[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
ASIA: THE CYBER SECURITY BATTLEGROUND
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON ASIA AND THE PACIFIC
OF THE
COMMITTEE ON FOREIGN AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JULY 23, 2013
__________
Serial No. 113-42
__________
Printed for the use of the Committee on Foreign Affairs
Available via the World Wide Web: http://www.foreignaffairs.house.gov/
or
http://www.gpo.gov/fdsys/
______
U.S. GOVERNMENT PRINTING OFFICE
82-145 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON FOREIGN AFFAIRS
EDWARD R. ROYCE, California, Chairman
CHRISTOPHER H. SMITH, New Jersey
ILEANA ROS-LEHTINEN, Florida
DANA ROHRABACHER, California
STEVE CHABOT, Ohio
JOE WILSON, South Carolina
MICHAEL T. McCAUL, Texas
TED POE, Texas
MATT SALMON, Arizona
TOM MARINO, Pennsylvania
JEFF DUNCAN, South Carolina
ADAM KINZINGER, Illinois
MO BROOKS, Alabama
TOM COTTON, Arkansas
PAUL COOK, California
GEORGE HOLDING, North Carolina
RANDY K. WEBER SR., Texas
SCOTT PERRY, Pennsylvania
STEVE STOCKMAN, Texas
RON DeSANTIS, Florida
TREY RADEL, Florida
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
TED S. YOHO, Florida
LUKE MESSER, Indiana
ELIOT L. ENGEL, New York
ENI F.H. FALEOMAVAEGA, American Samoa
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
ALBIO SIRES, New Jersey
GERALD E. CONNOLLY, Virginia
THEODORE E. DEUTCH, Florida
BRIAN HIGGINS, New York
KAREN BASS, California
WILLIAM KEATING, Massachusetts
DAVID CICILLINE, Rhode Island
ALAN GRAYSON, Florida
JUAN VARGAS, California
BRADLEY S. SCHNEIDER, Illinois
JOSEPH P. KENNEDY III, Massachusetts
AMI BERA, California
ALAN S. LOWENTHAL, California
GRACE MENG, New York
LOIS FRANKEL, Florida
TULSI GABBARD, Hawaii
JOAQUIN CASTRO, Texas
Amy Porter, Chief of Staff
Thomas Sheehy, Staff Director
Jason Steinbaum, Democratic Staff Director
------
Subcommittee on Asia and the Pacific
STEVE CHABOT, Ohio, Chairman
DANA ROHRABACHER, California
MATT SALMON, Arizona
MO BROOKS, Alabama
GEORGE HOLDING, North Carolina
SCOTT PERRY, Pennsylvania
DOUG COLLINS, Georgia
LUKE MESSER, Indiana
ENI F.H. FALEOMAVAEGA, American Samoa
AMI BERA, California
TULSI GABBARD, Hawaii
BRAD SHERMAN, California
GERALD E. CONNOLLY, Virginia
WILLIAM KEATING, Massachusetts
C O N T E N T S
----------
WITNESSES
Phyllis Schneck, Ph.D., vice president and chief technology officer, Global Public Sector, McAfee, Inc.
Mr. James Lewis, director and senior fellow, Technology and Public Policy Program, Center for Strategic International Studies
Mr. Karl Frederick Rauscher, chief technology officer and distinguished fellow, EastWest Institute
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Phyllis Schneck, Ph.D.: Prepared statement
Mr. James Lewis: Prepared statement
Mr. Karl Frederick Rauscher: Prepared statement
APPENDIX
Hearing notice
Hearing minutes
ASIA: THE CYBER SECURITY BATTLEGROUND
----------
TUESDAY, JULY 23, 2013
House of Representatives,
Subcommittee on Asia and the Pacific,
Committee on Foreign Affairs,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:24 p.m., in
room 2172, Rayburn House Office Building, Hon. Steve Chabot
(chairman of the subcommittee) presiding.
Mr. Chabot. The committee will come to order.
Good afternoon. I would like to welcome everyone, my
colleagues and our distinguished witnesses, to the Subcommittee
on Asia and the Pacific hearing this afternoon. The ranking
member Mr. Faleomavaega and I will make opening statements, and
then other members of the subcommittee will be recognized for
making 1-minute statements should they wish to do so.
Over the course of the last few years, there has been
growing acknowledgment of the need for an international cyber
security policy. The growing interdependence of the world by
way of the Internet and vast frequency and similarity of cyber
attacks reported in nearly every corner of the Earth
illustrates why.
As they say, cyberspace knows no borders. This implies that
cyber security is only as good as its weakest link. In other
words, we can work tirelessly to build up the defenses of our
critical infrastructure systems and networks here in the U.S.,
but back doors could still be found in overseas routing points
and links in the global supply chain, for example, through
which adversaries can find ways to attack U.S. Government
systems and private companies. This is why the U.S. must engage
its allies around the world to promote the preservation of
global network functionality, in addition to establishing
confidence-building measures that foster trust and reliability
with nations that have become Wild West havens for cyber
criminals so that we can close these back doors.
As an effort to recognize cyber security's growing
international attention and importance, the State Department
established the Office of the Coordinator for Cyber Issues in
2011 to more effectively coordinate global diplomatic
engagement on cyber issues. It was around the same time that
the White House issued its International Strategy for
Cyberspace.
While we are not here today to discuss the progress or
effectiveness of this relatively new State Department office, I
think at the very least it is an acknowledged step in the right
direction, even if they could not somehow provide anyone to
brief the subcommittee on its activities before this afternoon.
Even so, today's hearing is part of our efforts here in
Congress to examine how to advance this strategy in such a
critical region of the world as Asia.
Almost every day U.S. businesses are victims of cyber
exploitation and theft by nation-state actors such as China.
Theft of intellectual property not only takes away American
jobs and hurts innovation and competitiveness, but it costs
U.S. businesses anywhere between $200 billion and $400 billion
a year. In order to engage American economic prosperity and
security, the integrity and openness of our networks must be
maintained. And as we discuss this afternoon the evolving
threats and a growing number of cyber challenges facing our
Nation, I recognize this will be no easy task.
Asia is a region beset by some of the world's most
aggressive cyber actors. I think it is fitting that today's
hearing calls the region the cyber security battleground,
because as Asia has become the most economically dynamic region
in the world, it has also become the hub of cyber conflict.
Alternatively, while Asia is not an actual battleground as we
know one to be or in the throes of a drawn-out war, this term
symbolizes that the region is faced with many serious threats
and actors that are unstable, uncertain and volatile.
It is unlikely for a real cyber war to start between Asian
nations at this point, but it is critical to note how
cyberspace has become a source of great economic and military
rivalry, as well as the primary medium for political activism.
As we know, in many Asian nations political dissent via the
Internet is obstructed by ruling governments and considered a
threat. An issue we discuss here frequently, this is a source
of great internal conflict and human rights abuses.
Nevertheless it is the networked interconnection of our
lives, information, financial systems and institutions that is
enabling global business to expand and thrusting growing Asian
economies forward, providing before-unavailable economic
opportunities to people throughout the world. Competition is
growing, and with the growth of competition has come the growth
of malicious activities aimed at stealing economic and military
secrets for groups and nations to get ahead. Nearly every
military in Asia will eventually have some level of cyber
capability, if they don't already, and because of cyberspace's
lack of security or an established set of norms, the risk of
miscalculation only grows. This is why regional engagement on
cyber is imperative because building trust capacity and
security is not going to be easy and it will take time.
The ``cyber powers'' in Asia include the U.S., China,
Taiwan, South Korea, North Korea and Australia. Just like many
other issues in Asia, the growth of cyber capabilities in these
countries and other Asian nations revolves around China's
strength and growing desire for influence. China has been
called by numerous high-level officials in the Obama
administration an advanced cyber actor and an aggressive
practitioner of economic espionage against the U.S., and no
doubt, our allies in Asia as well.
The instances in which China was behind cyber attacks or
intrusions of U.S. Government systems and companies are
endless. While I think that opening dialogue with the Chinese
about cyber crime, theft and espionage is good, establishing
some sort of norms or principles to guide actions in cyberspace
that the Chinese can agree to will be incredibly difficult.
China will continue to deny accusations, and its behavior is
unlikely to change.
Similarly, North Korea's behavior has shown its aversion to
change; however, the Kim regime is not only unstable,
irrational, and erratic, but it is also risk averse. North
Korea's growing cyber capabilities present the greatest
likelihood of a cyber conflict in Asia. Earlier this year it
demonstrated its capabilities in South Korea, where it crippled
the operations of banks and news agencies by wiping the hard
drives of thousands of computers. While McAfee's report on what
is now called Operation Troy does not attribute these attacks
to North Korea, it could not be clearer who was responsible.
North Korea is not only a nuclear threat, but it is a serious
cyber threat as well.
Lastly, we cannot forget the cyber threats emerging from
Pakistan that challenge the national security of the U.S. and
its neighbor, India. Mutual distrust dominates the
relationship, which severely hampers opportunities for
bilateral cooperation. As home to numerous terrorist groups,
the cyber risks materializing from Pakistan are exceedingly
multifarious. Just the other day the Director of the National
Security Agency said, ``Terrorists use our communications
devices. They use our networks . . . they use Skype, they use
Yahoo, they use Google . . . and they are trying to kill our
people.'' Cyber terrorism is real.
I look forward to hearing the witnesses' testimonies today,
and I thank each of you for making the time to be here. The
private sector's role in building cyber collaboration and
awareness in Asia is just as important as what our
administration is doing, so I am glad we have a diverse panel
here this afternoon.
I now yield to my good friend, the gentleman from American
Samoa, the ranking member, Mr. Eni Faleomavaega.
Mr. Faleomavaega. Thank you, Mr. Chairman. And I do
appreciate your leadership and especially for calling this
hearing this afternoon.
I also want to welcome personally our distinguished guests
and members of the panel, who are pretty capable experts in
this area of cyberspace or cyber security.
Cyberspace is a global infrastructure that has become the
backbone of the world economy, but as we know, it is badly
secured and governed. Asia Pacific is a focal point for
cyberspace, and the information technology industry is mostly
Pacific-based with the U.S., India and other Asian countries
creating the most digital products.
While this kind of technology is providing economic
opportunity in the region, there is also a downside when it
comes to cyber conflict. Cyber conflict involves the planning
for military and strategic competition, and asymmetric warfare
and engagement, and economic espionage to gain long-term
economic and trade advantages. Cyber powers include the United
States, China, Taiwan, South Korea, North Korea, and Australia,
and New Zealand. And Japan and India are exploring military
cyber capabilities as well.
China and the United States are engaged in the strategic
competition: How do we plan ahead of establishing rules of the
road in cyberspace? Interesting to note, Mr. Chairman, there
are some 500 million people in China who are Internet users, with
some additional 300 million who use their version of
Twitter. So it is very interesting, the fact that out of
the total population of some 7 billion people living on this
planet, over 50 percent of the world's population reside in the
Asia Pacific region, and I think it is quite obvious that this
region is very important.
I recall a couple of years ago when the People's Republic
of China had developed a missile that was capable of shooting
the satellite, Chinese satellite, that was traveling some
18,000 miles per hour, and they were able to do it. Oh, there
was a tremendous uproar about China violating whatever it was.
The fact of the matter is the United States and Russia were
about 20 years ahead of China as far as this kind of cyberspace
security technology that we have developed.
I think it is important that in terms of what is happening
in countries like China, I am a little more optimistic to the
fact that because of this number of Internet users, despite the
problems with security and the way the government controls this
technology, the fact of the matter is I don't see how any
government is going to be able to control public demand and the
wanting to use the way it is done right now in China, and I
think it is going to come out with better results in terms of
greater freedom and greater access to the Chinese consumers and
whatever it is that they want to do as far as developing and
improving their economic well-being.
With that, Mr. Chairman, I look forward to hearing from our
witnesses this afternoon. Thank you.
Mr. Chabot. Thank you.
We will now recognize members in case they would like to
make opening statements. We will do it in the order they
arrived once we started.
The gentleman from Pennsylvania, Mr. Perry, is recognized.
Mr. Perry. Thank you, Mr. Chairman.
Gentlemen, ladies, thank you for your time and testimonies
today in advance.
Consumers, government, and private companies have grown
increasingly reliant on cyberspace to manage projects, reach
potential clients, serve their constituents and disseminate
mission-critical information. Unfortunately, as you know, cyber
threats have more than kept pace, and, according to reports,
this year will bring an even more sophisticated assault on
business, private citizens and government organizations.
Former Secretary of Defense Panetta warned government and
business leaders to be prepared for an escalation of cyber
attacks. Rather than simply being prepared for disruption in
organizations' activities in cyberspace through denial-of-
access regimes, leaders need to develop strategies to handle
destructive behavior that cripple systems or corrupt data.
There has been no shortage of recommendations to address
this concern because of the immense value of information shared
on secured networks and systems. Private-sector companies have
a financial and competitive incentive to safeguard their
intellectual property and to ensure novel innovations are
brought to market. Public-sector entities must safeguard
sensitive information, including intelligence reports,
citizens' personal information, and financial data, and
national security information, to keep it secure and protect it
from those who wish to harm our people and our economy.
In light of our military and economic strategic shift to
the Asian Pacific region, it is increasingly important that we
put great focus on this area of the world when considering
cyber security policy.
Thank you. I look forward to your testimony, and I yield
back.
Mr. Chabot. Thank you. The gentleman's time has expired.
The gentleman from California, Mr. Bera, is recognized.
Mr. Bera. Thank you, Mr. Chairman, and thank you, Ranking
Member, and thank the witnesses.
We live in an interconnected world. We live increasingly in
a world and an economy that is global and interconnected, and
that does create more marketplaces. It does create more
efficient opportunities for us to move information, for us to--
a more efficient financial marketplace.
But with that interconnectedness come real threats and
vulnerabilities, and the opportunity for us to come together as
democratic countries, as freedom-loving countries, you know,
particularly countries like the U.S., India, Taiwan, South
Korea, Japan, to really protect this interconnectedness and
protect what the future looks like, but at the same time be
very cognizant of the threats and vulnerabilities.
I look forward to hearing from the witnesses on how we
allow this marketplace to grow, how we allow this
interconnectedness to grow, but, again, being vigilant of the
threats that they pose and how we protect ourselves from those
threats.
So thank you. I yield back.
Mr. Chabot. Thank you. The gentleman yields back.
If there are no other members who wish to make opening
statements, we will go ahead and introduce the panel at this
time.
Our first witness will be Dr. Phyllis Schneck. Dr. Schneck
is the chief technology officer for public sector at McAfee,
Inc. In this role she is responsible for the technical vision
for public-sector applications of security and global threat
intelligence, cyber security technology, and policy strategies,
leading McAfee security and intelligence initiatives in
critical infrastructure protection and cross-sector cyber
security.
She has served as a commissioner and a working group co-
chair on public-private partnership, and co-chaired the
Critical Infrastructure Protection Congress. She is also the
chairman of the board of directors of the National Cyber
Forensics and Training Alliance. Previously, Dr. Schneck served
for 8 years as chairman of the national board of directors of
the FBI's InfraGard program and founding president of InfraGard
Atlanta.
Named one of the Information Security Magazine's top 25
women leaders in information security, she has briefed the
Governments of Japan, Australia and Canada on information
sharing and infrastructure protection. Dr. Schneck has also
served as vice president of research integration for Secure
Computing, vice president of Enterprise Services for
eCommSecurity, vice president of Corporate Strategy for
SecureWorks, Inc., and was founder and chief executive officer
of Avalon Communications, among many others. She received her
Ph.D. in computer science from Georgia Tech. We welcome her
here this afternoon.
Next, I would like to introduce James Lewis, who is a
senior fellow and program director at CSIS, where he writes on
technology, security and international relations. Before
joining CSIS, he worked at the Departments of State and
Commerce. He has also served as the Rapporteur for the 2010
and the 2012-2013 United Nations Group of Governmental Experts
on Information Security. His current research examines the
political effects of the Internet, asymmetric warfare,
strategic competition and technological innovation. Dr. Lewis
received his Ph.D. from the University of Chicago. We welcome
you here this afternoon.
Finally, we have Karl Frederick Rauscher, who is a
distinguished fellow and the chief technology officer of the
EastWest Institute. Leading the institute's Worldwide
Cybersecurity Initiative, he oversees strategic track 2
bilaterals among the world's cyber superpowers--China, India,
EU, Russia and the U.S.; pioneers policy for norms of behavior
for cyber conflict, advances emergency preparedness for crises
in cyberspace, and helps foster innovative problem solving in
the private sector. He recently led and authored reports for
three major bilaterals between the U.S., China, and Russia.
He previously served as executive director of the Bell Labs
Network Reliability and Security Office of Alcatel-Lucent. Mr.
Rauscher has also served as an advisor for senior government
and industry leaders on five continents, including as vice
chair of the U.S. President's National Security
Telecommunications Advisory Committee industry executive
committee and as leader of the European Commission-sponsored
study on the Availability and Robustness of Electronic
Communications Infrastructures.
Mr. Rauscher is the founder and president of the nonprofit
Wireless Emergency Response Team, which led search-and-rescue
efforts using advanced wireless technology in the disaster
sites of September 11th, 2001, and the 2005 Hurricane Katrina
New Orleans flood.
We welcome all three of our witnesses here this afternoon.
You will each be given 5 minutes to testify. There is a
lighting system on the desk. The yellow light will let you know
you have 1 minute to wrap up. The red light will let you know
that your time has expired. We would ask you to wrap up by that
time. Then we will have 5 minutes to ask questions.
Dr. Schneck, we will go to you first. You are recognized
for 5 minutes.
STATEMENT OF PHYLLIS SCHNECK, PH.D., VICE PRESIDENT AND CHIEF
TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, MCAFEE, INC.
Ms. Schneck. Thank you, and good afternoon, Chairman
Chabot, Ranking Member Faleomavaega, and other members of the
subcommittee. As said, I am Phyllis Schneck, VP and chief
technology officer for global public sector for McAfee. We
really appreciate the subcommittee's interest on these issues
and the security threats as well as the solutions on certainly
how we keep that economy going to the point before.
My testimony today will focus on three areas: The threat
landscape; and, as the chairman mentioned, the attacks against
South Korea that McAfee investigated and named Operation Troy;
and recommended security solutions. Again, how do we allow this
economy to grow?
A little bit about McAfee. Our role in cyber security is to
protect our customers worldwide from these cyber threats. We
are headquartered in Santa Clara, California, and Plano, Texas,
and are a wholly owned subsidiary of the Intel Corporation. And we are
the largest dedicated security company in the world focused on
protecting against those threats with products, services, and,
as I will describe in a moment, deep investigations of that
threat which help us understand how to go out and protect
against an adversary that moves faster than we do, because they
have no lawyers, they have no laws, and they have plenty of
money. So we have to find ways to maintain our economies and
execute even faster.
I am going to focus on something a little bit different today.
Instead of just the threat that we hear about from the Asia
Pacific region, let us talk a little bit about the threat to
the region as we saw in Operation Troy demonstrated against
South Korea. As was mentioned, the Asia Pacific region has a
large economy. It affects a lot of our global marketplace
today, and so many of those businesses that are impactful there
are based on Internet, Internet communications, which makes
cyber security so important so that we build in resilience and
keep those markets up for the rest of the globe.
We heard about on March 20th the attacks against South
Korea against the banking and financial institutions. McAfee
led an investigation we called Operation Troy. I do want to
call out my colleagues, one from McAfee Labs, Ryan
Sherstobitoff, for the record; and one from Office of the CTO
with me was Jim Walter, who really led and dove into this
investigation.
I also want to start out by defining ``malware.'' Malware
is an enemy's instruction or a malicious instruction that
executes on someone else's machine, thus giving someone else
control of your cyber. Their instruction is next to execute
memory, and that is important, and I will get to that in a
moment.
But on March 20th, in the end of an operation that we
discovered was actually a covert operation of espionage
spanning 4 years, Operation Dark Seoul landed instructions on
machines in South Korea that erased the disk drives of many of
those machines, and also, as you heard in the news, it,
quote, ``wiped the master boot record.'' That
means it disabled or erased the record that would have been
used by that machine to even start up. So the industry term is
it bricked them, it destroyed the machines. And what we
discovered is that this had been going on about 4 years. This
was the seventh variant. That is just sort of a different
version of malware that had been used over those 4 years.
And here is how we actually investigated that. If you look
at two things, one we call fingerprints, what it looks like.
Actually we discovered the same file path, or directory, or
names in malware going back all the way to December 2009 used
by campaigns all the way, again, through 4 years, winding up in
this attack. And the second thing we look at is called
footprint. So, again, not what it looks like, the fingerprint; the
footprint is how the thing moves.
So over the past 4 years, the adversaries had used
dedicated machines to send the instructions to the malware. So
they were literally shipping instructions to malware that was
embedded in machines in South Korea. And it is important to
note this malware got to the machines in South Korea likely by
a first victim clicking on a link in what they call a spear
phish, or a custom-made email that looks like it is just for
you. Then the instructions would be sent in from a dedicated
machine, and we believe that the malicious code was propagated
to the other machines from that; and then a second stage
through a regular software update. So it looked like you were
improving the security of your software when really you were
downloading more enemy code. And, again, the footprint of this
or how they did it for the first 4 years was having a dedicated
machine to feed the malicious instructions.
The more modern, sophisticated version that they landed in
Dark Seoul in South Korea was through the use of a botnet, a
more dynamic system which actually made the adversary more
resilient. You take out one machine, there are thousands of
others you can use.
So on the more optimistic side, what can we do to keep
economies up? At McAfee we believe very strongly in connected
security systems. Every component of your network should be a
producer and consumer of information. Don't let instructions
execute that should not. Have networks run resilience, like the
human body and immune system behaviorally attack viruses or
disease or things that we know are bad without knowing their
name. And all computer systems should learn from events from
others, having them connected in real time. And we are active
worldwide in these types of operations to ensure that we share
information and, again, keep these economies alive.
So again, thank you very much for requesting McAfee's views
on these issues, and happy to answer any questions.
Mr. Chabot. Thank you very much.
[The prepared statement of Ms. Schneck follows:]
----------
Mr. Chabot. Dr. Lewis, you are recognized for 5 minutes.
STATEMENT OF MR. JAMES LEWIS, DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC
INTERNATIONAL STUDIES
Mr. Lewis. Thank you, Mr. Chairman. I thank the committee
for the opportunity to testify.
Weak cyber security creates the risk of conflict in Asia.
In cyber security, as in so many other issues, China's behavior
is the central strategic issue. North Korea's cyber actions are
worrisome, but China's actions have a destabilizing regional
and global effect.
The U.S. response to this should have four elements. One,
we need to engage with China to reduce cyber espionage and the
risk of a cyber incident escalating into armed conflict. Two,
we need to modify existing alliances with Australia, Japan and
Korea to make collective cyber defense a reality. Three, we
have to expand formal cooperation with ASEAN countries and
India on cyber security. And four, we need to make Asia a
central part of the global effort to build common
understandings on a secure cyberspace.
The most important thing we can do to increase stability is
to reach agreement on norms for responsible state behavior, the
rules, practices and obligations that states observe in their
dealing with each other and with the citizens of other states.
In June of this year, a 15-nation group at the U.N., a
group of government experts that included the U.S., China,
India, Indonesia, Australia, Japan and Russia, agreed on rules
for cyber security. They agreed that the U.N. Charter applies,
that international law applies, the principle of state
responsibility applies, and that national sovereignty is
applicable in cyberspace, which means you can define borders.
This U.N. Agreement is a significant step forward. China
agreed to this only reluctantly and after considerable
pressure. Cyber security is a fundamental task of China's
willingness to play by the rules and will determine if its rise
will be peaceful. China can choose to play the game by the
rules, or it can ignore them. This choice will influence future
relations with China and the stability of Asia.
The U.S. can influence China's decision with persistence
and the right strategy. We have done this before in the 1990s
and later, and while China is now more powerful than it was
then, we can again persuade it to change its behavior to save
global norms.
Military competition between the U.S. and China is
increasing, but there is no military solution for cyber
security. No Asian country, including any of our allies, wants
a cold war with China. Asian nations will consider both their
relations with the U.S. and their relations with China. They
want to find some way to balance both. China is too important
as a market, and the U.S. is too important as a guarantor of
regional stability. Asian nations would prefer not to have to
choose between the two.
Political issues will complicate efforts to reach agreement
on cyber security. Many Asian nations want to regulate content,
citing pornography and online gambling as examples of Web
services they would like to block. It is also too early to
measure the effect of the Snowden revelations on U.S. efforts to
build international agreement on cyber security.
Making sure that Asia does not become a cyber security
battleground will require sustained engagement with China and
cooperative arrangements with other Asian nations on cyber
security. Reaching agreement will not be easy, nor will it be
quick, but it is the best and probably the only way to advance
U.S. interests.
I thank the committee and look forward to your questions.
Mr. Chabot. Thank you very much.
[The prepared statement of Mr. Lewis follows:]
----------
Mr. Chabot. Mr. Rauscher, you are recognized for 5 minutes.
STATEMENT OF MR. KARL FREDERICK RAUSCHER, CHIEF TECHNOLOGY
OFFICER AND DISTINGUISHED FELLOW, EASTWEST INSTITUTE
Mr. Rauscher. Good afternoon, Mr. Chairman, members of the
committee and fellow panelists. My name is Karl Frederick
Rauscher, and I am the chief technology officer and a
distinguished fellow of the EastWest Institute, where I lead
the institute's Worldwide Cybersecurity Initiative and its new
Cyber Policy Lab. I am pleased to be before the committee today
to testify about cyber in Asia.
I submitted my full statement to the committee, which I ask
to be made part of the hearing record.
Mr. Chabot. Without objection, so ordered.
Mr. Rauscher. Thank you on that. I now move to give a brief
opening statement.
I am an electrical engineer who has spent over 25 years in
the Bell Labs environment. In the course of my career, I have
provided guidance on ultra-high reliability and ultra-high
security applications to senior governments on five continents.
As the primary challenges of reliability and security have
shifted in recent years from technology to policy, my primary
association is now with the EastWest Institute. EWI is a global
think-and-do tank whose board of directors comes from the highest
levels of government, business and civil society, and has had
bipartisan and international representation from the East and
the West, allowing it to maintain its neutrality and fiercely
guarded independence.
My recent publications include India's Critical Role in the
Resilience of the Global Undersea Communications Cable
Infrastructure; Fresh Tracks for Cybersecurity Policy
Laterals--Updating the Track 1 and Track 2 Paradigm to Tracks
Kappa, Epsilon and Phi; a Russia-U.S. Bilateral on Critical
Infrastructure Protection: Rendering the Geneva and Hague
Conventions in Cyberspace; and a China-U.S. Bilateral on
Cybersecurity: Fighting Spam to Build Trust. Perhaps of
interest to the committee, this last publication was recently
singled out by the New York Times editorial board as
recommended reading for Presidents Obama and Xi prior to their
recent June 2013 California talks.
The point of my testimony today is that policy innovations
that break through the East-West ideological gridlock are
essential for the stability of cyberspace. I see solutions to
the current predicament between the U.S. and China that are
based on a major overhaul of ideological and political regimes
as having a low probability of success. Thus my focus is on
real, tangible steps to progress that will actually make
cyberspace better for all of us.
There are four key aspects of navigating the solution
space: First, recognizing that the U.S. and China have both
shared and unshared, or simply different, interests. This is
what makes the world interesting and also very dangerous.
Second, regarding the shared interests, there is potential
for cooperation; however, the current environment of growing
mistrust impedes straightforward understanding of each other's
interests.
Third, the contour of cooperation can be optimized if we,
(A) extend cooperation into new areas based on enlightened
understanding of actual shared interest; and, (B) pull back
cooperation where shared interests are not, after careful
examination, in reality enjoyed.
And fourth, an optimized contour of cooperation of shared
interest can reset the tone for discussions, giving both sides
the confidence the relationship can improve as steps of new
cooperation are taken. As we have found with the success of the
fighting spam work, we can now move into arenas of higher
complexity and higher consequence.
I offer some tangible evidence that demonstrates the
doability of breaking through policy gridlocks with Asia and
cyberspace by pointing out examples of recent successes. We are
encouraged that to date we have forged 27 innovative
recommendations that break through policy roadblocks. And most
encouraging, we have seen within a short period of time an
uptake of these recommendations by major companies and
governments. In fact, over 50 percent of the innovative
recommendations are being implemented, and over a quarter are
now institutionalized for long-term sustainability.
The first examples I draw attention to are the 2
recommendations and 46 best practices of the Fighting Spam to
Build Trust report, which was prepared jointly by a combined
dream team of Chinese and U.S. subject-matter experts and
stakeholders. Spam can make up as much as 95 percent of email
messages sent and is often a vehicle for malicious code, as was
referred to earlier.
The report's two recommendations have not only been
implemented, but their continued, sustained implementation has
been institutionalized by the highly recognized international
Messaging, Malware and Mobile Anti-Abuse Working Group, also
known as the M3AAWG.
I pivot now in my remarks to facing the future. What are we
going to go do next? As we look at the U.S.-China relationship,
I submit that we would do well to remember a lesson from our
great American sport of baseball. Home runs are hard to come by,
and there are many people swinging for the fence and
striking out. In contrast, consistently hitting singles, and
keeping a good batting average is still a great strategy for
putting points on the board. I humbly submit that these
examples are proof that striking out is not inevitable, and
that we can get on base.
In conclusion, the top priority for engaging Asia and
specifically China at this time is to make genuine, tangible
progress. Policy breakthroughs with Asia are needed for the
safety, stability and security of cyberspace. Policy
breakthroughs have been shown to be possible, and more policy
breakthroughs in key areas are also possible.
Thank you, Mr. Chairman and committee members, for the
opportunity to appear before you today. I stand ready to answer
any questions that you may have.
Mr. Chabot. Thank you very much.
[The prepared statement of Mr. Rauscher follows:]
----------
Mr. Chabot. Before we get into the 5-minute questioning by
panel members, the Chair would like to call on the gentleman
from Georgia to be recognized for a moment. Mr. Collins.
Mr. Collins. Mr. Chairman, I do appreciate it. And, Dr.
Schneck, I just wanted to--from Georgia, so I could not let it
pass by. Although I represent the University of Georgia, Georgia Tech
is a wonderful institution. She would--for those in the
audience who don't know, Go, Dogs. But Tech is also my heart as
well. But just your expertise in the way you have represented
in your doctorate coming from Georgia Tech, and the
instruments, and where you played in this field, and the
expertise that you give, give your alma mater a wonderful name,
and I just wanted to say that for the record.
This is a huge issue. It is the defining issue, I believe, for
the next number of years, and not only in our warfare, but also
in our relations between countries. And I could not let it go
without recognizing your accomplishments and achievements from
the fine institution of Georgia Tech.
Mr. Chabot. Any response?
Ms. Schneck. I would love to say thank you. You know the
response I need to give someone from Georgia. I cannot say that
in this venue. But thank you so very much for your comments,
and I did really love my time in Georgia.
Mr. Collins. Well, I am going to be having to leave, so I
wanted to make sure I recognized that fact.
Ms. Schneck. Thank you so much.
Mr. Chabot. Thank you.
I now recognize myself for 5 minutes.
I mentioned in my opening statement that establishing cyber
confidence-building measures with our allies and friends in
Asia is critically important. There has been much discussion,
mostly negative, about creating a global treaty, and that this
goal is impractical and unenforceable. The large number of
actors and new and fast-changing technologies in cyberspace
increases the complexity of collaborating to resolve issues
domestically and internationally in a timely manner.
Because of the cross nature of cyber security, different
countries in Asia have different interests concerning privacy,
openness, and regulation of cyberspace--vastly different in
some cases. As a result, what is the best way to go about
establishing greater trust and confidence? While many efforts
to enhance cooperation have taken a bilateral approach, what
form would you see cyber cooperation in Asia taking in the
future? How much influence does the U.S. have in actually
building capacity and security in cyberspace? Lastly, how do
you think broad security concerns about revealing intelligence
sources and methods will prevent cooperation from advancing,
especially considering China's growing presence and
aggressiveness in the region?
I will go down the line and ask each of you to take a
relatively brief shot at those questions. Dr. Schneck, we will
begin with you.
Ms. Schneck. Thank you very much.
When it comes to how much influence the U.S. has in
building that cooperation, I look at cyber security and cyber
resilience: How do you keep our networks up while they are
being attacked? They will always be attacked.
Right now we are setting, I think, a beautiful example in
the U.S. with the work that is being done by NIST and with the
Department of Homeland Security and across interagency in
combining information in people time and in machine time. So
building ways--and we need liability protections, of course,
for companies to share information in good faith about cyber
threat, but also building ways for people to get together
across, transcending those boundaries between competition in
companies as well as transcending private-sector and industry
boundaries.
And in machine time the Department of Homeland Security is
actually crafting protocols to build that Internet ecosystem
that I mentioned, which would allow cyber threat indicators--if
you see something behaviorally strange or off, computers could
communicate to other computers around the Internet just as your
body communicates and fights a disease without knowing its
name, so that you build an ecosystem that is learning where an
adversary is trying to attack before it propagates so much that
it causes damage.
I think the U.S., between our academic institutions, our
industry, and our government, is doing a very good example of
taking the first couple of steps at building that framework to
foster global innovation instead of regulation, which is always
so many years behind.
And we are also setting a great example working with many
in the Asia Pacific community, many in the EU to really build
those protocols, because the competitor is not the adversary
anymore in industry, government is not an adversary, other
countries are not adversaries necessarily. It is all about how
we keep these networks up to sustain our way of life. And to
wrap that part of your question, I think the U.S. is doing a
beautiful job in that way, and we have a lot of work to do
globally on that.
Mr. Chabot. Can I stop you there so I can include the
others? I have about 1-1/2 minutes left, so I will give you
about 45 seconds, Dr. Lewis, and about 45 seconds to Mr.
Rauscher.
Mr. Lewis. Okay. I should note that for the last 3 years I
have led semiformal talks with the Chinese Government, with the
Ministry of State Security and the PLA. State was able to go to
them along with DOD. And what we found in those talks is that a
global treaty just isn't possible. One morning is the Russians
are the guys proposing a global treaty. That alone should be
enough to tell us it is a bad idea.
There is a meeting coming up in Korea this October that is
part of a process begun by the U.K. to get agreement on norms
and confidence-building measures. We are not going to get a
treaty; we can get agreement on norms and confidence-building
measures, and the U.S. is a leader in this.
Mr. Chabot. Thank you.
Mr. Rauscher.
Mr. Rauscher. Yes, I think there are several opportunities
that are ripe for the picking. The first deals with the
underpinning of cyberspace, how we are connected between North
America and the major financial center, Hong Kong, in China,
and that is through undersea cables that all come together
underneath in the Luzon Strait, and that is a choke point.
A recommendation in this ROGUCCI report suggests that we
need geographic physical diversity and a route around the west
side of Taiwan, very sensitive waters, that will land in North
America would bring great stability to our two economies. This
is really something that needs to be done. The Chinese need to
take a step where they would give assurances to investors, but
in North America we need to make it clear that the United
States has places that cables could land.
Another great opportunity for a confidence-building measure
is to implement priority international communications. This is
a capability at a national level that was critical for us, but
we do not have an extension of it internationally. We are
increasingly dependent on each other, and yet we cannot
communicate in a crisis like Fukushima or 9/11 because there is
massive congestion that works particularly internationally.
This is a great opportunity.
I think there are other opportunities in areas that we are
exploring. Perhaps I will have a chance to address that later
in the hearing. Thank you.
Mr. Chabot. Thank you very much.
I will now recognize the ranking member, the gentleman from
American Samoa, Mr. Eni Faleomavaega.
Mr. Faleomavaega. Thank you, Mr. Chairman.
I have become somewhat apprehensive about the idea that
China is the new monster, you have to be very careful, you have
to watch out for them. The fact is I think they are not that--I
mean, it seems to me, in my opinion, they are not really up to
the same capacity in terms of the advancements that we have
made as far as cyber security is concerned, and technology has
been primarily still between Russia and the United States.
Correct me if I am wrong on that.
And, Dr. Schneck, you mentioned something about the
activities that the McAfee Company has operated on this
Operation Dark Seoul as well as Troy. I am not very good in
your technical explanations that you gave. What exactly
happened? Was it a virus, or how--and did it come from China?
Where is the source of this virus that seemed to have gotten
Seoul really upset in the month of March?
Ms. Schneck. In a nutshell, malicious instructions,
computers were given direction to erase their hard drives. They
were rendered useless. So that takes down systems of----
Mr. Faleomavaega. Who was doing this?
Ms. Schneck. When we focus these investigations, we don't
look for attribution. We look for how to protect our customers.
We leave the attributions, the corporate decision, to law
enforcement, who are trained to get that right. Our
investigation is about protecting the networks worldwide that
are being bombarded with literally these instructions that say,
erase now, which can cause damage.
Mr. Faleomavaega. So you were able to save it, but you
don't know the source--who originated the virus and all of
that. Am I correct on this? I am a little confused here.
Ms. Schneck. We don't know that definitively. I can go back
and get the actual guides from the lab to see what else they
know. Our corporate direction and our mission is to protect. So
we focus on what is the damage being done, how is it being
done, and how do we make sure that no one else on the planet
has to take it from this particular attack, and how do we learn
from that.
Mr. Faleomavaega. Dr. Lewis?
Mr. Lewis. The Chinese are pretty good, and we don't want
to underestimate them. They are not as good as the U.S. in
offensive capabilities. And the big problem for China is that
they use pirated software, and pirated software just can't be
made safe. So they are in a weaker position, and they are a
little afraid of us, but they are also not constrained in
engaging in cyber espionage, and that is really the big
problem.
So we don't want to paint them as a monster, but they are
also not entirely innocent when it comes to this stuff.
Mr. Faleomavaega. No different than the Russians or any
even of our allies.
Mr. Lewis. The Russians are at the top of the league, and one
of the reasons you see China in the paper all the time and not
Russia is just because the Russians are better at not being
caught.
Mr. Faleomavaega. And the United States as well.
Mr. Rauscher. Cyberspace has inherent, intrinsic
vulnerabilities in the ingredients that make it up. And so, in
fact, if you removed Asia from the map, if Asia didn't exist,
the fact is, we must face it, America, our government, our
businesses, our personal information is still exposed just as
it is now. And so we are fundamentally at risk because of the
intrinsic vulnerabilities within the ingredients that make up
cyberspace, the networks that connect us, the software that
controls things, and hardware that obeys the commands that it
is given.
So reliance on cyberspace is the first-order problem. The
malicious actors who take advantage of vulnerabilities in
cyberspace no matter where they come from are the second-order
problem.
Mr. Faleomavaega. I mentioned earlier the fact some 500
million Chinese have access to the Internet. That is a pretty
good number as far as potential marketing, business, consumer,
and demands and all of that. If you were to do it in terms of
proportions, how would any government be able to put any kind
of controls on that number of people who are currently using the
Internet, even alone here in the United States? I seem to look
at this as a positive trend rather than saying that it is bad
that people have access to the Internet is something that we
should be careful about. I don't know, maybe you could help me
on that.
I have 30 seconds left now.
Mr. Rauscher. My observations are that China's primary
concern regarding hacking is unlike ours. They are concerned
about the insider threat. They do have--they are very
challenged about controlling their own citizens.
On the other hand, quickly, to contrast with India, they
are the third largest country in terms of online
population, yet they have a very low penetration rate. Only 10
percent of them are online. And so malicious actors are able to
exploit the relatively low maturity of their ICT (information
communications technology) in their country.
Mr. Faleomavaega. I am sorry, my time is up.
Thank you, Mr. Chairman.
Mr. Chabot. Thank you.
The gentleman's time has expired. The gentleman from
Pennsylvania, Mr. Perry, is recognized for 5 minutes.
Mr. Perry. Thank you, Mr. Chairman.
So since we know what China is interested in and what they
are not interested in, they are not interested in having their
population informed. They are interested in stealing
intellectual property from various countries, including ours,
and they have been pretty prolific as far as we know and expect
and announce.
Should it be our policy to hit them where it hurts, to coin
the phrase, I mean, to find a way? I imagine there is a way to
open up the Internet to free information for the Chinese
people. I mean, what would you say should be our plan from a
national security standpoint regarding cyber security and
diplomacy with China to avert? Because all the warnings, all
the discussions, all the announcements seem futile; they do
what they--they disavow it, and they continue to do it. So what
should be our plan?
Mr. Lewis. In private they aren't disavowing it
anymore. So it is interesting to see that their public posture
and their private posture has changed.
We went through something like this with China before
regarding nonproliferation, and the steps we used there
probably will work in this case. You need to engage the Chinese
directly and tell them, this isn't what responsible nations do.
You need some kind of agreement on what is responsible
behavior, and the U.S. is helping to build that. You need your
allies and partners to come in and say the same thing. That was
very helpful before.
And it is going to be a long process. It is going to be
hard. You will need to think of measures that will help
encourage the Chinese to think the right way, and some of the
things that do this could include putting people on Treasury
lists to prevent them from banking in the U.S., putting them on
no-fly lists, sanctioning Chinese companies.
I always found the Hill very helpful when I had to
negotiate with them, because what I would say is, you have got
to help me out here, you got to give me something, because I
can't control those crazy people on the Hill. And that was a
good tactic, because they know our system, and they know that
the Congress is going to be a little more assertive.
And so putting together a package of engagement, allies,
and possibly some kind of sanctions, including information or
sanctions like you were talking about, I think that will get us
there. It will take a number of years, but I don't see an
alternate path.
Mr. Rauscher. I think the Internet is going to win. First,
the power of the devices in the system that we have, so to
speak, is their connectivity. And so if you limit the
connectivity, you are not going to be as competitive in
research or in business. So at the global level, countries are
going to want to be connected to the Internet to be
competitive. Once they do that, there is going to be the free
flow of information.
No matter how good you are, it's just simple mathematics:
once you are connected, if you think of that as a 1, your
filtering can only be something less than 1. Perfect filtering
would be a 1. So if you are at 95 percent, and you are really
good at filtering, that 5 percent of information on the
Internet is a vast amount of information, incomparable to
anything that, you know, we dealt with like in the Cold War in
the 1950s and such.
So I think with that amount of information that the
Internet delivers, the Internet will win. And so if we are able
to keep the Internet as it is now, as a robust place for the
marketplace and for education and learning, it is going to be a
powerful force, even more so in the future than it has been to
date.
Mr. Perry. So the Budapest agreement says that retaliation
by, let us say, U.S. companies, retaliation against cyber
crimes is disallowed, right?
Mr. Lewis. Yes.
Mr. Perry. What are United States companies supposed to do
to proactively protect themselves as opposed--understanding
they buy McAfee, right? That is a great line for you. But, you
know, to me I feel like we are dealing with something on a
higher level, and once all your information is gone, or your
proprietary information or your employee information has been
compromised, it is too late, and you can't unring the bell. So
what proactively can they do? Is there some method of some type
of retaliation that would be authorized?
Ms. Schneck. So I think--look, this is about making
everybody more secure and more resilient and safer, because the
Internet is a wonderful thing, and it is not going anywhere. It
makes life better.
What we need to do is reduce the profit model. Right now
the adversaries are doing very well, and we are not putting
anything in between that. But yet we look at bank robbery, and
that has pretty much stopped because it is not worth it, you
know you are going to get caught. And I think what companies
can do is work with government to make it harder for the
adversaries to win this. We keep our Internet, but we also
build in better controls.
It is not about products; it is about how you assess your
risk, how you make boardroom-level decisions to make things
safer whatever you buy and whatever you do. But that is a
global private-to-government discussion that needs to be had
very powerfully right now.
Mr. Chabot. The gentleman's time has expired.
The gentleman from California Mr. Bera is recognized for 5
minutes.
Mr. Bera. Thank you, Mr. Chairman.
The problem with bank robbery, though, is the penalties are
pretty stiff if you get caught. I think that goes to my
colleague's concern.
I have got two questions, first for Dr. Schneck. McAfee's
perspective is really one of protection, how do you protect
your customers, how do you identify those vulnerabilities and
threats and proactively protect as opposed to seek out who the
person threatening you is.
What steps should this body take to strike that right
balance of, you know, having a thriving, open marketplace where
we are open for business, but at the same time knowing that we
want to keep the Internet open, and we are seeing these
threats? Are there some specific actions that you would like to
see us discuss here in Congress?
Ms. Schneck. I think it is so important to, number one, as
I mentioned before, have the protections for companies to be
able to share information with each other about what we are
learning and what we are seeing. We have seen before, worried
about the threat of a lawsuit the next day, we were not able to
share information about certain oil and gas companies and the
fact they are being targeted. Our lawyers didn't let us because
they worried we would get sued the next day if the stock prices
of the energy sector went down. And there is legislation in
Congress, or had been, that looked at how do you protect
companies, all companies, in that situation.
I think the second is incentivizing the private sector to
really look at how do you do a risk-based assessment of cyber
security and consider your network as a critical asset, because
the Internet is so important, and how do you invest in that
from the boardroom? This is not necessarily a technology
discussion. It doesn't even have to do with technology
providers. This is about how does business protect themselves,
and how does the government--what you can do is help
incentivize that, and that will actually foster creative
innovation for new and better and less expensive methods.
Mr. Lewis. We did a report about 6 months ago that found
that most corporate networks are tremendously insecure, and it
actually doesn't take very much effort to break in. In fact,
when we did the research, I was feeling sorry that I had gone
into the wrong line of business.
Here is a good example we came up with this morning in our
discussion with DOD. When you buy equipment, the password
default is ``password,'' and 90 percent of the time people
remember to change the password. That is great, except the
remaining 10 percent you are in. So finding a way to get
companies to do more--and it is not rocket science--do more to
secure their networks is crucial.
Mr. Bera. I have got a follow-up question, Dr. Lewis. If we
use the example of the World Trade Organization, you know, with
regards to trade, their norms of trade and their treaties that
have been negotiated, and there is mechanisms if we feel
someone is engaging in unfair trade practices where we can take
a country and have a system of an arbiter.
Now, you have already commented that you don't think a
treaty is doable at this juncture at the international level,
but you talked in terms of creating norms and confidence
builders. Can you talk about some of those norms and confidence
builders and then a mechanism, though, still if bad actors or
bad state actors act out of those norms and confidence
builders, there does--you know, again, using the bank robber
analogy, there has to be some system of penalty to incentivize
good behavior.
Mr. Lewis. True, that is a good question. And you might
want to look at the Budapest Convention as an example of why a
treaty won't work. About 80 nations, I think, have signed up to
it. The pace of getting more signatories is slow.
But what you could do is think of ways to agree on what
responsible behavior is, and one of them would be that the
international commitments you have in the physical world also
apply in cyberspace, and you exchange information on what you
are doing, military white papers, for example. And if people
don't observe those norms, then we need to think about
penalties. And an organization you might want to look at, it is
called the Financial Action Task Force. That is an example. If
you do money laundering and you are a country, guess what? It
is going to be harder for you to change money. It is going to
be a little harder for your central bank. We may have to think
about measures like that, making it harder to do business on
the Internet if you don't play by the rules.
Mr. Rauscher. The malicious actors are taking advantage of
the lack of cooperation in this space. As an engineer I think
of policy in this arena as the ability for entities to
anticipate the behavior of other entities, whether they be
machines, or governments, or individuals, or enterprises. And
we just don't have the tight coordination that we need, and so
there is a gap, and that is what is being taken advantage of.
What we have been doing at the institute is convening some
40 countries or more annually at an international summit. Our
next one this year in November is hosted by Stanford, in
Silicon Valley. We will be convening government and business
leaders from 40 countries and going head on addressing these
issues to try to tighten up that coordination.
Mr. Chabot. Thank you.
The gentleman's time has expired.
The gentleman from Indiana, Mr. Messer, is recognized for 5
minutes.
Mr. Messer. Thank you, Mr. Chairman. Thank you to members
of the panel.
I think you are getting close to the end of your
presentation. I think there is at least a question or two more,
but obviously, this is a very important issue. The cost to the
American economy is billions of dollars. The national security
threats are large and growing. You--there is little doubt--
there is no doubt that rogue nation states are participating in
these attacks, and that it is a complex problem that is going
to need complex solutions that require a lot of cooperation.
You have talked a little bit, each of you in the panel,
about the role of business and the role of government in
solving this problem. Is it more business or more government?
Mr. Rauscher. Well, I guess I will start. You know, for
traditional issues like security and trade, for military
issues, that has to be the government, and part of the reason
for that is that other countries expect it to be the
government. The Chinese once told me there is really no such
thing as the private sector, you know, it is all government. So
for those issues, trade, security, armed conflict, it has got
to be government.
For other issues it is not so clear. When we talk about
innovation or technical standards or business relationships,
that probably should be a private-sector lead.
Mr. Messer. And as you answer, you cited the need for
cooperation. Could you cite any examples of where cooperation
has occurred, because I think some of those examples might be
illustrative of the question.
Mr. Rauscher. I can cite an example. As I mentioned earlier
in my testimony, we have a Track 2 bilateral that we have done
with the Chinese on fighting spam, and we have many individuals
and corporations supporting this with their contributions of
mind share, and very rigorous analysis in their actions with
the Chinese on this. And this was able to be the result, I
think, because of the trusted facilitation that a third party
could do.
I actually did an analysis of how we were successful over
the last couple of years. I mentioned earlier that we had 27
recommendations, and over half are implemented. And the
comparative benchmark really is zero percent, because these are
really hard issues that, if you look at what we have taken on,
these are issues people aren't trying to address because they
think they are impossible. And in the analysis, why these
issues were stuck was governments have a difficulty at the
international level because they are appropriately representing
the national security interests that they have of their
individual countries, and so every other country is a little
suspect of what is happening. And then commercial entities are
appropriately protecting the fiduciary responsibilities that
they have toward their share owners, and so there is a little
suspicion sometimes about the commercial interests they may
have.
Now, both of these entities, governments and the private-
sector, companies that are commercially oriented are capable,
in many ways, of solving most of their problems. But there are
niches where there are really intractable problems that you
can't get into, and that is where a third-party entity that is
philanthropic and internationally overseen is able to create
the necessary trust to get over that hump. And so for the
really difficult problems, I think using NGOs that are oriented
toward action in trying to get breakthroughs is the right
solution and approach.
Ms. Schneck. So to this point on the NGOs, I have been
running these partnerships most of my adult life as a
volunteer, and one of them that I chair now, the National
Cyber-Forensics and Training Alliance, brings in the top-flight
analysts from banks, pharmaceutical companies, telecoms, et
cetera, and teams with other governments, and is anchored by
our U.S. Federal Bureau of Investigation.
So with all the legal agreements finally worked out over 10
years, it helped arrest over 400 cyber criminals worldwide, and
I think that is an example of how when you get the right
partnership, you get the expertise that each side brings, and
you maintain the swim lanes, from the points earlier. There are
things that government is better trained and better able to do,
and there are a lot of things, such as innovation, that are
going to survive quickly in the private sector.
Mr. Messer. One other question, a bit of a hot potato, but
I am going to go ahead and throw it out, which is just to what
extent, if any, do you think the recent revelations on the NSA
online surveillance activities have impacted and complicated
negotiations on these topics?
Mr. Lewis. With the bilateral negotiations with China, they
haven't had that much effect, largely because the U.S. has
previously told the Chinese, espionage is a two-way street, all
big countries do it; what we object to is the commercial
espionage. So the Chinese weren't particularly surprised or
didn't learn much from Snowden.
We don't know how it will play out internationally. It has
gotten a considerable reaction in Europe, less of a reaction in
Asia. One thing to bear in mind is most countries do things
like this, so it is not--it is a little--some of our European
friends are a bit hypocritical, and I hope they will calm down
a little bit and think about what their own agencies do.
So far not that much effect.
Mr. Chabot. The gentleman's time is expired.
The gentleman from Virginia, Mr. Connolly, is recognized
for 5 minutes.
Mr. Connolly. Thank you, Mr. Chairman.
Thank you to our panelists for being here.
I happen to believe cyber security probably is one of the
most important challenges, maybe the biggest threat, we face,
tied in with terrorism and superseding it.
Let me ask, Mr. Lewis, I read your testimony, and you said
in your testimony, cyber security as an issue for international
security is best addressed using diplomatic and trade tools. It
shouldn't be an item that leads to armed clash. And I think in
an ideal world, that is true. But it seems to me, dealing both
with the Russians and with the Chinese, there have to be some
understandings about red lines.
Red lines are dangerous things because sometimes they get
crossed, and we still don't react. But take the Cold War as a
parallel. I mean, during the Cold War both sides tested each
other as to the limits. So when the Soviets blocked surface
transportation to and from West Berlin, President Truman
launched the Berlin airlift and outlasted the Soviets. Now,
what the Soviets understood was they could buzz, they could try
to jam aircraft flying into Berlin, but they could not attempt
to shoot them down. That would be casus belli. So with respect
of that, back when we had planes that crashed, they even
returned the bodies of our airmen in the midst of this clash
between the two powers. So, there were unwritten rules, there
was always testing, but there was respect for something even
ill-defined that was a red line.
Clearly I think you would agree that if, for example,
organized cyber security attacks by a foreign government or
agents of a foreign government were to detonate a nuclear
weapon here in the United States by manipulating technology,
that would be a cause of war. That is not okay, and that is not
going to be solved by diplomatic means.
If you shut down--now, so where is that line? What are the
examples--we don't want to be too specific by implying that
everything else is okay, but I guess I am worried that maybe
the Chinese and, for that matter, the Russians, in testing us
and in exploiting the vulnerability of technology, they are
perhaps underestimating the backlash that can occur here that
can most certainly lead to armed conflict, and, by the way, in
some cases will.
I wonder if you would comment on that, because I know you
didn't mean forever, no matter what, and under all
circumstances.
Mr. Lewis. Three quick points. We do have red lines. Then-
Secretary Panetta laid them out in a speech last October. If a
cyber attack looks like it will cause the death of American
citizens or do significant economic harm to the U.S., we will
use military force preemptively. So those are our red lines:
Death, significant economic harm. Everybody knows that.
China, Russia, and others have been very, very careful not
to cross that line, not to use force, and we have the best
cyber offensive capability in the world. It has zero ability to
deter espionage or crime, zero. We are--zero to deter espionage
or crime, right. So we can keep people from attacking the U.S.
in a military sense, but we can't keep them from doing other
things.
The country that is testing us, and this is the worrisome--
this is the part I worry about. The country that is testing us
is Iran, and so Secretary Panetta's speech was aimed at Iran.
They backed down. And it was funny because the Iranian
activities went down for a couple of weeks, and they went right
back up, and they continue to this day. So we are being tested,
but it is by a country that is not as stable in its
decisionmaking as Russia and China. They know the rules. They
are not going to do anything that----
Mr. Connolly. One quick question, any of you. Do we need
some kind of international regime comparable to the WTO on
trade or the International Court of Justice in the Hague to
help govern the rules of engagement with respect to this
subject and--or not? Would that help or not?
Mr. Rauscher?
Mr. Rauscher. I see three spheres. I see humanitarian,
national security, and commercial. I think that the first two
have rules that can pretty much be aligned, and I think the
commercial one does need more cooperation. I am not sure if--
the type of entity, what it should look like, whether it is
intergovernmental or otherwise.
Mr. Connolly. Mr. Chairman, would you allow the other two
panelists to be able to respond, and I am done?
Mr. Chabot. Yes. Without objection, we will give them an
additional minute.
Mr. Connolly. I thank the chair.
Mr. Lewis. Well, the official U.S. position is that we
don't need a new institution, and it is already the case that
we use some of the existing institutions, the ASEAN Regional
Forum, the Organization for Security and Co-operation in
Europe, the U.N., as a way to address this. But one of the
things you see from other countries, including a lot of
countries in Asia is, yeah, maybe we will need some kind of
institution to deal with this, probably anchored in the U.N.
So it is sort of an open question. I think the U.S.
approach is right. First, let us agree on the rules, the
general rules, and then let us figure out how we want to
enforce them.
Ms. Schneck. So, we believe in global conversation. We
think there needs to be more conversation and commend some of
the recent efforts like those in the U.N. But these four, like
that mentioned by Dr. Rauscher and others, these are good
starts to that global forum, and we are committed to the
opportunity to participate in those and think that there is a
place for government and industry across the world, and this is
a conversation that is just beginning and really needs to
happen.
Mr. Connolly. Thank you.
Thank you, Mr. Chairman.
Mr. Chabot. Okay. Thank you. And the gentleman's time has
expired.
We will go into a second round of questions. I will
recognize myself for 5 minutes.
We spend a great deal of time talking about cyber threats
in East Asia, but as we are all aware, South Asia plays an
important role. In some cases it is not very positive. Pakistan
has joined with China and Turkey and Malaysia to counter cyber
threats posed by Western nations. The terrorism angle adds a
different perspective to this cooperation. My question is,
should we be worried about these nations, Pakistan, China, and
Turkey, for example, coordinating their cyber policies with
each other? Anyone may answer the question.
Mr. Lewis. Well, if the--the Malaysian effort you are
referring to is an organization called IMPACT. That hasn't
developed quite as much as you--they might have hoped, so I
don't think we have to worry about that.
It is interesting to ask whether the Pakistanis, the Turks,
the Chinese will come up with some competitive model that will
compete with the U.S. and its allies in how we should order
cyberspace. That is unlikely, but it is something certainly
that the Chinese are interested in.
The Indians are more likely to end up on our side. They are
a democracy, they like free speech, we have close commercial
ties.
So very complex diplomatic landscape, but I think that when
you look at places like Turkey, Pakistan, India, these are
countries whose views we do have to take into account now, that
we do have to find an arrangement with.
Mr. Chabot. Let me focus on India. They have been quite
active of late establishing its National Cyber Coordination
Center last month and releasing its National Cyber Security
Policy earlier this month. It calls the U.S. one of its biggest
threats, next to China, after the information revealed by Mr.
Snowden. However, India maintains a wide-ranging surveillance
program of its own that monitors its citizens' emails, phone
calls, social media activity, and Web searches without judicial
oversight.
Cooperation with India is an important aspect of U.S.
efforts to rebalance toward Asia, especially in regards to
trade and military cooperation. How do you think disagreements
on cyber will affect the overall U.S.-India relationship? What
is your opinion of the way India is handling cyber security? Do
you think these recent initiatives or policies could possibly
negatively affect its already hostile bilateral relationship
with Pakistan?
Yes, Mr. Rauscher.
Mr. Rauscher. I have some insights that might be useful on
some of this. We held our annual summit last year in New Delhi,
so I spent a lot of time in New Delhi working with government
leaders and the industry there, and certainly the step you
cite, this National Cyber Coordination Center, is in the right
direction.
A key word there is ``coordination.'' There is a lot of
coordinating to do, but there are also limitations in the
capacity. As I mentioned earlier, the penetration rate, it is
still fairly early in that country, about 10 percent, and so
there is a lot of capacity to be built to coordinate both in
the government and in the private sector.
Whether or not this is a role model for other countries in
the region is unclear yet, but what is a role model is a highly
functioning CERT, the Computer Emergency Readiness Team, that
is a model that works consistently effectively, and also the
MAAWG.
There is a private-sector organization being set up in
Mumbai to deal proactively with botnets that are being set up
there by external actors of the country. Spam is identified as
the leading producer of international spam. India is recognized
as the leading producer of international spam. And, again, as I
mentioned earlier, it is a vehicle for malicious code, and
their coordination with external experts to root out these
botnets and sources of spam is really critical not only for
India, but the rest of the world, particularly in English-
speaking countries.
Mr. Chabot. Thank you.
I have about 1 minute left if either of the other panel
members want to weigh in on either issue.
Mr. Lewis. Sure.
Mr. Chabot. Mr. Lewis?
Mr. Lewis. The Indians' primary concern in cyber security
is with Pakistan and Pakistani nonstate actors or state-
sponsored actors launching some kind of attack against India.
Their second concern is Chinese espionage, and one of the
things that works in our favor is they aren't particularly
friends with the Chinese all the time, and they worry a lot
about it, so we have an opportunity to work with India. The
thing we have to avoid in doing that is giving the impression
that we are trying to contain China. The Chinese worry about
this a lot. We do need to build a partnership with India, but
we have to do it in a way that doesn't appear to be
deliberately trying to contain China.
Mr. Chabot. Thank you very much.
The gentleman from American Samoa, Mr. Faleomavaega, is
recognized for 5 minutes.
Mr. Faleomavaega. Thank you, Mr. Chairman.
We are in a dilemma here, and maybe I am not on the right
track, and somewhat of an irony here that we are concerned
about our national security. At the same time how do we go
about making sure that government does not intrude into
fundamental, basic constitutional rights and freedom?
And I guess you know where I am headed at. Right now before
us is a situation where an American citizen has decided that
total violation of the right of the American people to know
what is going on. I am talking about Mr. Snowden. How do we put
Snowden's situation here with what we are talking about as far
as cyber security, intelligence, the spying, the espionage, and
all that is going on? And by the way, it seems that it is not
just toward China, but our own allies. And, of course, our own
allies spy on us, too. So, where do we--where do we measure the
sense of balance in what was raised earlier when we talk about
cyber security in that regard? Please.
Mr. Rauscher. Well, I think it has been humbling for us as
Americans who travel abroad and talk about these issues--what
is happening in our own country. And I am proud when I go
anywhere in the world to talk about our ideals. I think we have
the best country that has been set up in history. And I think
if we look back to our Founding Fathers and the challenges they
have given us in the Constitution, we could get some direction
to answer your question.
I know when we look at this issue, we are often looking at
the Fourth Amendment. But this is a bit bold, and pardon me a
little bit, I am an electrical engineer here, but I actually
think that information is power, and when I look at the Second
Amendment, that is the place where our Founding Fathers boldly,
you know, set up this power balance with the people. And I
think that we should look for the analogy from the Second
Amendment to say, as the government seeks to use technology to
enhance its ability to protect national security legitimately,
that it needs to look at how it affects the balance with the
power that the people have--not independent courts that are
kind of private, but actual people, the public--have in terms
of information regarding what the government's activities are.
So I think there is some insight. It is not a completely
traced proposal, but I think that there is something--a
principle there in our Bill of Rights that gives us some
insight about how we should handle that.
I think it is important for us to continue to carry the
mantle of freedom. We have done that for generations now in our
country, and we need to continue to do that for the rest of the
world.
Mr. Faleomavaega. The only thing that disturbs me about Mr.
Snowden's situation is the fact that when you are in this kind
of a relationship in terms of your employment with the national
government, and you are given an oath to swear as far as
security interests of the country, and especially putting the
lives of our men and women at risk in terms of when you get
into the intelligence, when you get into espionage, when you
get into the kind of activity the National Security Agency is
involved--and by the way, this administration simply followed
what the PATRIOT Act provisions provide, allowing the President
to do what he is doing, and there is nothing illegal in what
the President in this administration has done as far as putting
out these feelers, if you want to call it, whether it be in our
European Union country allies or any other country in the
world.
But what--again, it goes back again, does Mr. Snowden
really believe that what our Government has done is beyond the
rights that have been given under the Constitution of our
country as far as the freedom to know?
Mr. Lewis. Mr. Snowden is kind of a naive child. I mean, if
he had a brain, he would have gone to Brazil, right, where they
don't have an extradition treaty. But he did bring us to a
debate that maybe we should have had, and it has to be an open
debate over the balance between surveillance and privacy.
It would hurt--it wouldn't hurt to have greater
transparency, you know, where you could publish FISA findings
with things blacked out, but we have to recognize--and this is
getting lost--there is a trade-off between privacy and
security. And what I worry is that we will overreact to
Snowden's foolish revelations and constrain our ability to
protect American citizens. We need that debate, greater
transparency would be good, but let us not forget this is what
it is protecting us.
Mr. Faleomavaega. Dr. Schneck.
Ms. Schneck. Yes. There is nothing more important than that
balance of privacy and security for our national security and
for our country. All the other stuff aside, information
protects information, and we need security and privacy to
protect each other. That is what we are here to protect is our
way of life and our way of life as global citizens and as
Americans, and that takes data, and it takes data to protect
data, and we need to find the right way to make sure that we
maintain that in an electronic world.
Mr. Faleomavaega. Again, Mr. Chairman, I truly want to
thank our panel of experts here this afternoon. They have been
a most entertaining and educational experience for me in
understanding more about cyber security. Thank you, Mr.
Chairman, and I want to thank the panel as well.
Mr. Chabot. Thank you very much.
We will conclude with the gentleman from Virginia for 5
minutes.
Mr. Connolly. Hello again.
Mr. Lewis, let me pick up on something you said and play
devil's advocate, and I do genuinely mean devil's advocate.
You said that, yeah, we need to work with India, but we
have to be very careful that the perception is not that we are
somehow tilting against the Chinese or ganging up on them.
Chinese are very sensitive about that. Devil's advocate
question: Why should we care?
I mean, here is a country that is cheating. They are
cheating on intellectual content, they are cheating on
protections of intellectual property, I mean, from Starbucks
coffee to software. It is breathtaking. Rather than invent
their own, they just steal it from us, let us do the R&D
investment. They are stealing military secrets using cyber
security hacking attacks. It is systematic. It is not rogue
elements running around in China who can control them. This is
actually headquartered in the military compound, run by
elements of the Chinese People's Liberation Army.
It is wholesale, state-supported theft, and a direct threat
to the national security of this country as well as some
others. So why wouldn't we openly cooperate with India to send
a message that we are prepared to protect our interests and
work with those who want to work with us, and, yeah, it is at
your expense. You have been engaged in all kinds of things at
our expense. Why should we be so sensitive to China?
Mr. Lewis. No, that is a good point, and the Chinese would
probably say--I am starting to play devil's advocate--is you
guys don't care about our feelings, and you are trampling over
them anyhow, and you are trying to contain us.
I think I look at it from the perspective of, you know, we
are in the phase now where we need to persuade the Chinese to
change their behavior. We cannot coerce them. They are too big
a country. The only way you are going to coerce them is if we
go to a war. That is in no one's interest.
So we need to persuade them, we need to avoid conflict. And
the Chinese are paranoid. One of the things, I think, that
would be useful is if the Chinese, especially the PLA, moved
away from the sort of Maoist heritage of everyone is trying to
get out--everyone is trying to get us.
So in thinking about how to shape the Chinese internal
politics, I think that, you know, this open approach, we have
just started to try it, we have just started engagement, let us
see how it works. There are factions in China that want to work
with the U.S., that want to move in the right direction. Let us
encourage them. Three years from now, 4 years from now, if it
hasn't worked, then we can think about stronger measures.
Mr. Connolly. I guess I would suggest to you that my own
observation over four decades is the Chinese respect power and
sometimes little else, so the ``there, there, now, now, let's
try to work this out, and my, my, try not to do that again''
approach is not one that is very efficacious, and not one that
is respected in Beijing. And at some point, it seems to me, we
have to protect our own interests, economic, political,
military.
I am not arguing for a forceful, you know, armed conflict,
but I am arguing for much tougher enforcement and teeth with it
than has occurred heretofore.
Mr. Lewis. No, I think that is right. I think we will get
to the point where we will need to use punitive measures to
encourage the Chinese, but we want to do it in a careful
fashion. They are afraid of us, right? They look at us, and
they know we are infinitely more capable than them.
We are all over their networks, right? Their networks can't
be defended. So we are ready. We don't have to send the
message, we are mad at you, and we could overpower you. They
already know it. So I want to find a way to work with them. If
that doesn't pan out, you know, give it a few years, and if we
get into a harder place, sure, think of harder measures. But we
don't have to scare them; they are already afraid.
Mr. Connolly. Final question: What is your assessment of
the talks between the new President of China and President
Obama on this subject?
Mr. Lewis. Well, the State Department says the talks went
very well, so I know that comes as a news flash. And I think
actually they did. In some of the preparatory meetings, Chinese
officials told us that China is reconsidering its position in
light of the changes in the international environment. The
Chinese know they have a problem; they know they have to
change. How much they will change will depend on how
consistently and persistently we press them.
Overall I am confident if we can maintain this effort for 3
or 4 years, we will be in a different place. If we back off,
you are right, the Chinese will just revert to their normal
behavior. But they are interested in saying, how do we get to a
deal with U.S., what does a deal mean? It is true that their
first thing was, okay, we agreed to a working group, doesn't
that make you happy, right? And I think that Americans thought
it was good in saying, no, it is nice that we have a working
group, but we need to do more. And they agreed to more talks,
they agreed to work on norms. So we are on the right path.
It is a big country. It is going to take a while to talk
them out of it. When we did this in proliferation, it took 4 or
5 years to get them to change.
Mr. Connolly. You know, Mr. Chairman, Mr. Lewis' answer to
me at the beginning, the State Department said the talks went
very well, reminded me of that famous incident with Ronald
Reagan when he was President. He was on the White House lawn,
and a scrum of reporters were shouting out questions. He either
couldn't or feigned he couldn't hear, and he was with Nancy
Reagan at one point, and so she says in his ear, but it gets
picked up, ``We are doing the best we can,'' and he goes, ``We
are doing the best we can.''
Mr. Chabot. I remember that.
Mr. Connolly. The talks went very well.
Thank you very much.
Mr. Chabot. God bless Ronald Reagan.
I want to thank the panel for their testimonies this
afternoon. It has been very helpful to the committee. Without
objection, members will have 5 days to submit questions or
revise remarks.
If there is no further business to come before the
subcommittee, we are adjourned. Thank you.
[Whereupon, at 3:45 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Notice