Cyber Intelligence Sharing and Protection Act, known as
CISPA, would create a cybersecurity exception to all privacy
laws, so that companies can share Americans' internet data with
each other and with the Government, even in the absence of a
warrant, subpoena, or emergency, and share that information
directly with military agencies like the NSA.
    In its veto threat, the administration argued this bill,
``effectively treats domestic cybersecurity as an intelligence
activity and thus significantly departs from long-standing
efforts to treat the internet and cyber space as civilian
spheres.''
    We hope the House will refer that bill to this committee or
that you will otherwise consider taking up legislation of your
own.
    Thank you for this opportunity to testify.
We look forward
to working with this committee going forward on DHS's role in
cybersecurity.
    [The prepared statement of Ms. Richardson follows:]
               Prepared Statement of Michelle Richardson
                             March 6, 2013
    Good morning Chairman McCaul, Ranking Member Thompson, and Members
of the committee. Thank you for the opportunity to testify on behalf of
the American Civil Liberties Union (ACLU), its more than half-a-million
members, countless additional activists and supporters, and 53
affiliates Nation-wide, about the role of the Department of Homeland
Security (DHS) in protecting the cybersecurity of critical
infrastructure.
    The topic of today's hearing is very timely. DHS is currently the
lead agency running major cyber programs on behalf of the Government
and critical infrastructure, but Congress is considering establishing a
new information-sharing regime that could collect cyber information
notwithstanding any of the privacy laws currently protecting Americans'
sensitive and personal data, and some proposals are unfortunately
questioning the role of DHS. Most Americans would agree that the
enhancement of on-line security is a worthy and appropriate goal for
those vested with the responsibility for safeguarding the interests of
all Americans. Protecting the right to internet privacy--a right with
roots in our Constitutional principles opposing unreasonable search and
seizure and assuring limited Government--is as critical a goal as
enhancing on-line security, and DHS is the agency best positioned to
handle such new authority in an effective and accountable manner.
We
look forward to working with this committee to ensure that these new
cyber programs remain under civilian, rather than military control, and
that Congress conducts extensive oversight of all DHS programs to
ensure protection of privacy rights.
    Cybersecurity programs can and must be run in accordance with the
Constitution and American values.\1\ The internet is an incredibly
useful and empowering tool that enhances public knowledge, broadens the
reach of our free speech rights, and eases and facilitates daily
business and personal activities. As a result, internet data is rich in
intimate details of our private and professional lives, such as where
we go, with whom we associate, what we read, our religious faith,
political leanings, financial status, mental and physical health, and
more. Protecting privacy is necessary for the public to feel confident
in continuing to engage with new and developing technology; any
cybersecurity initiatives should make protecting that privacy a
paramount goal.
---------------------------------------------------------------------------
    \1\ The American Civil Liberties Union's letters to Congress,
comments to Federal agencies, blogs, and other cybersecurity materials
may be found at http://www.aclu.org/cybersecurity.
---------------------------------------------------------------------------
    Many existing and proposed cyber efforts do not threaten the
privacy or civil liberties of everyday internet users, and we urge
this Congress and the administration to pursue those programs and to
avoid alternative proposals that risk creating major new and
unnecessary surveillance programs.
Appropriate programs for
Congressional or administrative action include those to secure
Government and military networks, educate the public on hygiene issues,
prosecute internet-based financial crimes, invest in research and
development, secure the supply chain of hardware, and share targeted
threat information with critical infrastructure.
  i. the importance of keeping domestic cybersecurity programs within
                           civilian agencies
    Under long-standing American legal requirements and policy
traditions, the military is restricted from targeting Americans on
American soil. Instead, domestic intelligence and law enforcement
activities are run by civilian authorities. Some are now arguing that
cybersecurity should be the exception, and that military agencies like
the National Security Agency (NSA) should be empowered to collect more
information about everyday American internet users in order to respond
to on-line threats. Doing so would create a significant new threat to
Americans' privacy, and must be avoided.
    To date, the military vs. civilian debate has been skewed by the
intense focus on cybersecurity threats posed by hostile foreign
governments, or international terrorists, and the comparative
inattention to threats unrelated to National security. While advanced
persistent threats from foreign actors are real and require a
multifaceted response from the Government, it does not follow that all
cybersecurity incidents impacting domestic internet users should merit
a military response. Even by intelligence community estimates, those
dangers represent a small portion of the threats that affect American
internet users. Malware, financial crimes, and other threats that do
not rise to the level of international incidents make up the
overwhelming majority of malicious conduct on the internet.
The
conflation of foreign spying and potential sabotage, with corporate
espionage, everyday internet crime, political statements, and
essentially prank behavior has inflated every internet malfeasance into
a potential National disaster. This hyperbole is simply not factually
accurate, and only serves to encourage policy decisions with serious
privacy and civil liberties implications.\2\
---------------------------------------------------------------------------
    \2\ See, for example, Howard Schmidt, Price of Inaction Will Be
Onerous, NYT, Oct. 18, 2012, available at http://www.nytimes.com/
roomfordebate/2012/10/17/should-industry-face-more-cybersecurity-
mandates/price-of-inaction-on-cybersecurity-will-be-the-greatest.
---------------------------------------------------------------------------
    Placing cyber programs under the jurisdiction of domestic civilian
agencies like DHS has real and far more positive consequences for
transparency and accountability. DHS's lead competition for cyber
programs--the NSA--is a black hole of information. Programs housed
there, like in the rest of the intelligence community, are not subject
to any meaningful public oversight. The NSA's activities appear to be
presumptively classified, and whatever oversight takes place is
cabined in the Intelligence Committees, which conduct most of their
business behind closed doors.
    One only need look to intelligence wiretapping for an example of
the dangers posed if Congress hands control over domestic cybersecurity
to the NSA. In 1978, Congress established the Foreign Intelligence
Surveillance Act (FISA) to govern foreign intelligence electronic
surveillance. Federal judges meeting in a secret court issued opinions
interpreting Americans' Constitutional rights and developed a secret
body of law that the American public has not been allowed to read.
The
extreme secrecy around such intelligence programs helped conceal a
program of illegal and warrantless wiretapping for over 6 years.
Congress eventually amended the FISA to permit this warrantless
surveillance to continue, but included a sunset provision that was
scheduled to expire at the end of last year. Congress reauthorized it
without having a single open hearing with administration witnesses to
explain how this expansive authority affects Americans' privacy. While
some claim this evolution of expanded wiretapping as a success of the
intelligence oversight process, it reflects the limits and consequences
of housing these programs behind the intelligence wall.\3\
---------------------------------------------------------------------------
    \3\ The Supreme Court recently ruled in Amnesty v. Clapper that
ACLU clients lacked standing to challenge the FISA Amendments Act of
2008, because they could not prove that surveillance of their
communications under the act was ``certainly impending,'' all but
foreclosing meaningful judicial review of that statute's
constitutionality.
---------------------------------------------------------------------------
    If cybersecurity--with a set of programs dominated by non-military
and non-National security concerns--is ceded to the NSA, this
committee, rank-and-file Members of Congress, and the American public
will never hear of it again. Keeping cybersecurity within DHS and other
civilian agencies, and within the jurisdiction of this committee would
enhance, not harm, both security and privacy.
    ii. the current role of the department of homeland security in
                             cybersecurity
    Developments over the last several years have rightly steered
domestic programs into the DHS or other civilian agencies.
In 2010, the
Secretary of DHS and the director of the National Security Agency (NSA)
signed an agreement that put DHS in charge of cybersecurity in the
United States, with the NSA providing support and expertise.\4\ The
President's recent Executive Order 13636 continues this approach,
putting DHS and the National Institute of Standards and Technology atop
the domestic cyber hierarchy, with consultation from the Attorney
General, the Privacy and Civil Liberties Oversight Board, and the
Office of Management and Budget.\5\ These major structural and policy
commitments add to long-standing DHS programs that share information
with companies and infrastructure operators, educate the public, and
secure Government systems.
---------------------------------------------------------------------------
    \4\ MEMORANDUM OF AGREEMENT BETWEEN THE DEPARTMENT OF HOMELAND
SECURITY AND THE DEPARTMENT OF DEFENSE REGARDING CYBERSECURITY,
September 27, 2010, available at http://www.dhs.gov/xlibrary/assets/
20101013-dod-dhs-cyber-moa.pdf.
    \5\ Executive Order 13636, Improving Critical Infrastructure
Cybersecurity, 78 Fed. Reg. 11739, February 12, 2013 [hereinafter
Executive Order].
---------------------------------------------------------------------------
    DHS's role in the collection, use, and dissemination of
cybersecurity information has substantially grown over the last several
years. With the recent Executive Order, its participation will expand
again, especially in two areas. First, DHS will run the Enhanced
Cybersecurity Services program and facilitate the sharing of threat
indicators with critical infrastructure owners and operators.\6\
Information sharing in this direction--from Government to private
sector--has far fewer privacy implications than the reverse.
It does,
however, cement DHS's role in information sharing, and publicly
available Privacy Impact Assessments suggest that the agency is
imposing meaningful privacy protections for the personally
identifiable information (PII) coming into its possession. For example,
PII is not maintained in a system of records, and therefore is not
searchable by name or other identifiers, and information is not
retained unless it is ``directly relevant and necessary'' to address a
cyber threat.\7\
---------------------------------------------------------------------------
    \6\ Id. at 4(c).
    \7\ PRIVACY IMPACT ASSESSMENT FOR ENHANCED CYBERSECURITY SERVICES,
January 16, 2013, available at http://www.dhs.gov/sites/default/files/
publications/privacy/privacy_pia_nppd_ecs_jan2013.pdf, at 7.
---------------------------------------------------------------------------
    Second, DHS will coordinate a review of current information sharing
programs to determine whether they meet the ideas in the Fair
Information Practice Principles (FIPPs).\8\ Currently, there is little
publicly available information about what agencies are currently doing
with cybersecurity information and this annual report will be the first
overarching review of these programs.
---------------------------------------------------------------------------
    \8\ Executive Order at (5).
---------------------------------------------------------------------------
  iii. emerging domestic information-sharing programs must be run by
                     civilian agencies such as dhs
    Congress is considering a significant expansion of the Government's
authority to collect cybersecurity information, and if the expansion
moves forward, it is critical for civil liberties that they be run by
civilian agencies such as DHS. H.R. 624, the Cyber Intelligence Sharing
and Protection Act (CISPA), would exempt cybersecurity information
sharing from all privacy laws and reverse decades of statutory
protections for sensitive information like our communication,
financial, and internet information. It would permit corporations to
determine what information pertains to cybersecurity and allow them to
share it with the Government--including military agencies like the
NSA--and other corporations without making a reasonable effort to
shield or scrub out personally identifiable information that is
unnecessary to address the threat at hand. Companies would then be free
to use Americans' sensitive private information as they see fit, and
the Government could use it for certain reasons other than
cybersecurity. When one of those reasons--National security--is wholly
undefined, we are especially concerned that the military and
intelligence agencies accessing that information would consider
themselves to have free rein over such private records, under ever
expanding arguments of what National security includes. These and other
fundamental problems are why the ACLU continues to oppose CISPA.
    One of the biggest problems with CISPA is that it does not require
companies that participate in this new information sharing regime to
work with civilian agencies, and instead allows them to share sensitive
and personal information directly with the NSA and other military
agencies. The bill's sponsors claim that American corporations insist
on dealing with the NSA and may withhold this information from the
Government altogether if directed to go elsewhere. This assertion does
not stand up, especially considering that the companies in question are
not part of the defense sector, and primarily offer services to the
public and the private sector.
Companies that actually have defense \ninformation are already permitted to participate in a NSA-run \ninformation regime, and other potentially targeted sectors can continue \nto work with the agencies that have long regulated them.\n    CISPA insists on giving the companies the authority to share \ndomestic, civilian internet information directly with the NSA even \nthough it neither wants nor needs it. NSA Director General Keith \nAlexander has stated that his agency should not be the public face of \ncybersecurity and does not need to directly receive domestic cyber \ninformation.\\9\\ In fact, the House Intelligence bill is an outlier. The \nadministration's Statement of Administration Policy on CISPA in the \n112th Congress, said that the bill:\n---------------------------------------------------------------------------\n    \\9\\ Jennifer Martinez, General: Nation Needs DHS Involved in \nCybersecurity, THE HILL, Oct. 21, 2012, available at http://\nthehill.com/blogs/hillicon-valley/technology/259547-general-nation-\nneeds-dhs-involved-in-cybersecurity-, (``I see DHS as the entry point \nfor working with industry,'' [General Keith] Alexander said at an \nevent hosted by the Wilson Center and National Public Radio . . . \nAlexander stressed that protecting the Nation's critical infrastructure \nrequires a team effort from the Government, including the involvement \nof DHS. ``Where I sit, it's our job to help them be successful. I think \nthey're taking the right steps and it's the right thing to do,'' \nAlexander said. ``Our nation needs them to be in the middle of \nthis.''); Kim Zetter, DHS, Not NSA Should Lead Cybersecurity, Pentagon \nOfficial Says, WIRED, Mar. 1, 2012, available at http://www.wired.com/\nthreatlevel/2012/03/rsa-security-panel/ (`` `Obviously, there are \namazing resources at NSA, a lot of magic that goes on there,' said Eric \nRosenbach, deputy assistant secretary of Defense for Cyber Policy in \nthe Department of Defense. 
`But it's almost certainly not the right \napproach for the United States of America to have a foreign \nintelligence focus on domestic networks, doing something that \nthroughout history has been a domestic function.' Rosenbach, who was \nspeaking at the RSA Security conference in San Francisco, was adamant \nthat the DHS, a civilian agency, should take the lead for domestic \ncybersecurity, with the FBI taking a strong role as the country's \ndomestic law enforcement agency.'').\n\n`` . . . effectively treats domestic cybersecurity as an intelligence \nactivity and thus, significantly departs from long-standing efforts to \ntreat the internet and cyberspace as civilian spheres. The \nadministration believes that a civilian agency--the Department of \nHomeland Security--must have a central role in domestic cybersecurity, \nincluding for conducting and overseeing the exchange of cybersecurity \ninformation with the private sector and with sector-specific Federal \nagencies.''\\10\\\n---------------------------------------------------------------------------\n    \\10\\ OFFICE OF MANAGEMENT AND BUDGET, EXECUTIVE OFFICE OF THE \nPRESIDENT, STATEMENT OF ADMINISTRATION POLICY, H.R. 3523, CYBER \nINTELLIGENCE SHARING AND PROTECTION ACT, April 25, 2012, available at \nhttp://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/\nsaphr3523r_20120425.pdf.\n\n    The Senate's most recent information-sharing legislation, Title VII \nof the Cybersecurity Act of 2012, also made clear that cybersecurity \ninformation should only go to a civilian agency.\\11\\ While a handful of \namendments to CISPA passed on the House floor last year, none of them \naddressed this point. 
Members of the Intelligence and Homeland Security \nCommittees filed amendments that would have required new domestic \ninformation sharing to be routed through civilian agencies, but they \nwere not made in order and did not receive a vote.\\12\\ The \nadministration, the Senate, and the privacy community are in agreement \nthat civilian control of these programs is not only good for civil \nliberties, but workable from a cyber and National security standpoint. \nCISPA stands alone in failing to follow this common wisdom.\n---------------------------------------------------------------------------\n    \\11\\ S. 3414, The Cybersecurity Act of 2012, 112th Cong. (2012).\n    \\12\\ CISPA amendments filed with the House Rules Committee \nare available at http://rules.house.gov/Legislation/\nlegislationDetails.aspx?NewsID=812. Amendment 19 by House Permanent \nSelect Committee on Intelligence Member Representative Jan Schakowsky \n(D-IL) and amendment 21 by House Homeland Security Committee Ranking \nMember Bennie Thompson (D-MS) would have ensured that new sharing under \nCISPA would have gone to civilian agencies and DHS respectively.\n---------------------------------------------------------------------------\n     iv. further areas for committee oversight of dhs cybersecurity\n    Because of the House's imminent efforts to expand information \nsharing and the importance of keeping those programs in civilian hands, \nthis statement has focused on that proposal and how it fails from a \ncivil liberties and privacy perspective. But we also urge this \ncommittee to undertake oversight activities of existing cybersecurity \nprograms. In particular, we urge the committee to review the \nimplementation of the EINSTEIN program, which works with providers to \nscan Government systems for known cyber threats. 
The last Privacy \nImpact Assessment on EINSTEIN was written in 2010 and there is little \npublic information about the broader application of the program and the \neffectiveness of privacy requirements. The committee should also make \nsure that agencies are participating meaningfully in the FIPPs review \ndiscussed above so that DHS can do an overarching analysis of whether \nprivacy is protected in current programs.\n                             v. conclusion\n    Thank you for the opportunity to share our views on cybersecurity \nand the role of DHS. The administration is giving DHS increasing \nresponsibilities in this area and we hope that if information \ncollection programs expand, they too are housed in DHS. We look forward \nto working with you on this and other civil liberties issues in the \nfuture.\n\n    Chairman McCaul. Thank you, Ms. Richardson. This committee \nis, again, committed to taking up legislation. I think you \nraised some valid points and concerns in terms of a civilian \nversus military space.\n    Let me start with Mr. Bhimani. Your sector has been perhaps \none of the most successful stories in terms of working with DHS \nand protecting your critical infrastructure. Yet, has been \nunder attack, as you know, by countries like Iran and others \nquite extensively.\n    Could you share with this committee your experiences with \nyour sector's participation with the NCCIC and how that has \nworked for your industry?\n    Mr. Bhimani. Yes. Thanks very much for that recognition. I \nthink our Members obviously think that we should very seriously \ndevote thousands of people towards this problem. 
But \nindividually, you can only go so far.\n    So with all the challenges that maybe have been facing this \nsector, I shudder to think what it would have been like if we \nhadn't been sharing with each other and hadn't had that \npartnership with both Treasury and DHS.\n    I think our presence on the NCCIC floor has really sped \nthat partnership significantly, being able to get information \nboth from the NCCIC as well as from our members to the NCCIC.\n    Chairman McCaul. Would you recommend--would it be your \nrecommendation--well, first of all, it has been successful for \nyou, your relationship with DHS and the NCCIC, is that correct?\n    Mr. Bhimani. Yes, it has. I think there are always ways to \nimprove any sort of partnership, but it is--if I compare it \nwith the relationship we had with various agencies years ago, \nit is light-years ahead.\n    Chairman McCaul. Would you recommend in getting full \nparticipation from the 16 ISACs out there to participate on the \nNCCIC floor? Would that be helpful?\n    Mr. Bhimani. Yes. The same way I said that I think that we \nas a sector recognize that us individually really have \nresponsibility for the whole sector, if you look at all those \nsectors, there is a tremendous amount of dependency from one \nsector onto another. We have as much dependency on the \nelectricity sector, the telecom sector, as we do on each other, \nright.\n    So I do think that there is a certain--and with as much \nprogress as we made within the sectors, not just financial, but \notherwise, sharing with each other, I do think doing that would \nsignificantly enhance cross-sector sharing, yes.\n    Chairman McCaul. I think that is going to be one of the \ngoals of this committee, is to get full participation from the \nprivate sector.\n    Mr. Hayes, you obviously represent the energy side of the \nhouse. Obviously, the Mandiant report out there talks about \nChina targeting our energy sector. 
Can you tell us about your \nexperience with DHS and the NCCIC and why that would be \nvaluable to codify that relationship into law?\n    Mr. Hayes. Sir, we have had a good relationship with DHS, \nprimarily around the ICS-CERT. When I go to meetings within the \nindustry group and talk to the boots-on-the-ground security \npeople, it is probably one of the security organizations that \nthey reference the most in terms of the benefit it brings to \nthem.\n    In terms of the NCCIC, we are learning about that. We want \nto understand that capability around situational awareness. As \nI mentioned, it is better to see the storm coming, to deal with \nit than have to react to it after the fact.\n    So those are the things that our industry is working with. \nWe are working also with NIAC through both DOE, NSA, DHS, and \nseveral others, to look at a response plan for our industry as \nwe move forward.\n    Chairman McCaul. Well, that is good because we always talk \nabout the electric grid and how shutting that down would \npotentially cause more damage than Sandy or other hurricanes, \nif done effectively.\n    Ms. Richardson, I wanted you to expand, as you correctly \nnoted, that General Alexander, the director of NSA, sees DHS \nhaving an important role with cybersecurity, particularly, as \nhe put it, being a civilian interface to the private sector. \nCan you explain to this committee why that civilian interface \nis so important?\n    Ms. Richardson. Sure. A lot of the press around \ncybersecurity has really focused on foreign actors and attacks \nat a very high level on our defense information, corporate \nespionage.\n    But overwhelmingly, the cybersecurity programs that affect \neveryday Americans are about everyday cyber crime, insecure \nnetworks, things like that. Those do not merit a military \nresponse. 
They should be handled by civilian agencies and the \ncapability has certainly been built up there.\n    We can certainly look over the last decade that, as the \nGovernment has expanded its intelligence authorities, once you \ngo behind that intelligence curtain, there isn't oversight and \nthere isn't accountability and it operates in almost complete \nsecrecy, with even Members of the intelligence committees \nsaying that they don't have basic information on how these \nprograms are run.\n    We don't see that happening nearly as much in programs that \nare run under DHS and are presumptively public.\n    Chairman McCaul. So do you believe that civilian \nauthorities over, say, the dot-com and the critical \ninfrastructures, as has been put forth by both President Bush \nand Obama, is the better route to go?\n    Ms. Richardson. Absolutely. That doesn't necessarily \ndetract from the NSA and Defense working in its own sphere. \nThey have their own authorities and they will continue to build \nthem out.\n    However, as we turn to the public internet that everyday \nAmericans are using, it absolutely has to be controlled by \ncivilian agencies like DHS.\n    Chairman McCaul. We are trying--I was looking at that \nbubble chart earlier, just trying to figure out the roles \nbetween the--I believe they all have roles and there is plenty \nwork for everybody. I think it is clearly defining these roles \nbetween the three agencies that is highly important. We need to \nget this right before we pass legislation.\n    On the issue of privacy, Chairman Meehan and I are looking \nfor ways to ensure that privacy is protected under the \nConstitution. We have looked at the Executive Order language as \na possible starting point.\n    I know that your group, the ACLU, for the most part has \nbeen supportive of the language, in terms of the adoption of \nthe Fair Information Practice Principles for internal \ninformation sharing. Is that a fair statement?\n    Ms. Richardson. 
Yes. We were very happy to see the \nExecutive Order embrace the FIPPs. They represent principles \nlike transparency, accountability, minimization, control over \nyour own information. Those should be the bedrock going forward \nfor information-sharing programs.\n    Chairman McCaul. Okay. Well, thank you very much. That is \nall I have for now. I now yield to the Ranking Member.\n    Mr. Thompson. Thank you very much, Mr. Chairman. I am most \nappreciative of having other people talk about cyber, other \nthan just in a classified setting or some other kind of setting \nwhere we can't talk about it.\n    Well, that kind of puts a muzzle on Members of Congress \nfrom going forward and trying to do the right thing, because it \nis presented to us in a manner where we can't talk about it.\n    So for this hearing, it has allowed us to hear from not \njust DHS, but also people who either do it everyday or people \nwho review policy everyday. What I would like to do for each \none of our witnesses is to say we are not trying to reinvent \nthe wheel. Most private sector businesses' best practice says \nwe have to have a secure network as best we can.\n    We are not trying to create a bureaucracy on top of that, \nso no ``you have to do it this way because the Government says \nto do it this way.''\n    Now that being said, do I hear from the private sector that \nit is important for a civilian coordinating role to be part of \nthis cybersecurity policy?\n    Mr. Hayes, we can start with you and we will go from there.\n    Mr. Hayes. Yes, I believe it is very important to have that \nclear role. I think there was the discussion earlier with Ms. \nLute about the FEMA. We utilize the FEMA ICS formats in our \nstructure, so clear command in incident situations are \nimportant.\n    It is also equally important as we work with our \npartnership and organizations across our industries and our \nagencies, that it is clear in how we are dealing with that. 
\nWhat information can be shared, what information can be shared \nopenly, fairly, quickly, responsibly? Those are things that are \nvery, extremely important to us, because those are the things \nwe react to.\n    As my other speaker talked about, actionable items, how do \nwe get to actionable items? That is what we do on a daily \nbasis. So without the clarity of roles and responsibilities \nacross those organizations, then we are providing multiple \nperspectives. Just to give you an idea, as we track the number \nof entities, and that could be Governmental or industry or \nwhatever, we are well over 70 different groups that are \nfocusing on cybersecurity. So as a single company, you can't \nsupport 70 types of activities. You have got to focus on the \nones that are providing the value, creating the value, \nproviding the information that you can respond to and actually \nbenefit both your company and the customers that you serve.\n    Mr. Thompson. Mr. Bhimani.\n    Mr. Bhimani. I do believe it is important to have a \ncivilian agency involved. What I would say, just echoing Mr. \nHayes's comments, is it is often difficult for those of us in \nthe private sector to navigate the various agencies and \ndepartments involved in cybersecurity.\n    We have benefited tremendously in the financial industry \nfrom having the Treasury Department and their critical \ninfrastructure protection office do that for us. So I strongly \nbelieve that there be a single organization to be that conduit. 
\nI think, the call-out of sector-specific agencies in the \nPresidential directive, I think is a step towards that.\n    I think, as I mentioned before, our partnerships with DHS \nhave been very strong, both with the NCCIC as well as with the \nIntelligence and Analysis Directorate.\n    What I would say is what we care most about is that we are \nable to receive actionable, timely information from whoever has \nit, and not necessarily be limited to those agencies we can \nspeak with as dictated by what we need.\n    Mr. Thompson. Ms. Richardson, I would say on top of that, \nhow would the need for transparency and oversight impact \nperhaps what we have heard from these other two witnesses?\n    Ms. Richardson. Well, I think often transparency, \noversight, privacy are conceptualized as opposite to timely \nsharing and agility that is needed in this area. That is not \nnecessarily the case.\n    There are ways to conduct information sharing that \nabsolutely builds in all of the privacy principles that are so \nimportant to protect this very sensitive data. So it is very \npossible to do a very targeted information-sharing program that \nclearly defines what can be shared, who can receive it, and \nwhat can be done with it.\n    The answers to those questions are just technical data, \nstripped of the personal information, with civilian agencies \nwho can then use it just for cybersecurity purposes. The devil \nwill be in the details, but there is nothing inconsistent with \nproviding these guys with what they need and doing it in a way \nthat protects privacy.\n    Mr. Thompson. Thank you. I yield back, Mr. Chairman.\n    Chairman McCaul. Thank you.\n    The Chairman now recognizes the Chairman of the \nCybersecurity, Infrastructure Protection, and Security \nTechnologies Subcommittee, Mr. Meehan.\n    Mr. Meehan. Thank you, Mr. 
Chairman.\n    Thank you for this very distinguished panel taking the time \nnot only to be before us today but for the work that you are \ndoing out there in the private sector, in all matters of it.\n    Because as we have identified in numerous aspects of \ntoday's hearing, this is a true public-private partnership and \nin more ways than perhaps in any other in Government, because \nwe are tied together so significantly. I look forward to \nworking with you, each of you, as we move forward.\n    Mr. Bhimani, let me ask you a question because I think you \ntouched on something that is important in my understanding. It \nis as much to educate those who are out there, taking very \nseriously the important points that have been made by Ms. \nRichardson and the recognition that you and I think the banking \nindustry have for the security of private information and other \nkinds of things, a long history of being able to do that.\n    You spoke a little bit in your testimony about what may be \nnecessary for you, and I think there are two points that I want \nyou to speak to. It is necessary so it is real and actionable. \nBut you also don't want to be getting a lot of information that \nas you, in your words, if it is stale it is a waste of time.\n    We also appreciate that a lot of times we are talking about \nfractions of seconds within which the speed of this game is \nmoving before somebody can be violated.\n    So can you speak to a little bit more about what the nature \nof that information that you are looking for, how it can be \nactionable but yet at the same time not necessarily be \nidentifiable in a way that would create concerns for people who \nmight be the subjects of some of that?\n    Mr. Bhimani. Sure, I would be happy to.\n    Let's go back to when we think about any sort of an attack, \nwhat do we care most about? 
We care most about the method of \nthe attack, the nature of the attack and, frankly, the \nmotivation of the attacker, right?\n    There is a term that we use a lot in cybersecurity, it is \ncalled an indicator of compromise, or an IOC. So sharing those \nindicators of compromise from one firm to another. Hey, we saw \nsome activity from this address. Those sorts of things are very \nuseful from that perspective.\n    One other example might be we----\n    Mr. Meehan. So it may not be--it is not necessarily \ncontent-specific?\n    Mr. Bhimani. No.\n    Mr. Meehan. It is really--could you just talk for a \nsecond--like----\n    Mr. Bhimani. Sure. Sure. So----\n    Mr. Meehan. So what is that information? Is it--or what?\n    Mr. Bhimani. Yes, so it might be--yes, it might be an IP \naddress. It might be a specific vulnerability in a system that \nwas exploited. It might be----\n    Mr. Meehan. Back door, so to speak, or something like that?\n    Mr. Bhimani. I am sorry?\n    Mr. Meehan. A back door, so to speak.\n    Mr. Bhimani. A back door, so to speak, yes.\n    Mr. Meehan. We understand the soft way. This is the way it \nis being exploited.\n    Mr. Bhimani. Exactly. So basically, what is the attack \ntechnique used around that, right? I think that, if I go back \nto something I mentioned before, the GISF, right? One of the \nthings that was most valuable out of that was, look, we can't \ntell you why or where this is, but if you see something coming \nfrom this IP address, be worried. That is something you should \nblock. That is the kind of stuff that we need, right? 
So what \nwe don't need to do is--you know, back to this--a majority of \nwhat we need tends to be machine-level data, right, IP \naddresses, vulnerabilities in software, specific attack \npatterns or things like that, that have nothing to do with an \nindividual's information or an individual's data.\n    In fact, in most cases, those things sit in two different \nsystems within our organizations, right? So even by sharing \none, you are almost physically barred in some cases from \nsharing the other one, because it comes from a completely \ndifferent place.\n    Mr. Meehan. Well, thank you. This is an issue that I want \nto explore. I appreciate the points that have been made by Ms. \nRichardson, as well, and I think we are going to be looking to \nexplore ways in which privacy can be protected, but we can be \nactionable in an appropriate fashion.\n    Just, Mr. Hayes, you represent not just the energy \nindustry, but in my mind, the broad spectrum of kind-of, sort-\nof utilities and otherwise, so it could be water, it could be a \nwhole variety of things. There is also sophistication that has \nbeen identified. Your industry, Mr. Bhimani's industry, are \nreally at the cutting edge of this, but there is a lot of \nthings, municipal water supplies. I mean, they are paid for by \ntaxpayer, rate-payer dollars. They have got systems that are 20 \nand 30 years old. They are not built for the current level of \ncybersecurity.\n    How are we going to be able to include all of the important \npartners in this at the same time, you know, without creating \nor--you know, standards that become check the box or become \nproblems in which we talked about clutter? It almost becomes \ncounterproductive. I am interested in your observations on how \nwe can encourage people to participate and at what point in \ntime the relationship starts to become counterproductive, \nbecause it becomes overly bureaucratic.\n    Mr. Hayes. 
So I think it was hit on earlier about how we \nare integrated together, that all the systems are such that we \ntouch each other and have dependencies. I mentioned earlier \nthat, you know, there are companies--small municipal water \nfacilities, small electric companies, rural electric \ncooperatives who may have one person in their IT department. \nHow does that one person stay up with all of what is happening \nfrom that perspective?\n    It is going to have to look at a risk-based profile. Are \ntheir actions as necessary as perhaps the actions of a large \nutility serving millions of customers? They may be of equal \nconsequence in some ways, but the overall major consequences \nthat could occur may be different. So I think developing the \nskill sets and knowledge to do risk-based analysis helps us \nunderstand how to prioritize and focus those areas where we \nneed to make the best investments.\n    Now, stepping away from that, we participate with \norganizations and industry groups in a variety of all sizes. \nMany of those will come to the seminars or the learning \nsessions, and if we learn, we share those best practices, and \nthose people are willing to go back and incorporate those \nthings into their environments, within their risk profile, \nso I think it goes back to not only info sharing, information \nsharing, like we have talked about, but even within our \nindustry groups, continuing to broaden the bigger footprint of \nthe needs and necessities for information sharing in those \nareas.\n    Mr. Meehan. Well, thank you. Thank you for the work that \nyou do, and look forward to working with you collectively in \nthe time ahead to do what we can in this public-private \npartnership to get it right. Thanks.\n    Thank you, Mr. Chairman. I yield back.\n    Chairman McCaul. I thank you. 
Let me just, in closing, \nsince we don't have any other Members asking questions, if I \ncould just give each of you just a couple minutes to highlight \nthe most important points as you see it and particularly as we \nmove forward with legislation, what you believe to be the most \nimportant pieces to that legislation?\n    We will start with Mr. Bhimani.\n    Mr. Bhimani. I would just echo--reiterate the importance of \nbeing able to get actionable, timely information out to the \nprivate sector from whatever the source, right? I do recognize \na lot of the challenges between the civilian and the \nintelligence agencies, right? But at the end of the day, you \nknow, we need to know what is going on and what is affecting us \nin a way that makes sense, so that is the first thing I would \nsay.\n    The second thing I would say in conjunction with that is, \njust reiterating my earlier point that it can often be very \ndifficult for private-sector entities to navigate the number of \nagencies and the number of departments within agencies that do \nthis, so having a conduit, like in our case Treasury, to serve \nas that point of contact for the industry I think is \ninvaluable.\n    Mr. Meehan. [Off mike.]\n    Mr. Hayes. I think what is necessary is for the clarity of \nroles. I know that was talked about a lot today, and I think \nthat is very beneficial. Anything that considers that helps us \nunderstand how do we interact helps in that process.\n    It has got to be practical and immediate. This is a timely \nissue. The people and what we are dealing with are things that, \nas mentioned, need to be actionable. We need to come back and \nbe able to do things and apply technologies and techniques and \nintelligence against solving this problem.\n    Risk-based, one-size-fits-all is not appropriate. We have \ngot to think about how we can address that small municipal all \nthe way up to the larger utility infrastructures. 
Timely--and \nit is going to be timely in the fact that, how do we move from \nbeing reactive to being proactive to being predictive? How do \nwe get the game where we are understanding that we might see \nthese things coming earlier, often referred to as situational \nawareness? The other one is scalable. So what we need to do is \nit goes to my point. We have got to be able to apply this \nacross the spectrum of our industry so it is effective to all.\n    When we talk about legislation, just simply, it has got to \nbe to where I don't have to go to my legal department or my \nregulatory department to address an issue. So if it creates \nthose constructs--and I don't go and work in those constructs--\nbut if it creates those constructs, it makes information \nsharing difficult, slows the process down. So keep that in mind \nas we move forward.\n    Last, it has got to be peer-to-peer and collaborative. We \nhave talked about that throughout, and I heard that \ntremendously through the session, that is built on the trust \nthat we both are going to react responsively in this effort to \nsolve the problem around cybersecurity.\n    Chairman McCaul. Thank you.\n    Ms. Richardson.\n    Ms. Richardson. Thank you. When we are evaluating \ncybersecurity legislation, we are very happy to report that \nlargely it doesn't affect civil liberties, and there are a lot \nof things that the Government and Congress can be doing that \nare civil liberties-neutral, like building up capacity at DHS \nor education programs, research and development, securing the \nsupply chain, and we really hope the Government will focus on \nthose programs and not the ones that implicate civil liberties.\n    To the extent, though, that the Government does want to \nincrease information sharing and write laws that are going to \ncontravene long-standing privacy statutes, there are a couple \nof things that have to happen. No. 1, those programs have to be \ncivilian-run and by an agency like DHS. 
No. 2, those programs \nhave to minimize the collection of personally identifiable \ninformation. No. 3, those programs have to absolutely tamp down \nthe use of that information once it is collected, so that it is \nnot purposed for things outside of cybersecurity.\n    I think the last thing is just to urge you to take the time \nto get this right. I think we have seen that once the \nGovernment is formally given authority, it is almost impossible \nto get it back. So if Government now overreaches and allows too \nmuch information to be shared, I don't know how fixable it will \nbe, so we hope that Congress makes sure that there is a very \ntargeted, tailored approach going forward.\n    Chairman McCaul. This has been very insightful. I want to \nthank the witnesses for your testimony.\n    Pursuant to Committee Rule 7-E, the record will be held \nopen for 10 days. Members may have additional questions in \nwriting.\n    Without objection now, the committee stands adjourned.\n    [Whereupon, at 12:42 p.m., the committee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n      Questions From Honorable Susan W. Brooks for Jane Holl Lute\n    Question 1. Has the Department released the National Level Exercise \n2012 After-Action Report? If not, when will the Department release the \nreport?\n    Answer. The final National Level Exercise 2012 After-Action Report \nis currently in clearance and FEMA will provide a copy to Congress once \nit is approved. 
However, the NLE 12 Quick Look Report (attached) has \nbeen released and is publicly available.*\n---------------------------------------------------------------------------\n     * The document has been retained in committee files and is \navailable at https://www.llis.dhs.gov/sites/default/files/\nNational%20Level%20Exercise%202012%20Quick%20Look%20Report.pdf.\n---------------------------------------------------------------------------\n    Question 2. Last year FEMA released the National Preparedness \nReport (NPR), which showed that significant gaps still remain in our \nNation's Cybersecurity capability. The NPR reported that the Nation was \nnot even half-way to the desired capability level for cybersecurity. \nWhat should we do to educate and train our Federal, State, local, and \nprivate-sector partners to help build and mature the Nation's \ncybersecurity capability?\n    Answer. Emerging cyber threats require the engagement of the entire \nNation--from Government and law enforcement to the private sector and \nmost importantly, the public. Raising the cyber education and awareness \nof the general public creates a more secure environment in which the \nprivate or financial information of individuals is better protected. \nDHS advocates for a safe and secure cyber environment by conducting \noutreach and awareness efforts to educate and inform the general public \nabout cybersecurity opportunities to enhance their confidence to \nprotect themselves on-line.\n    In 2011, DHS released the Blueprint for a Secure Cyber Future, \nwhich calls for a coordinated effort across the homeland security \ncommunity to protect America's critical information infrastructure and \nbuild a safer and more secure cyber ecosystem. 
Such tools and resources \nthat promote cybersecurity education include the DHS/NSA Centers for \nAcademic Excellence, the CyberCorps Scholarship for Service Program, \nthe Integrated Cybersecurity Education Communities Program, and the \nFederal Virtual Training Environment, which provides on-line access to \ncybersecurity training for State, local, territorial, and Tribal \ngovernments.\n    DHS recognizes that partnership and collaboration are crucial to \nensuring that all Americans take responsibility for their actions on-\nline. To that end, we are continuing to grow the Department's public-\nprivate partnerships through the Stop.Think.Connect.<SUP>TM</SUP> \nCampaign, which is a year-round National public awareness effort \ndesigned to engage Americans and encourage them to join the effort to \npractice and promote safe on-line practices. In addition, National \nCyber Security Awareness Month (NCSAM) is an opportunity to engage \npublic and private-sector stakeholders--as well as the general public--\nto create a safe, secure, and resilient cyber environment.\n    The Department promotes cybersecurity in grades K-12 and higher \neducation. Key programs provide established undergraduate and graduate \nspecializations at designated universities and scholarships in exchange \nfor Federal service after graduation. DHS, in coordination with the \nNational Initiative for Cybersecurity Education, is currently \ninstitutionalizing and delivering tools and resources through the \nNational Initiative for Cybersecurity Careers and Studies (NICCS) \nportal. The NICCS public website is a comprehensive on-line resource \nfor cyber education and training for Federal employees and the general \npublic.\n    DHS is building strong cybersecurity career paths within the \nDepartment and in partnership with other Government agencies. 
To \naccomplish this critical task, we have created a number of competitive \nscholarship, fellowship, and internship programs to attract top talent, \nincluding computer engineers, computer scientists, analysts, and IT \nspecialists. For example, the Homeland Security Advisory Council Task \nForce on Cyber Skills provided recommendations in October 2012 that \nwill help DHS develop the next generation cyber workforce. The \nDepartment has worked to fulfill recommendations that expand the \nNational pipeline of men and women with advanced cybersecurity skills, \nenable DHS to become a preferred employer for the talent produced by \nthat pipeline, and position the Department to help make the United \nStates safer, more secure, and more resilient.\n    Finally, the Multi-State Information Sharing and Analysis Center \n(MS-ISAC) provides managed security services to States and local \ngovernments, education and training services, and resources to non-\nmember SLTT governments on a fee-for-service provision and to the \npublic. The MS-ISAC has since grown to include all 50 States, three \nU.S. territories, the District of Columbia, and more than 200 local \ngovernments.\n    In addition, the National Computer Forensic Institute has trained \nmore than 1,000 State and local law enforcement officers since 2009 to \nconduct network intrusion and electronic crimes investigations and \nforensic functions. Several hundred prosecutors and judges as well as \nrepresentatives from the private sector have also received training on \nthe impact of network intrusion incident response, electronic crimes \ninvestigations, and computer forensics examinations.\n    Question 3. In February, the Emergency Alert System of two \ntelevision stations in Montana was compromised and a fake emergency \nalert message was broadcast warning of a zombie apocalypse occurring \nin several counties. 
While this incident did not cause any harm, my concern is \nthat the American people rely on public information during crisis and \ndisasters to help guide their actions and hacking into the system could \ncause great harm or confusion. What are some measures that can be taken \nto prevent this from occurring again and assure the American people the \ninformation we provide through the emergency alert system is accurate?\n    Answer. A Federal Communications Commission (FCC) investigation \nof the false emergency alert messages identified several standard best \npractices that could have prevented this event. The FCC's review \nrevealed that the broadcasters were using off-the-shelf technology, but \nhad not acted on the manufacturer's recommendation to change the \ndefault password and user ID codes. The default user ID and passwords \nare contained in the manufacturer's on-line manual and are easily \ndiscoverable. In addition, critical portions of the broadcasters' \nnetwork were accessible through the public internet and were not \nisolated by a firewall. The following security best practices, \npublished by the National Association of Broadcasters, would greatly \nreduce the possibility of future similar events:\n    (1) Follow the manufacturer's installation instructions;\n    (2) Change manufacturer passwords immediately upon installation of \n        the purchased equipment;\n    (3) Employ a strong password model (using combinations of letters, \n        numbers, and symbols) that must be changed periodically; and\n    (4) Install firewall software to protect critical internal networks \n        from easy public access.\n    Implementation of these basic security practices would help to \nprevent future abuses. 
Further, the National Protection and Programs \nDirectorate/Office of Cybersecurity and Communications is engaging with \nthe Federal Communications Commission and the Federal Emergency \nManagement Agency to examine system configuration and recommend \nadditional measures for consideration and implementation by \nmanufacturers and broadcast system owners and operators to increase \nsecurity and system integrity.\n        Questions From Honorable Scott Perry for Jane Holl Lute\n    Question 1a. When a company from the private sector chooses to \nreport that they fell victim to a cybersecurity crime, what is the \nprocess by which they go about doing that? Specifically, what is the \ndepartment or agency they report to?\n    Answer. Successful response to dynamic cybersecurity crime requires \nleveraging homeland security, law enforcement, and military authorities \nand capabilities, which respectively promote domestic preparedness, \ncriminal deterrence and investigation, and National defense. DHS, the \nDepartment of Justice (DOJ), and the Department of Defense (DOD) each \nplay a key role in responding to cybersecurity crimes, with each \ndepartment having areas with overlapping jurisdiction regarding law \nenforcement, protection, and response. Regardless of which agency \nreceives an initial incident report, these Federal entities regularly \nshare incident information in a manner that protects privacy and civil \nliberties, and coordinate on response activities such that ``a call to \none is a call to all.''\n    Question 1b. If the Government substantiates the claim, what \ninformation can be provided to the company? Specifically, is the \ncompany given tools to prevent future attacks; do they receive the \norigin of the attack?\n    Answer. If a company requests that DHS evaluate a suspected \nintrusion, the company may voluntarily provide network or system log \ndata to the NCCIC for technical review to ascertain the characteristics \nof an incident. 
The NCCIC will analyze the log data and provide the \ncompany with a detailed analysis, classified and/or unclassified as \nappropriate, and recommend mitigation strategies. Other agencies, like \nthe FBI, may also coordinate with DHS to share information with the \ncompany.\n    The Department's enhanced cybersecurity and communications \ncollaboration, situational awareness, and everyday response \ncapabilities through the NCCIC allow for information sharing across all \nlevels of government and the private sector for cyber incident \nsituational awareness and coordinated response and recovery efforts. \nDHS routinely shares threat knowledge in anonymized, non-attributable \nformats, with the private sector to enable effective computer network \ndefense during steady states as well as in response to a more \nparticularized threat. In response to an incident, DHS frequently \nprovides analysis to assist in mitigating the activity or preventing \nfuture attacks. In addition, the NCCIC shares timely and actionable \nincident data with the affected company as well as interagency partners \nand across multiple sectors to enable alert and warning activity, \nhelping other partners protect themselves before they are impacted. For \ninstance, the Cybersecurity Information Sharing and Collaboration \nProgram allows for sharing and receiving anonymized actionable threat \ndata with participating private-sector entities; it provides \nprotection for information submitted and enables collaboration with \nother entities in response to cybersecurity threats and incidents.\n    DHS also offers a number of voluntary programs to increase an \nentity's cybersecurity posture upon request. These include the Cyber \nSecurity Evaluation Tool, which is a self-assessment tool downloadable \nfrom www.us-cert.gov and a library of recommended practices that a \ncompany can follow to increase their cybersecurity posture. 
\nAdditionally, critical infrastructure owners and operators can request \nan on-site Cyber Resilience Review of their organization's overall \ncyber posture or an assessment of their control systems' security from \nthe Industrial Control Systems Cyber Computer Emergency Response Team.\n    Question 2. Currently, it is in the best fiscal interest for many \ncompanies not to report cyber attacks on their networks. In drafting \nlegislation, can any confidentiality safeguards be implemented that \nwould encourage more companies to come forward when they have fallen \nvictim to cyber attacks?\n    Answer. The Department of Homeland Security (DHS) has a long \nhistory of responding to cyber and physical security incidents \ninvolving critical infrastructure and protecting the confidentiality of \nsensitive information through the Protected Critical Infrastructure \nInformation program (PCII). PCII is an information-protection program \nthat enhances voluntary information sharing between infrastructure \nowners and operators and the Government. If the information submitted \nsatisfies the requirements of the Critical Infrastructure Information \nAct of 2002, it is protected from disclosure under the Freedom of \nInformation Act; State, Tribal, and local disclosure laws; use in \nregulatory actions; and use in civil litigation. PCII can only be \naccessed in accordance with strict safeguarding and handling \nrequirements. Only trained and certified Federal, State, and local \ngovernment employees or contractors may access PCII.\n    Designating information as PCII also provides a level of protection \nthat facilitates DHS's ability to work directly with the infrastructure \nowners and operators to identify vulnerabilities, mitigation \nstrategies, and protective measures. 
Homeland security partners can be \nconfident that sharing their information with the Government will not \nexpose sensitive or proprietary data, while the Government can still \nbenefit from increased information sharing by analyzing and securing \ncritical infrastructure and protected systems, identifying \nvulnerabilities and developing risk assessments, and enhancing recovery \npreparedness measures. Furthermore, timely reporting of serious cyber \nincidents allows for companies, or the Department, to provide \nmitigation assistance as soon as possible, often limiting the damage \nthat can be caused and potentially saving on remediation costs.\n    The Executive Order on Improving Critical Infrastructure \nCybersecurity also initiates key information sharing improvements by \nincreasing the security clearances provided to critical infrastructure \npersonnel and expanding a program that enables advanced sharing of \ncyber threat information to assist participating critical \ninfrastructure companies in their cyber protection efforts. While there \nis bipartisan consensus on the need for additional information-sharing \nlegislation, the administration is focused on ensuring that the text of \nany such law fully addresses several key objectives. 
Specifically, \ninformation-sharing legislation must:\n  <bullet> Carefully safeguard privacy and civil liberties, including \n        properly defining the type of information that can be shared, \n        the purposes for which such sharing can occur, establishing \n        adequate oversight, and procedures to remove identifying \n        information unrelated to cybersecurity threats;\n  <bullet> Provide targeted liability protections that explicitly \n        authorize legitimate action without creating unintended \n        consequences;\n  <bullet> Leverage all of the Government's cybersecurity capabilities, \n        while preserving the long-standing, respective roles and \n        missions of civilian and intelligence agencies; and\n  <bullet> Clarify the type of assistance that DHS can provide to \n        quickly help a private-sector company, State, or local \n        government when that organization asks for its help.\n       Question From Honorable Susan W. Brooks for Gary W. Hayes\n    Question. In February, the Emergency Alert System of two television \nstations in Montana was compromised and a fake emergency alert message was \nbroadcast warning of a zombie apocalypse occurring in several counties. While \nthis incident did not cause any harm, my concern is that the American \npeople rely on public information during crisis and disasters to help \nguide their actions and hacking into the system could cause great harm \nor confusion. What are some measures that can be taken to prevent this \nfrom occurring again and assure the American people the information we \nprovide through the emergency alert system is accurate?\n    Answer. Response was not received at the time of publication.\n\n                                 <all>\n</pre></body></html>\n"