b"<html>\n<title> - CYBER THREATS AND SECURITY SOLUTIONS</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                  CYBER THREATS AND SECURITY SOLUTIONS\n\n=======================================================================\n\n\n\n                                HEARING\n\n                               BEFORE THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 21, 2013\n\n                               __________\n\n                           Serial No. 113-45\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n82-197                    WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\nRALPH M. HALL, Texas                 HENRY A. WAXMAN, California\nJOE BARTON, Texas                      Ranking Member\n  Chairman Emeritus                  JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nJOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  ANNA G. 
ESHOO, California\nMIKE ROGERS, Michigan                ELIOT L. ENGEL, New York\nTIM MURPHY, Pennsylvania             GENE GREEN, Texas\nMICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado\nMARSHA BLACKBURN, Tennessee          LOIS CAPPS, California\n  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania\nPHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois\nSTEVE SCALISE, Louisiana             JIM MATHESON, Utah\nROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina\nCATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia\nGREGG HARPER, Mississippi            DORIS O. MATSUI, California\nLEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin \nBILL CASSIDY, Louisiana                  Islands\nBRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida\nPETE OLSON, Texas                    JOHN P. SARBANES, Maryland\nDAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California\nCORY GARDNER, Colorado               BRUCE L. BRALEY, Iowa\nMIKE POMPEO, Kansas                  PETER WELCH, Vermont\nADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico\nH. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York\nGUS M. BILIRAKIS, Florida\nBILL JOHNSON, Missouri\nBILLY LONG, Missouri\nRENEE L. ELLMERS, North Carolina\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Marsha Blackburn, a Representative in Congress from the \n  State of Tennessee, opening statement..........................     1\n    Prepared statement...........................................     3\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, opening statement...............................     4\n    Prepared statement...........................................     5\nHon. 
Fred Upton, a Representative in Congress from the State of \n  Michigan, prepared statement...................................   152\n\n                               Witnesses\n\nPatrick D. Gallagher, Under Secretary of Commerce for Standards \n  and Technology, and Director, National Institute of Standards \n  and Technology.................................................     6\n    Prepared statement...........................................     9\n    Answers to submitted questions...............................   153\nDave McCurdy, President and CEO, American Gas Association, and \n  Former Chairman of the House Intelligence Committee............    38\n    Prepared statement...........................................    41\n    Answers to submitted questions...............................   157\nJohn M. (Mike) McConnell, Vice Chairman, Booz Allen Hamilton, and \n  Former Director of National Intelligence.......................    55\n    Prepared statement...........................................    56\n    Answers to submitted questions...............................   160\nR. James Woolsey, Chairman, Woolsey Partners LLC, and Former \n  Director of Central Intelligence...............................    72\n    Prepared statement...........................................    74\n    Answers to submitted questions...............................   162\nMichael Papay, Vice President and Chief Information Security \n  Officer, Northrop Grumman Information Systems..................    79\n    Prepared statement...........................................    81\n    Answers to submitted questions...............................   164\nPhyllis Schneck, Vice President and Chief Technology Officer, \n  Global Public Sector, McAfee, Inc..............................    88\n    Prepared statement...........................................    
90\nCharles Blauner, Global Head of Information Security, Citigroup, \n  Inc., on Behalf of the American Bankers Association............    99\n    Prepared statement...........................................   101\n    Answers to submitted questions...............................   167\nDuane Highley, President and CEO, Arkansas Electric Cooperative \n  Corporation, on Behalf of the National Rural Electric \n  Cooperative Association........................................   112\n    Prepared statement...........................................   114\n    Answers to submitted questions...............................   169\nRobert Mayer, Vice President, Industry and State Affairs, United \n  States Telecom Association.....................................   121\n    Prepared statement...........................................   123\n    Answers to submitted questions...............................   171\n\n\n                  CYBER THREATS AND SECURITY SOLUTIONS\n\n                              ----------                              \n\n\n                         TUESDAY, MAY 21, 2013\n\n                  House of Representatives,\n                  Committee on Energy and Commerce,\n                                            Washington, DC.\n    The committee met, pursuant to call, at 10:05 a.m., in room \n2123 of the Rayburn House Office Building, Hon. 
Marsha \nBlackburn (vice chairman of the committee) presiding.\n    Present: Representatives Blackburn, Shimkus, Pitts, Walden, \nTerry, Rogers, Murphy, Burgess, Scalise, Latta, Harper, Lance, \nCassidy, Olson, McKinley, Gardner, Pompeo, Kinzinger, Griffith, \nBilirakis, Johnson, Long, Ellmers, Dingell, Rush, Eshoo, Green, \nDeGette, Capps, Doyle, Schakowsky, Matheson, Butterfield, \nBarrow, Matsui, Castor, McNerney, Braley, Tonko, and Waxman (ex \nofficio).\n    Staff present: Nick Abraham, Legislative Clerk; Carl \nAnderson, Counsel, Oversight; Gary Andres, Staff Director; \nCharlotte Baker, Press Secretary; Ray Baum, Senior Policy \nAdvisor/Director of Coalitions; Mike Bloomquist, General \nCounsel; Matt Bravo, Professional Staff Member; Patrick \nCurrier, Counsel, Energy and Power; Neil Fried, Chief Counsel, \nCommunications and Technology; Brad Grantz, Policy Coordinator, \nOversight and Investigations; Gib Mullan, Chief Counsel, \nCommerce, Manufacturing, and Trade; Andrew Powaleny, Deputy \nPress Secretary; David Redl, Counsel, Telecom; Krista \nRosenthall, Counsel to Chairman Emeritus; Chris Sarley, Policy \nCoordinator, Environment and the Economy; Peter Spencer, \nProfessional Staff Member, Oversight; Dan Tyrrell, Counsel, \nOversight; Lyn Walker, Coordinator, Admin/Human Resources; Phil \nBarnett, Democratic Staff Director; Jeff Baron, Democratic \nSenior Counsel; Shawn Chang, Democratic Senior Counsel; Patrick \nDonovan, FCC Detailee; Margaret McCarthy, Democratic Staff; \nRoger Sherman, Democratic Chief Counsel; and Kara van Stralen, \nDemocratic Policy Analyst.\n\nOPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF TENNESSEE\n\n    Mrs. Blackburn. The subcommittee will come to order. 
As we \nopen our hearing today, I am certain we all are mindful and \nremembering and are prayerful for those in Oklahoma, and our \nformer colleague, Governor Mary Fallin, who is addressing that \ntragedy today with the storms there in Oklahoma. I recognize \nmyself for 5 minutes for an opening statement.\n    American companies, the U.S. government and private \ncitizens are facing new challenges in the fight to protect our \nNation's security, economy, intellectual property and critical \ninfrastructure from cyber attacks.\n    Today the Energy and Commerce Committee is exploring how \nthe private sector and our government are responding. We will \nalso review the implementation of the President's Cybersecurity \nExecutive Order 13636.\n    Cyber attacks have grown in scope and sophistication to \ninclude nearly every industry and asset that makes America \nwork. That is why this committee is well positioned to lead, \noversee and review policies and solutions to these wide-ranging \nand evolving threats. Last year an al-Qaeda video surfaced \ncalling for a covert cyber jihad against the United States. On \nSunday, the New York Times reported that hackers sponsored by \nChina's People's Liberation Army have resumed attacks on U.S. \ntargets. According to the GAO, the number of cyber incidents \nreported by federal agencies to U.S. Computer Emergency \nReadiness Teams has increased by 782 percent over 6 years.\n    As vice chairman of the full committee, I offered a \ndiscussion framework, the SECURE IT Act, to provide our \ngovernment, business community and citizens with the tools and \nresources needed to protect themselves from those who wish us \nharm. 
The five major components that make up the Secure IT Act \nare, number one, allow the government and the private sector to \nshare cyber threat information in a more transparent fashion; \nnumber two, reform how our government protects its own \ninformation systems; number three, create new deterrents for \ncyber criminals; number four, prioritize research and \ndevelopment for cybersecurity initiatives; and number five, \nstreamline consumers' ability to be notified when they are at \nrisk of identity theft and financial harm.\n    One of the things we know is that cybersecurity is uniquely \nill suited for federal regulation. Rapid changes in technology \nguarantee the failure of static, prescriptive approaches. Our \nfocus should be on developing consensus public policy that puts \nAmerican businesses in the driver's seat and allows cooperation \nand collaboration, not top-down and one-size-fits all mandates.\n    NIST's written testimony on implementing the framework of \nthe Executive order states, ``Any efforts to better protect \ncritical infrastructure need to be supported and implemented by \nthe owners and operators of this infrastructure. It also \nreflects the reality that many in the private sector are \nalready doing the right things to protect their systems and \nshould not be diverted from those efforts through new \nrequirements.'' Private solutions--not government \npresumptions--offer the best prospect for our future cyber \ndefenses.\n    As we explore ways to incentivize the private sector to \ndiminish our exposure to cyber threats, we must ensure the \nExecutive order stays true to a voluntary, cooperative \nstandard. 
Likewise, Congress and the executive branch should \nrefrain from further exploring legislative regulatory proposals \ngiving DHS authority to impose critical infrastructure \nrequirements as our government is purportedly already in the \nmidst of working with the private sector to draft a voluntary \ncybersecurity framework.\n    I look forward to the testimony and appreciate each and \nevery one of our nine witnesses' thoughtful answers to our \nquestions this morning.\n    [The prepared statement of Mrs. Blackburn follows:]\n\n              Prepared statement of Hon. Marsha Blackburn\n\n    American companies, the U.S. government, and private \ncitizens are facing new challenges in the fight to protect our \nnation's security, economy, intellectual property, and critical \ninfrastructure from cyber attacks.\n    Today the Energy and Commerce Committee is exploring how \nthe private sector and our government are responding. We will \nalso review the implementation of the President's Cybersecurity \nExecutive Order 13636.\n    Cyber attacks have grown in scope and sophistication to \ninclude nearly every industry and asset that makes America \nwork. That is why this committee is well-positioned to lead, \noversee, and review policies and solutions to these wide-\nranging and evolving threats. Last year an al-Qaeda video \nsurfaced calling for a covert cyber jihad against the United \nStates. On Sunday the New York Times reported that hackers \nsponsored by China's People's Liberation Army have resumed \nattacks on U.S. targets. According to the GAO, the number of \ncyber incidents reported by federal agencies to US Computer \nEmergency Readiness Team has increased by 782 percent over 6 \nyears.\n    As vice chairman of the full committee, I offered a \ndiscussion framework--the SECURE IT Act--to provide our \ngovernment, business community, and citizens with the tools and \nresources needed to protect themselves from those who wish us \nharm. 
The five major components that make up the Secure IT Act \nare: 1) allow the government and the private sector to share \ncyber threat information in a more transparent fashion; 2) \nreform how our government protects its own information systems; \n3) create new deterrents for cyber criminals; 4) prioritize \nresearch and development for cybersecurity initiatives; and 5) \nstreamline consumers' ability to be notified when they are at \nrisk of identity theft and financial harm.\n    One of the things we know is that cybersecurity is uniquely \nill-suited for federal regulation. Rapid changes in technology \nguarantee the failure of static, prescriptive approaches. Our \nfocus should be on developing consensus public policy that puts \nAmerican businesses in the driver's seat and allows cooperation \nand collaboration, not top-down and one-size-fits-all mandates.\n    NIST's written testimony on implementing the framework of \nthe Executive order states, ``Any efforts to better protect \ncritical infrastructure need to be supported and implemented by \nthe owners and operators of this infrastructure. It also \nreflects the reality that many in the private sector are \nalready doing the right things to protect their systems and \nshould not be diverted from those efforts through new \nrequirements.'' Private solutions--not government \npresumptions--offer the best prospect for our future cyber \ndefenses.\n    As we explore ways to incentivize the private sector to \ndiminish our exposure to cyber threats, we must ensure the \nExecutive order stays true to a voluntary, cooperative \nstandard. 
Likewise, Congress and the executive branch should \nrefrain from further exploring legislative regulatory proposals \ngiving DHS authority to impose critical infrastructure \nrequirements as our government is purportedly already in the \nmidst of working with the private sector to draft a voluntary \ncybersecurity framework.\n    I look forward to the testimony and appreciate all nine of \nour witnesses' thoughtful answers to our questions this \nmorning.\n\n                                #  #  #\n\n    Mrs. Blackburn. At this time, is there any member seeking \nthe remainder of the time? I yield back my time, and Mr. \nWaxman, you are recognized for 5 minutes.\n\nOPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Waxman. Thank you very much, Madam Chair, for holding \nthis hearing today on cyber threats to the Nation's critical \ninfrastructure.\n    Cybersecurity is a vital concern for sectors that span the \ncommittee's jurisdiction, from the electric grid and natural \ngas pipelines to telecommunications networks and health care. \nOur committee should be playing a key role in developing \npolicies to enhance the cybersecurity of the infrastructure we \ndepend on every day for power, drinking water, communications \nand medical care. All of these sectors are essential to the \ndaily operation of our economy and our government, but I want \nto focus on one in particular: the electric grid.\n    The Nation's critical infrastructure and defense \ninstallations simply cannot function without electricity. The \ncommittee has a special responsibility to ensure that the \nelectric grid is properly defended from cyber and physical \nattacks. 
The Executive order we are examining today is a step \nin the right direction but we also need new legislation.\n    In January, Representative Ed Markey and I wrote to more \nthan 150 electric utilities to ask about their efforts to \nprotect the electric grid from cyber attacks, physical attacks \nand geomagnetic storms. We received responses from over 60 \npercent of those utilities.\n    Today, we are releasing a report analyzing the responses we \nreceived. The findings are sobering. Many utilities reported \nthat the electric grid is a target of daily cyber attacks. Some \nutilities explained that they are under a ``constant state of \nattack.'' One utility reported that it was the target of \napproximately 10,000 attempted cyber attacks each month. The \nutilities did not report any damage from these attacks to date, \nbut the threat is growing.\n    An industry organization called the North American Electric \nReliability Corporation, or NERC, develops mandatory \nreliability standards for the electric grid through a \nprotracted consensus-based process. NERC also recommends \nvoluntary actions to utilities. Our report finds that most \nutilities comply only with the mandatory cyber security \nstandards, which mostly focus on general procedures. They have \nnot implemented the voluntary NERC recommendations, which are \ntargeted at specific threats. For example, only 21 percent of \ninvestor-owned utilities reported implementing NERC's \nrecommended actions to protect against the Stuxnet virus.\n    The failure of utilities to heed the advice of their own \nindustry-controlled reliability organization raises serious \nquestions about whether the grid will be adequately protected \nby a voluntary approach to cybersecurity. 
When specific threats \narise, prompt action is needed, but utilities are apparently \nnot responding to the alerts from this organization.\n    We also asked utilities about geomagnetic storms, which can \ninterfere with the operation of the electric grid and damage \nlarge electric transformers. Most utilities have not taken \nconcrete steps to reduce the vulnerability of the grid to \ngeomagnetic storms. Only one-third of investor-owned utilities \nand one-fifth of municipal utilities or rural electric co-ops \nreported taking specific mitigation measures, such as hardening \ntheir equipment. The Federal Energy Regulatory Commission is \naware of this vulnerability to geomagnetic storms. Last week, \nit directed NERC to address the issue. Yet FERC lacks the \nauthority to make sure that NERC's actions are sufficient.\n    In 2010, Congressman Fred Upton and Congressman Ed Markey \nintroduced the bipartisan GRID Act to provide FERC with \nauthority to address cyber threats and vulnerabilities. The \nlegislation also provided FERC with the authority to protect \nthe grid against physical attacks, electromagnetic pulses and \ngeomagnetic storms. There was a bipartisan consensus that \nnational security required us to act. That bill was reported \nout of this committee by a vote of 47 to nothing, and then it \npassed the full House by voice vote. However, the Senate did \nnot act on the legislation.\n    Madam Chair, we need to work together in a bipartisan way \nto protect the electric grid. Nothing in the executive order we \nare examining today will address the regulatory gaps that \nprevent FERC from acting decisively to tackle these dangers. I \nhope that today's hearing will be the first step in rebuilding \nthe bipartisan consensus we had on the need for legislative \naction. Thank you, Madam Chair.\n    [The prepared statement of Mr. Waxman follows:]\n\n               Prepared statement of Hon. Henry A. Waxman\n\n    Mr. 
Chairman, thank you for holding today's hearing on \ncyber threats to the nation's critical infrastructure. Cyber \nsecurity is a vital concern for sectors that span the \nCommittee's jurisdiction--from the electric grid and natural \ngas pipelines to telecommunications networks and health care. \nOur Committee should be playing a key role in developing \npolicies to enhance the cyber security of the infrastructure we \ndepend on every day for power, drinking water, communications, \nand medical care.\n    All of these sectors are essential to the daily operation \nof our economy and our government, but I want to focus on one \nin particular: the electric grid. The nation's critical \ninfrastructure and defense installations simply cannot function \nwithout electricity.\n    The Committee has a special responsibility to ensure that \nthe electric grid is properly defended from cyber and physical \nattacks. The Executive order we are examining today is a step \nin the right direction. But we also need new legislation.\n    In January, Ed Markey and I wrote to more than 150 electric \nutilities to ask about their efforts to protect the electric \ngrid from cyber attacks, physical attacks, and geomagnetic \nstorms. We received responses from over 60% of those utilities.\n    Today, we are releasing a report analyzing the responses we \nreceived. The findings are sobering. Many utilities reported \nthat the electric grid is the target of daily cyber attacks. \nSome utilities explained that they are under a ``constant state \nof attack.'' One utility reported that it was the target of \napproximately 10,000 attempted cyber attacks each month.\n    The utilities did not report any damage from these attacks \nto date. But the threat is growing.\n    An industry organization called the North American Electric \nReliability Corporation, or NERC, develops mandatory \nreliability standards for the electric grid through a \nprotracted, consensus-based process. 
NERC also recommends \nvoluntary actions to utilities. Our report finds that most \nutilities comply only with the mandatory cyber security \nstandards, which mostly focus on general procedures. They have \nnot implemented the voluntary NERC recommendations, which are \ntargeted at specific threats. For example, only 21% of \ninvestor-owned utilities reported implementing NERC's \nrecommended actions to protect against the Stuxnet virus.\n    The failure of utilities to heed the advice of their own \nindustry-controlled reliability organization raises serious \nquestions about whether the grid will be adequately protected \nby a voluntary approach to cyber security. When specific \nthreats arise, prompt action is needed. But utilities are \napparently not responding to the alerts from NERC.\n    We also asked utilities about geomagnetic storms, which can \ninterfere with the operation of the electric grid and damage \nlarge electric transformers. Most utilities have not taken \nconcrete steps to reduce the vulnerability of the grid to \ngeomagnetic storms. Only one-third of investor-owned utilities \nand one-fifth of municipal utilities or rural electric co-ops \nreported taking specific mitigation measures, such as hardening \ntheir equipment.\n    The Federal Energy Regulatory Commission is aware of this \nvulnerability to geomagnetic storms. Last week, it directed \nNERC to address the issue. Yet FERC lacks the authority to make \nsure that NERC's actions are sufficient.\n    In 2010, Fred Upton and Ed Markey introduced the bipartisan \nGRID Act to provide FERC with authority to address cyber \nthreats and vulnerabilities. The legislation also provided FERC \nwith authority to protect the grid against physical attacks, \nelectromagnetic pulses, and geomagnetic storms. There was a \nbipartisan consensus that national security required us to act. \nThat bill was reported out of this Committee by a vote of 47 to \nzero. 
And then it passed the full House by voice vote. However, \nthe Senate did not act on the legislation.\n    Mr. Chairman, we need to work together in a bipartisan way \nto protect the electric grid. Nothing in the executive order we \nare examining today will address the regulatory gaps that \nprevent FERC from acting decisively to tackle these dangers.\n    I hope that today's hearing will be the first step in \nrebuilding the bipartisan consensus we had on the need for \nlegislative action.\n\n    Mrs. Blackburn. The gentleman yields back, and I would like \nto welcome and recognize our first witness today. Dr. Gallagher \nis the Under Secretary of Commerce for Standards and Technology \nand Director of the National Institute of Standards and \nTechnology, or NIST. And everyone knows, Mr. Waxman had all of \nhis acronyms. There is an app for that. You can get an app and \nfollow all of these acronyms. Dr. Gallagher, we are delighted \nyou are here, and you are recognized for 5 minutes for an \nopening statement.\n    Mr. Waxman. Madam Chair, can I just ask a question? Is the \napp able to tell us what a NERC and a FERC is for jerks? Oh, \nbad joke.\n    Mrs. Blackburn. Dr. Gallagher, you are recognized.\n\n   STATEMENT OF DR. PATRICK D. GALLAGHER, UNDER SECRETARY OF \n COMMERCE FOR STANDARDS AND TECHNOLOGY, AND DIRECTOR, NATIONAL \n             INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n    Dr. Gallagher. Thank you, Madam Chair and Ranking Member \nWaxman. I want to thank you and the members of this committee \nfor this opportunity to testify today. My task this morning is \nto briefly summarize NIST's role and our responsibility \nspecifically to develop a framework to reduce cyber risk to \ncritical infrastructure.\n    It may be a surprise to some that an agency of the U.S. \nDepartment of Commerce has a key role in cybersecurity, but in \nfact, NIST has a long history in this area. 
We have provided \ntechnical support to cybersecurity for over 50 years working \nclosely with our federal partners. Also because NIST is a \ntechnical but non-regulatory agency, we provide a unique \ninterface with industry to support their technical and \nstandards efforts. Today NIST has programs in a wide variety of \ncybersecurity areas including cryptography, network security, \nsecurity automation, hardware roots of trust, identity \nmanagement and cybersecurity education.\n    As directed in the Executive order, NIST will work with \nindustry to develop a cybersecurity framework. This is in \nessence a collection of industry-developed standards and best \npractices to reduce cyber risk to critical infrastructure. The \nDepartment of Homeland Security in coordination with sector-\nspecific agencies will then support the adoption of the \ncybersecurity framework by owners and operators of critical \ninfrastructure and other interested entities through a \nvoluntary program.\n    To be successful, two major elements have to be part of \nthis approach. First, it will require an effective partnership \nacross government to ensure that our work with industry for the \ncybersecurity framework is fully integrated with the mission of \na diverse set of agencies. This will enable a more holistic \napproach to addressing the complex nature of this challenge.\n    Secondly, the cybersecurity framework must be developed \nthrough a process that is industry led and open and transparent \nto all stakeholders. By having industry develop their own \npractices that are responsive to the performance goals, this \nprocess will ensure a robust technical basis but also one \naligned with business interests. This approach has many \nbenefits. It does not dictate a specific solution to industry \nbut it promotes industry offering its own solutions. 
It \nprovides solutions that are compatible with the market and \nother business conditions, and by leveraging industry's own \ncapacity, it brings more talent and expertise to the table to \ndevelop the solutions.\n    This is not a new or novel approach for NIST. We have \nutilized very similar approaches in the recent past to address \nother pressing national priorities, most notably on the \ndevelopment of a nationwide end-to-end interoperable smart \ngrid, and in the area of cloud computing technologies. We \nbelieve we know how to do this.\n    Since this is industry's framework, the NIST role will be \nto lend its technical expertise and to support their efforts. \nWe will act as a convener, a contributor, and we will work \nclosely with our federal partners to ensure that the effort is \nrelevant and contributes to their missions to protect the \npublic.\n    So what is in this framework? In short, whatever is needed \nto achieve good cybersecurity performance. In practice, we \nexpect that the framework will include standards, \nmethodologies, procedures and processes that can align \nbusiness, policy and technological approaches to address cyber \ncritical infrastructure.\n    Let me touch quickly on the topic of standards and their \nimportance to the success of this effort. By ``standards,'' I \nam using the term as industry does. These are agreed-upon best \npractices or specifications, norms, if you will, that allow \ncompatibility of efforts to meet a goal. These are not the same \nthing as regulation. Industry standards are developed through a \nmulti-stakeholder voluntary consensus process, and it is this \nprocess that gives standards their considerable power, that is, \ntheir broad acceptance around the world. These standards are \nnot static. They can be changed to meet technological advances \nand new performance requirements. 
Performance-based standards \npromote innovation by allowing new products and services to \ncome to the market in a way that is not a tradeoff with good \nsecurity.\n    Madam Chair, I appreciate the challenge before us. The \nExecutive order requires the framework to be developed within \none year. A preliminary framework is due already within 8 \nmonths, and we have already begun to work on this. We have \nissued a request for information to gather relevant input from \nindustry and other stakeholders, and we are actively inviting \nstakeholders to participate in the cybersecurity framework \nprocess. The early response from industry has been very \ngratifying. Over the next few months, we will convene a series \nof deep dive workshops and use these workshops to develop the \nframework. This forum allows the needed collaboration and \nengagement. The first workshop was held in early April to start \norganizing the process, and next week will be our first full \nworkshop.\n    Last week, we released the initial findings from an early \nanalysis of the responses to the request for information. These \nresponses range from individuals to large corporations and \ntrade association from a few sentences on particular topics to \ncomprehensive responses that ran well over 100 pages. Next week \nat the workshop hosted by Carnegie Mellon University in \nPittsburgh, we will work with the stakeholder community to \ndiscuss the foundations of the framework and this initial \nanalysis, and this will mark the transition to actually \ndeveloping the framework.\n    In a related note, in June the Departments of Commerce, \nHomeland Security, and Treasury will submit reports regarding \nincentives designed to increase participation with the \nvoluntary program. At 8 months we will have an initial draft \nframework including initial list of standards, guidelines and \nbest practices, but even after a year the work will only have \nbegun. 
Adoption and use of this framework will raise new issues
that we need to address. The goal at the end of this process
will be for industry to take and update the cybersecurity
framework themselves, creating a continuous process to enhance
cybersecurity.
    The President's Executive order lays out an urgent and
ambitious agenda but it is designed around an active
collaboration between the public and private sectors. I believe
that this partnership provides the needed capacity to meet the
agenda and effectively will give us the tools to manage the
cyber risk we face.
    I really appreciate the committee holding this hearing. We
have a lot of work ahead of us, and I look forward to working
with you to address these challenges. I am looking forward to
answering any questions you may have.

    [The prepared statement of Dr. Gallagher follows:]

    [GRAPHIC] [TIFF OMITTED] 82197.001

    [GRAPHIC] [TIFF OMITTED] 82197.002

    [GRAPHIC] [TIFF OMITTED] 82197.003

    [GRAPHIC] [TIFF OMITTED] 82197.004

    [GRAPHIC] [TIFF OMITTED] 82197.005

    [GRAPHIC] [TIFF OMITTED] 82197.006

    Mrs. Blackburn. Thank you. The gentleman yields back, ran a
little bit over time there but that is OK. At this time I will
begin the questioning, and I recognize myself for 5 minutes.
    I want to talk with you first about what you are doing with
this framework. Because I think all of us caught, it came to
our attention that Secretary Napolitano in congressional
testimony earlier this year was still seeking legislation
giving DHS the authority to impose the critical infrastructure
requirements, and it probably struck many of us odd--I know it
did me--that you all are working on this and are looking at a
voluntary cybersecurity framework.
So shouldn't the
Administration wait to see whether your process creates an
effective cybersecurity framework before asking for new
statutory authority to impose regulations?
    Dr. Gallagher. So I think the Executive order lays out a
clear goal of a voluntary-based system. We agree that the first
priority is to allow the market to attempt to address this
needed level of cybersecurity performance. That being said, the
Executive order lays out sort of two goals once the framework
is in place. One is a program to promote adoption of the
framework, this voluntary framework by industry, and the other
is a recognition that some of these sectors are already
regulated, so we would like to see the framework used as a way
to harmonize this. I think it would be a mistake if we do all
this work on a broad, multi-sector framework for cybersecurity
and then not have those practices embraced by those existing
regulatory entities. So it really contains both of those
pieces.
    Mrs. Blackburn. Well, let me ask you this then. Why do you
think the Administration issued the Executive order if they
knew that you were already working and trying to create the
framework, and do you think that there is going to be any
further push for legislation? If you have got a year, you are
going to meet a deadline within a year, you say you are 8
months away from delivering a product. You are holding your
workshops, the multi-stakeholder workshops, you are bringing
people to the table. So why are they bothering to issue the
Executive order and then ask for legislation?
    Dr. Gallagher. So the Executive order serves to basically
align roles and responsibilities across the existing agencies,
and you see that in the Executive order, that it choreographs
the role of Homeland Security, NIST and other players in a
process within our existing authorities. So you are correct:
what we are doing now doesn't require any legislation.
My
personal view is that the primary need for legislation is going
to become more important as we look at the implementation and
the adoption of the framework. The real win in a framework
process is that cybersecurity--good cybersecurity--is good
business, and I think what we are going to be looking at is,
what are the obstacles that get in the way of adoption of this
framework, where are the areas where these practices require
incentives and other--or maybe removing barriers to adoption,
and so I think the ongoing discussion that has been happening
with Congress will likely continue. The Administration looks
forward to working with Congress on this, but I think industry
won't need our help developing the framework but they may need
our help looking at areas where there are barriers to putting
this into meaningful use.
    Mrs. Blackburn. Well, and I think that what we are hearing
from industry is that good cybersecurity, solid cybersecurity
steps are an imperative. They are not something that is just
good business but they are something that are an imperative
every single day, whether it is financial networks, whether it
is the grid, as Mr. Waxman referenced, whether it is some of
our health IT organizations. When you look at the number of
attacks and the step-up in that such as the PLA attacks, you
know that it is an imperative.
    With that, Mr. Waxman, I yield you 5 minutes for questions.
    Mr. Waxman. Thank you very much, Madam Chair. I agree with
your last statement. This is an imperative issue.
    Dr. Gallagher, the President's Executive order of
Cybersecurity applies to all of the critical infrastructure
sectors. I want to ask you about the one that I talked about in
my opening statement, and that is the electric grid, because
our Nation's critical infrastructure and defense installations
are almost entirely dependent on the grid for electricity and
they simply can't function without it.
When Ed Markey and I
wrote to the utilities asking them about cybersecurity, they
reported that they feel they are under a constant state of
attack. They are targets of daily cybersecurity attacks.
Because the grid is so critical and is the target of so many
cyber attacks, I think we need to make sure that we are
adequately protected. The current industry-controlled approach
of issuing mandatory electric reliability standards through a
protracted and consensus-based process has a poor track record.
When it does issue standards, they are at least enforceable,
but voluntary standards are not enforceable.
    Dr. Gallagher, the cybersecurity framework envisioned by
the Executive order would be voluntary. Isn't that right?
    Dr. Gallagher. That is correct.
    Mr. Waxman. And because there is no way for a federal
agency to ensure compliance with voluntary standards, isn't
that a correct statement that there is no way they can enforce
it?
    Dr. Gallagher. That is correct, from a regulatory or legal
perspective.
    Mr. Waxman. You can provide incentives for the private
sector to adopt standards, but there is no actual enforcement.
Isn't that right?
    Dr. Gallagher. That is correct.
    Mr. Waxman. The problem is that recommended voluntary
cybersecurity measures have not been adopted by most utilities.
I mentioned that in my opening statement, even to the point
where compliance with voluntary measures to protect against the
Stuxnet computer worm have not been taken, and that is the
virus that destroyed uranium enrichment centrifuges in Iran. So
I don't find these numbers that we have received from voluntary
reporting by the industry encouraging.
    The Executive order directs federal agencies to assess
whether the cybersecurity regulations governing each sector are
sufficient.
If they are not adequate, the agencies are supposed
to issue new regulations to mitigate the cyber risk, but that
raises the question of whether agencies have the necessary
statutory authority to issue such regulations. Under the
Federal Power Act, the Federal Energy Regulatory Commission
lacks authority to issue regulations to protect the electric
grid. Even if they see that it is necessary, they can't do it.
    Dr. Gallagher, the Executive order doesn't address this gap
in authority, does it?
    Dr. Gallagher. It does not address that specific issue,
correct.
    Mr. Waxman. So a voluntary approach to cybersecurity may
make sense for some sectors but experience has shown that it
cannot be relied upon to protect the electric grid. The FERC
should have the authority to address cyber threats to the
electric grid. That requires legislation from Congress. I hope
we will work together on a bipartisan approach, I hope a
consensus on the need for that legislation. This is a national
security issue and I believe all of us want to work together.
That is why we are here today, and we are all expressing our
concern about this issue.
    Madam Chair, I will follow your lead and yield back a big
chunk of my time.
    Mrs. Blackburn. Thank you, Mr. Waxman. At this time,
Chairman Walden is recognized for 5 minutes.
    Mr. Walden. I thank the chairwoman. Thank you very much,
and Dr. Gallagher, thanks for being here.
    Dr. Gallagher, networks are obviously very complex and
interconnected and themselves rely heavily on information
technology products and consumer information technology
services. How clear is the delineation? You have the so-called
IT exception, and how will that be applied?
    Dr. Gallagher. So as I understand it, the IT exemption that
is discussed in the Executive order pertains to whether the IT
equipment and components are identified themselves as a
critical infrastructure.
In the framework process, they are
clearly dependencies. So if we are talking about the energy
sector or any other critical infrastructure that is depending
on IT--this is about cybersecurity, after all--they will depend
on the performance of networks and the performance of IT-based
equipment. And so the IT sector, the IT companies are already
deeply involved with this process. I think the exemption
applies to whether they are being specifically identified as a
critical infrastructure. I don't think it means they are not
involved deeply in the framework.
    Mr. Walden. So you think they will be then?
    Dr. Gallagher. Yes, they already are.
    Mr. Walden. And obviously, flexibility is critical in
engaging the private sector to respond to the very rapid
evolving cybersecurity threats, especially since networks are
themselves varied and rapidly evolving. I don't have to tell
you that. How will the framework incorporate such flexibility?
    Dr. Gallagher. Well, I think the way it adopts
flexibility is by relying on the same process that industry
relies on to actually develop things like the network itself.
The Internet is actually a series of protocols and standards
that allow this widespread interoperability. So it has to be as
dynamic as the technology they are deploying. What we are
basically arguing in the framework is, we want to leverage the
same thing to address cybersecurity performance. So it is an
industry-controlled process with their own technical experts.
They can bring their own technologies to the table as part of
this multi-stakeholder process, and it can be as dynamic as the
technology is to address this.
    Mr. Walden.
As you may know, our Subcommittee on
Communications and Technology held several hearings on the
issue of cybersecurity and cyber threats, and I think every
single witness we had said be careful in this area to not
overregulate because if you do, the bad actors will know what
we have been instructed to do by statute, they will change up
faster than you will ever keep up from a statutory standpoint,
and that you will bind our hands and misallocate our capital
and the resources. Is that a view you share?
    Dr. Gallagher. So I think the tension between regulation
and standards has always been there. Standards and regulation
interplay with each other all the time, and frankly, it leads
to a lot of confusion in this space. But they really serve
different purposes. I mean, I am not an expert in this area,
regulatory issues. We would have to work with Congress anyway.
We would want to do that. But very simply, in my view, a
regulation is needed when the market can't perform. In other
words, we are talking about infrastructure whose failure would
cause a catastrophic impact to the Nation, and so we don't want
that to happen. But the advantage of industry doing as much as
it can is self-evident because of what they bring to the table
and the fact that so much of this equipment is owned and
operated and managed by the private sector.
    Mr. Walden. Well, I think that is the concern that we have.
Later today we have a subcommittee hearing on supply
chain vulnerabilities, which, as you know, is a major national
and international issue, and I don't know if you have any
comments regarding some of those reports that have been in the
news. Certainly our colleague, Mr. Rogers, and his committee in
a bipartisan way have had some pretty important things to say
in this area.
    Dr. Gallagher. Well, let me start by saying we would like
to work with you on that issue.
I think supply chains are one
of these dependencies that we talk about. The markets for
equipment, the markets for software are global, they are
interconnected, and we need to understand how do we put
together resilient and secure systems out of potentially
unresilient, low-trustworthy parts and components, how do we
put trust into a system this heterogeneous and this diverse. It
is really a very important issue and it is one that has already
come up at some level in the RFI process for the framework.
    Mr. Walden. All right. My time is expired. Thank you, Madam
Chair.
    Mrs. Blackburn. The gentleman yields back. Mr. Dingell, you
are recognized for 5 minutes, sir.
    Mr. Dingell. Madam Chairman, thank you. Welcome to you, Dr.
Gallagher. I would appreciate a yes or no response to the
questions if you please.
    Dr. Gallagher, I note Section 7(e) of the Executive Order
13636 mandates you publish a final version of the cybersecurity
framework no later than February 2014. Will you be able to meet
that deadline? Yes or no.
    Dr. Gallagher. Yes, sir.
    Mr. Dingell. Dr. Gallagher, do you believe that in general
NIST has sufficient resources whether in terms of funding or
manpower with which to comply with Executive Order 13636? Yes
or no.
    Dr. Gallagher. Yes.
    Mr. Dingell. Doctor, I note that Executive Order 13636 does
not grant agencies additional statutory authority with which to
address cybersecurity-related risks. Based on your
consultations so far in establishing the cybersecurity
framework, do you expect the Administration will request the
Congress to grant it additional cybersecurity-related statutory
authority? Yes or no.
    Dr. Gallagher. Yes.
    Mr. Dingell. Now, Dr. Gallagher, in general, do you believe
that the Administration should be granted additional statutory
authority to address cybersecurity-related risks? Yes or no.
    Dr. Gallagher. Yes.
    Mr. Dingell.
Doctor, do you believe that Executive Order
13636 alone is sufficient to adequately address the myriad
number of cybersecurity-related threats faced by industry and
the government? Yes or no.
    Dr. Gallagher. No.
    Mr. Dingell. Now, Doctor, a portion of your written
testimony is dedicated to explaining the role of standards in
Executive Order 13636. You state the standards are agreed-upon
best practices against which we can benchmark performance.
Thus, these are not regulations. Earlier in your testimony, you
stated, and I quote, ``Many in the private sector are already
doing the right things to protect their systems and should not
be diverted from these efforts through new requirements.'' Do
these statements mean that NIST and the Administration do not
support the establishment of mandatory cybersecurity
regulations? Yes or no.
    Dr. Gallagher. Well, I think----
    Mr. Dingell. And if you explain it--I think you are going
to have to--please do it briefly. Go ahead.
    Dr. Gallagher. As I said, I think we strongly prefer a
private-sector-led solution. A voluntary industry-led consensus
process is going to be more dynamic. It is going to be
adoptable around the world. It can help shape the technology
and the markets in a way that would not be possible if we took
a regulatory approach. That being said, in the final analysis we
have to protect critical infrastructure, and so the real test
is going to be as put into practice is it protective of
cybersecurity, and if it is not, then I think there is a
question for Congress and the Administration in terms of how
to----
    Mr. Dingell. And I would assume that you expect that we are
going to run into many occasions where we are going to have to
figure out what we do and whether or not we are going to have
additional changes in the executive orders, regulations or
whether additional statutory authority is needed. Is that
right?
    Dr. Gallagher.
I would certainly anticipate this will be
part of an ongoing discussion, yes, sir.
    Mr. Dingell. Thank you, Doctor.
    Now, Madam Chairman, I would like to note in closing that
Section 4 of the Executive order establishes a limited
information-sharing regime between the federal government and
industry. It is my hope that the committee will continue to
examine this issue. It is also my hope that we shall hear from
the Secretary of Homeland Security, who is important in the
implementing of Section 4 about the effectiveness of
information sharing as well as whether the Congress should
authorize the liability exemptions that industry claims are
necessary to making information sharing function well. I
anticipate considerable need for us to engage in active
oversight of these matters.
    I thank you, Madam Chairman, for your courtesy. Doctor, I
appreciate your courtesy and your assistance. I yield back the
balance of my time.
    Mrs. Blackburn. The gentleman yields back. At this time,
Mr. Terry, you are recognized for 5 minutes.
    Mr. Terry. I waive.
    Mrs. Blackburn. Mr. Terry waives. At this time, Mr. Rogers,
you are recognized, and you waive. OK. Mr. Murphy, you are
recognized for 5 minutes.
    Mr. Murphy. Thank you. I want to go over with regards to
working with the private sector, and you had mentioned Carnegie
Mellon University in your testimony there, and I understand
there are a number of things that are classified in that process
as well. You stated also that many in the private sector are
already doing the right things. We would look at health policy
and financial institutions and agriculture and transportation,
et cetera, and we have a limited amount of time and resources
to spend on bolstering protections and not spent on burdensome
other requirements here.
Can you assure us that the whole
cybersecurity framework required by Executive order is not
going to just be a bunch of regulations, it is going to allow
these groups to all work with each other as well and to
interconnect among them? So the universities, the private
institutions, et cetera.
    Dr. Gallagher. Well, I can assure you that is our intent,
and the way we are trying to make sure that intent follows
through is by giving the pen, if you will, to develop the
framework to industry and these sectors themselves and then
supporting that effort. It is really essential that this be
their work product, that this reflects current best practice
from across these sectors that identify cross-cutting issues
because it is going to be a superior product. It is the only
way to do this in the time frame, and it also allows an answer
that can basically be driven into the market actually across
the entire world.
    Mr. Murphy. Thank you. Madam Chair, I yield back.
    Mrs. Blackburn. The gentleman yields back. Ms. Eshoo is
recognized for 5 minutes.
    Ms. Eshoo. Thank you, Madam Chair. Good morning, Dr.
Gallagher. Thank you for being here. Thank you for your
leadership at NIST, and I want to thank NIST for being one of
the cosponsors of the first-ever hack-a-thon that took place in
my congressional district this weekend on public safety apps.
So I think some really important ideas are going to come out of
that and benefit our country.
    My first question to you is, you have referred to a
critical infrastructure, as have members, and this whole issue
of regulation, light touch and/or regulation. What do you
consider to be critical infrastructure, number one?
    Dr. Gallagher.
Well, I don't read anything past what is
in the Executive order itself, which is an operational
definition that defines it as something whose failure would
cause catastrophic harm to the country, and then there is a
process in the Executive order that allows for a more specific
identification process.
    Ms. Eshoo. And how do you, as part of this framework, how
do you intend to address the integrity of the supply chain?
Chairman Walden raised this, and I wanted to go back to it.
    Dr. Gallagher. So I think from our view, in supporting an
industry-led effort, it is going to basically look at how does
the market identify trust in software, in components and in
systems. We are talking about companies that will be buying
equipment, presumably from supply chains that may be around the
world that are going to integrate those into systems that
control and manage their critical infrastructure. So the
question is, how do we give them the tools to identify
trustworthy components and systems in the context of that
global market. It is one of these major dependencies that just
is part of this type of a system, and we already see that issue
coming up from our industry partners in the framework process.
    Ms. Eshoo. Now, in this whole issue of cybersecurity, about
95 percent of it is private sector, 5 percent is the
government, roughly, and I am pleased that NIST has placed such
a prominent focus on public-private partnerships because they
are very important. But as you work with the private sector, I
think it is very important for you to hear not just from the
large companies or the largest companies in the country but
small and medium businesses because they offer a rather unique
perspective, and given that the congressional district that I
represent, people think, members, especially, that when they
come to my district they visit Google and Facebook and
Microsoft and that they have covered the entire ground.
They
haven't. I am proud that they are there and that I get to
represent them but there is a lot more to it. So how will you
ensure that the input of these small and medium sized
businesses is incorporated into NIST's cybersecurity
framework? And if you could be specific about this, how you are
doing it.
    Dr. Gallagher. In short, we are trying to do everything we
can to ensure that companies of all sizes--it is not just the
big companies, as you know. Small companies tend to be leading
innovators in many cases. It would be a real problem if they
were excluded from the process. But even as owner/operators of
critical infrastructure, there are companies of all sizes that
do that. What we tried to do is make sure that our engagement
with the private sector through this process is not just in one
mode. In other words, we have the major workshops where we----
    Ms. Eshoo. But do you go to them? I mean, where do you go?
Do you invite everybody to come to Washington?
    Dr. Gallagher. No. In fact, we are going to be holding----
    Ms. Eshoo. These small startups can't. They don't have time
or money to come here.
    Dr. Gallagher. That is correct, so we have done input that
can be done electronically. The request-for-information process
was completely virtual. And our workshops are going to be
across the country, the first one in Pittsburgh, the second we
anticipate in southern California, and then the third one is
still being worked out. So we do recognize the limitations that
smaller companies have to do this, and we are trying to design
the process so that there are as few barriers as possible to
their participation.
    Ms. Eshoo. Thank you. I yield back.
    Mrs. Blackburn. The gentlelady yields back. Dr. Burgess,
you are recognized for 5 minutes.
    Mr. Burgess. I thank the chair, and Dr.
Gallagher, thank
you so much for spending time with us this morning.
    On the information that you provided to us, you talk about
developing the framework and developing the standards that will
be used, voluntary compliance by the industries involved, and
one of the panelists we are going to hear from on the second
panel, former CIA Director, Mr. Woolsey, talks about the danger
from an electromagnetic pulse and talks about the need for
surge arrestors to be built into infrastructure. Are you
similarly developing the standards for those arrestors and
resistors that will be built into the infrastructure for
protecting our electrical grid and other systems?
    Dr. Gallagher. So while remembering, in the United States,
NIST does not write the standards. By law, federal agencies
look to private-sector standards organizations for their needs.
So we ourselves would not be developing the standards.
    The framework process, since it is specific to
cybersecurity, will probably not have within its scope sector-
specific resiliency measures like electromagnetic pulse or
geostorm or what have you. However, NIST does support those
efforts directly. So in the case of a geomagnetic storm, a lot
of the electrical measurement equipment and technology that is
needed by the electrical utilities to provide that protective
service is work that we do support from our laboratories.
    Mr. Burgess. That is the point I was going to make. Many of
us remember the day in the late 1990s or maybe the early 2000s
when our little card readers at the gasoline pumps stopped
working because of some sort of solar event that had interfered
with satellite technology, and so you have that ongoing work in
process at NIST. Is that not correct?
    Dr. Gallagher. That is correct.
We think of ourselves as
industry's national lab, so as these technical issues come up
in their standards process where they want resilient equipment
and services, our job is to work on that technology and support
their efforts.
    Mr. Burgess. Well, again, we are going to hear a great deal
more of this from a witness on our second panel but it just
seems that it stands to reason as you build that or as you
develop the voluntary compliance standards for that
infrastructure that you would build this protection in so that
industry and the private sector would be not only aware of the
necessity but have a place to go. So often we get into these
things and you get overwhelmed by vendors and you don't really
know which is the best practice or the best technologies. So
that is where I see NIST as really being able to provide some
of that direction and some of that leadership in going forward
in this. Is that a fair assessment?
    Dr. Gallagher. Yes. I think it is ironic that the diversity
of our approach in the United States, which is one of its
strengths, also makes it complicated at times, but that is
certainly a role that we would be happy to take on to help
facilitate, provide some clarity, particularly in this area.
    Mr. Burgess. I thank the chair. In the interest of time, I
am going to yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Green, you
are recognized for 5 minutes.
    Mr. Green. Thank you, Madam Chairman.
    Mr. Gallagher, thank you for appearing before our committee
today, and it is important that any framework established
through the Executive order be truly voluntary. Mandated
regulations could quickly become outdated due to a rapidly
changing cyber threat landscape and may result in increasing
uniformity that may inadvertently add vulnerabilities to
intricate systems tailored to specific company operations and
risk profiles.
How will NIST ensure the framework remains a
truly voluntary program?
    Dr. Gallagher. Well, the most straightforward way is, we
simply have no regulatory authority of any type that would make
it compulsory. Insofar as supporting industry's intent to have
this be something under their control, one of the things that I
think we can do is work with them through the framework process
to identify how this framework is muscular. I think one of the
problems we face is that people are equating the term
``voluntary'' with ``weak'', and that is not necessarily the
case. Most product safety standards in the United States, many
things are in fact fully managed by industry, and industry is
quite capable of putting in muscle--what we call conformity
assessment tools--to ensure that in business-to-business
interactions and so forth that they assure themselves, that
they are complying with their own standards and protocols. And
I think if that is done, it addresses the performance. I think
if what they do is protective of the critical infrastructure, I
think that is the best thing we can do to maintain this as a
voluntary industry-led process.
    Mr. Green. As the framework takes shape, demonstrating
adherence to the framework should not require submission of
company audit results. Sharing of sensitive information with
third parties could greatly compromise cyber systems, so
specific information regarding cyber systems must remain
proprietary to protect the information from the public and cyber
criminals. Has NIST developed a method to determine adherence
to the framework, and will they take into consideration the
sensitive information that different companies and plants may
provide?
    Dr. Gallagher. So NIST itself would not play a role in
assessing compliance with the framework.
Our preference would
be for industry to develop as part of the framework the vehicle
by which they would determine the compliance mechanism. What we
can do is share a number of best practices and models where
that has occurred in other areas including smart grid and cloud
computing and show them the pros and cons of these different
models. It addresses many of the concerns you just raised,
which is in the business environment, they can set this up so
that they are not sharing competitively sensitive information
and proprietary information in a way that they don't want to. In
other words, the conformance assessment program can be
compatible with their business needs.
    Mr. Green. I appreciate that. I know a lot of us represent
different entities who have a big stake in this, and they are
already doing a lot of things. In my area, my refineries,
chemical plants, of course, all of us have utility plants, that
this cybersecurity threat is being addressed now and there are
standards being developed, sometimes by companies, sometimes by
industry, and that is my concern, that we make sure that we
don't get in the way of some of the innovations that literally
can be found out every day.
    So Madam Chairman, I appreciate the time. Thank you. I
yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Scalise, you
are recognized for 5 minutes.
    Mr. Scalise. Thank you, Madam Chair. I appreciate you
holding this hearing. Dr. Gallagher, thank you for being with
us today.
    You mentioned in your testimony that regulatory agencies
will review the cybersecurity framework to determine if any
requirements, if the current requirements are sufficient but
also if there would be any proposed new types of actions. When
I look at that and I see words like ``requirements'' and
``actions,'' is that something that is synonymous with
regulations?
    Dr. Gallagher.
Not to me, but you are not the first person \nthat has noticed the connection.\n    Mr. Scalise. So there are no proposals right now to come \nout with actual regulations when you talk about requirements or \nactions?\n    Dr. Gallagher. So in my experience, here is what I have \nlearned when you are dealing with standard setting that \npotentially touches regulatory agencies. So some of these \nsectors are currently regulated. It would be a mistake for the \nframework to not be germane to what the regulators are doing. \nThen it wouldn't be addressing the underlying need to protect \nthose sectors in this case. On the other hand, you don't want \nso close of a relationship that the standard setting is \neffectively a regulatory process.\n    Mr. Scalise. I know you are familiar with legislation that \nwe have moved through the House to expand the ability for the \nprivate sector to share information with the government to find \nout about threats but all on a voluntary basis where private \ninformation would be protected, where if a private entity \ndidn't want to go and talk to DOD about maybe things that they \nare seeing from China or Russia or some other country or \nentity, they don't have to do that, but then there would be the \nability for them to do it if that benefits them in looking at \nbreaches that are maybe coming their way. And so voluntary is \nvery different than new requirements that would be mandatory. \nYou understand the difference that we are looking at there?\n    Dr. Gallagher. Yes. The intent of the framework is not to \ndrive the establishment of new requirements. That portion of \nthe Executive order, to my understanding, is a harmonization \nissue, which is we want any existing regulatory agency to \nconsider the framework when it is complete. It may be something \nthey can harmonize against, which would remove duplicative \nrequirements to those companies. 
It could very well be that it \naddresses the underlying need, and they could actually lighten \nany specific regulatory requirements. But in our view, it would \nbe a mistake for them not to consider the framework in light of \nwhat they were doing before the framework was there.\n    Mr. Scalise. So when you talk about the Executive order \nthat would establish this framework, you also talked about \nincentivizing private companies, other entities that have \ncritical infrastructure to adopt this new framework that you \nare developing at NIST. What types of incentives are you \ntalking about?\n    Dr. Gallagher. So I think at this point we don't know what \nthe specific incentives are, so the Executive order actually \nasks a number of agencies to contribute reports identifying \npotential areas. We have done this through a public comment \nperiod and we are distilling those comments now. I think the \nway to understand this is that we want the framework adoption \nto be tantamount to good business. In other words, good \ncybersecurity is good business. They are compatible functions \nwithin these companies, and I think the best way to view the \nincentives question is to what extent are there barriers or, in \nsome cases, you know, counterincentives to doing the right \nthing. Those are the things I think we will work with you \ntogether to make sure that we align business interests with \ndoing good cybersecurity.\n    Mr. Scalise. Right, and again, in our legislation, we have \nsome liability protections. We don't want somebody to feel like \nif they are coming to the government to work together in a \npartnership that that is not going to expose them to some other \nkind of liability if their intent is to protect their network \nand ultimately all of the users. I mean, my constituents, \neverybody's constituents that are out there that give personal \ninformation to various Web sites, they do it under agreements. 
\nIf you are on Facebook or any other Web site, you have got an \nagreement. You know that there are agreements that your \npersonal information is going to be protected. Of course, if \nsome other country, some entity is trying to break through a \nfirewall, then they are also trying to get your personal \ninformation. So you want that to be protected. So I am just \ntrying to find out, does NIST have some definition of incentive \nwhen you are trying to get this?\n    Dr. Gallagher. At this time NIST does not but what I can \nshare with you is a preliminary look at some of the comments \ncoming in from the RFI to the Commerce Department. They include \nthings like liability protections, exploring the establishment \nof insurance markets where the risk can be monetized in \nbusiness-to-business relationships, procurement preferences for \ncompanies that are supporting the framework to offer high-\nquality products and services. It is things of that type.\n    Mr. Scalise. And I would just ask--I know my time has run \nout--I would just ask if you could share that with the \ncommittee as you are developing those definitions of \nincentives, if you could just share that with us along the way \nand some of the things like the liability protections are \nthings we have already hashed out and embedded here. Maybe you \ncould look at those things that we have already identified as \nwell.\n    Thanks a lot, and I yield back the balance of my time.\n    Mrs. Blackburn. The gentleman yields back. Mr. McNerney for \n5 minutes.\n    Mr. McNerney. Thank you, Madam Chairman.\n    Thanks, Dr. 
Gallagher, for your work on this issue, and you \nclearly have a good grasp of it and you are sharing the wealth \nso it is understandable.\n    One of the things that you mentioned and I think comes up \noften is the idea of performance-based standards, and I would \nlike for you to just talk a little bit about what that means, \nmaybe give an example, and also give an example of a non-\nperformance-based standard so we will have a clear idea of what \nwe are talking about here.\n    Dr. Gallagher. So simply, a performance-based standard is \none where the standard addresses a given level of performance \nand it is less prescriptive about how you get it done. So an \nexample would be this smartphone needs to talk to this network. \nThat is a performance requirement for interoperability in that \ncase but it doesn't prescribe the exact data format, electrical \nformat that would happen. What a performance requirement then \ndoes is allow a diversity of technical solutions that can \nachieve the same performance level, and that is why these are \npreferred. They give companies, particularly in technology \nfast-moving areas, the flexibility and latitude to continue to \ninnovate and perhaps even meet the performance requirement in \nimproved ways.\n    Mr. McNerney. Well, what would a performance-based standard \nin cyber look like or sound like?\n    Dr. Gallagher. Well, I think that is the exact question we \nare going to be putting in front of the industry groups through \nthe framework process. You know, measuring and assessing good \ncybersecurity performance, and I am saying this as head of a \nmeasurement agency, is actually a challenging problem. You \nknow, coming up with the right way of characterizing this, and \nI think it is probably going to be a diverse set of metrics \nthat they look at. Some of these are going to be looking at \nbest practices in terms of removing vulnerabilities. 
That would \nbe one type, known vulnerabilities and minimizing that threat \nsurface, if you will, in companies. And the other part is going \nto be this adaptive part of cybersecurity, which is, do you \nhave the intrinsic capability to take new threat information \nand to adjust the protective measures you are taking within the \ncompany. So I wish I could give you an easy, straightforward \nanswer to that one but I think that is going to be one of the \nissues that the entire framework community is going to be \ndealing with.\n    Mr. McNerney. Well, I spent some time developing standards \nin the mechanical engineering fields, and it is long, it is \npainstaking, and often it gets watered down so much that it is \nnot very useful, and I am worried about that in this sort of a \nframework. Do we have the chance of ending up with something \nthat is so watered down that it is not useful?\n    Dr. Gallagher. So consensus, of course, doesn't mean \nunanimity, as you know from that experience, and I think you \nare exactly right. One of the threats you face in a multi-\nstakeholder process is that in an effort to achieve agreement, \nyou go to the lowest common denominator. And that is why the \nperformance goal of having high-performance cybersecurity is \ngoing to be so important to this. I think what we are striving \nfor here is a framework that reflects best possible achievement \nat commercial levels of performance. That would allow \nadditional support, for example, in the public-private space \nwhere support from our intelligence agencies and operational \nagencies can support the private sector but not asking them to \ncarry out that role. But it also reflects that we can't race to \nthe bottom and just find the lowest common denominator of \ntechnical performance and call that adequate.\n    Mr. McNerney. Now, are you going to be including foreign \ncompanies in this collaborative process?\n    Dr. Gallagher. Yes.\n    Mr. McNerney. 
It would be hard not to because----\n    Dr. Gallagher. I would hope they do, actually. One of the \ninteresting parts of this is, by doing this through the market, \nand the market in fact is global, what we can do is end up with \na baseline level of performance that is reflected in products \nand services sold around the world. In fact, if we had taken a \nregulatory approach first, that would be unlikely to happen \nbecause as soon as a U.S. regulatory agency said this is the \nrequirement, it becomes a counterincentive to any adoption in \nother countries, where if this is coming from industry, very \nnaturally I think one of the real strengths here is that we can \ndrive this base level of performance into the global \nmarketplace. That doesn't preclude governments from adding any \nadditional requirements on top of that but I think it best for \ncompanies because it lets them sell their goods and services \naround the world, and it is good for us because the Internet is \nitself a global infrastructure, and I think if we can drive \nthis intrinsic security performance up, that is better for all \nof us.\n    Mr. McNerney. I think this is an opportunity for real, true \nbipartisan work. Thank you, Madam Chairman.\n    Mrs. Blackburn. The gentleman yields back. Mr. Latta, 5 \nminutes.\n    Mr. Latta. I thank the chairlady, and I appreciate you all \nbeing here today. This is a topic that is not just on \neveryone's mind here in Washington but back home. You know, in \nthe last 24 hours before I came back, there was an article in \nthe New York Times, China back to hacking United States \nalleges, experts say agencies, firms battling new attacks. \nThere was a front-page story yesterday also in the Washington \nPost about Chinese hackers, and it is a real issue, and I \nrepresent 60,000 manufacturing jobs back home and a lot of \nbusinesses that are very concerned with this. 
One of the things \nthat I started doing with the cybersecurity with the FBI in \nOhio, we have done cybersecurity events in the district, we are \ndoing one next week, to get the FBI in to really explain to \npeople how serious things are out there. So I really appreciate \nyou all being here because it is a topic that is on top of \neverybody's mind.\n    In your testimony, on page 4, if I can just ask you a \ncouple questions about that, it says that your request for \ninformation under the RFI this past February, you know, you \nhave received 224 responses so far. Have you been able to \nanalyze any of those responses and are you seeing any kind of a \ntrend right now, and who has been responding? Is it overall in \nthe industry or is it a broad section?\n    Dr. Gallagher. It is actually remarkably broad. As I said, \nwe have heard from some of the largest companies and industry \nassociations. I think in the next panel you will hear that many \nof the participants there, their companies have participated in \nthe process. It crosses all the sectors. We did publish last \nweek, and it is posted on the NIST Web site, a preliminary \nanalysis of the responses. In fact, we chart out and tabulate \nthe areas that are represented and the types of issues that \nwere coming up through the public comment period. That is part \nof the homework assignment that has been given to the framework \nparticipants for their first workshop in Pittsburgh next week.\n    Mr. Latta. 
Well, thank you, and also, you know, just maybe \nto sum up, because in the interests of time, that, you know, \none of the things, you commented in your testimony and also I \nhave heard over and over from folks out there that one size \ndoes not fit all, that we can't create one thing here in \nWashington because, again, on the industry side, things are \nmoving so quickly on theirs that we try to do something here, \nand we will be just three, four, five steps behind.\n    The other term that I always know that worries people back \nhome is the word ``voluntary'' and they want to make sure that \nanything that is done is always voluntary, and as my colleague \nfrom Louisiana just mentioned in a question about incentives, \nincentivizing, those are terms that also we want to really make \nsure that we know what is going on. So Madam Chair, in the \ninterest of time, I yield back.\n    Mrs. Blackburn. The gentleman yields back. Mr. Tonko, you \nare recognized for 5 minutes.\n    Mr. Tonko. Thank you, Madam Chair, and let me thank Chair \nUpton and Ranking Member Waxman for arranging today's very \nimportant hearing. Critical infrastructure represents a wide \nrange of industries, and interestingly, many fall under the \njurisdiction of E&C. So we need to take a serious look at how \nto improve these industries' resiliency from cyber threats.\n    Let me welcome you, Dr. Gallagher. I know that you have an \nawesome task assigned your way, but I also appreciated your \nrecent visit to the core of my district. It was well received. \nAnd I commend NIST on its leadership in implementing some very \nimportant guidelines here. NIST has received tremendous \nfeedback from stakeholders, and it appears that NIST has \nrecognized that cybersecurity can best be addressed through a \ncooperative public-private partnership. 
So it is clear that \nthis has been a collaborative effort, and I am grateful that \nyou appear before this committee today.\n    President Obama expressed concerns with the cyber \nlegislation recently considered in the House because of privacy \nand civil liberties issues. His Executive order makes promoting \nthese rights an explicit priority. Many of the testimonies we \nwill hear today will make mention of that importance. Has NIST \nor DHS's Office for Civil Rights and Civil Liberties been in \ndiscussion with privacy and civil liberties groups while \nworking on implementation?\n    Dr. Gallagher. So in the case of the framework process, \nwhich is fairly new, I am not specifically aware of any \ndiscussions, but prior to that, through Commerce Department \nefforts looking at both privacy and non-critical \ninfrastructure, we interacted quite extensively with those \ngroups. I think from a framework perspective, it comes up in \ntwo areas. One is privacy is about sharing the appropriate \ninformation you want to share and nothing else. That is a \ntechnically enabled capability, and so at the technical level, \nthe capacity to implement privacy is in fact a deep part of \ncybersecurity and will be part of the framework process. The \nother part of the Executive order where this obviously is, is in \nthe information sharing and coming to terms with what \ninformation is needed to share to carry out the protective \nfunction.\n    Mr. Tonko. And according to your testimony, next month we \nare expecting reports about the potential incentives designed \nto increase participation in the framework program. Aside from \nliability protection, which was considered in the House as \ncyber legislation, and I think demanded by industry, what types \nof incentives are possible? Which of these will need \nlegislation perhaps to implement and which can be done right \naway?\n    Dr. Gallagher. So what we are seeing in the RFI process \nincludes a broad range of incentives. 
Some would absolutely \nrequire legislative action to occur. Those are things like \nliability protection, supporting reinsurance markets and how \ndoes that work. Looking at tax incentives potentially to \nsupport some of the capital investments to upgrade \ncybersecurity performance including, in some cases, supporting \ngrant programs for promoting innovation, some of the R&D \nactivities related to promoting good cybersecurity. Other areas \nappear to fall within existing authorities, and that would be \nthings like alignment, do you create procurement preferences in \nthe federal government that would support the adoption of the \nframework. In some cases, things were proposed that would not \nbe a good idea and so I think the report will be very useful in \nparticular to Congress as it considers this continuing question \nabout how do you promote industry's work to do the right thing \non cybersecurity and eliminate barriers and support adoption.\n    Mr. Tonko. Thank you. And 150 of the 244 responses to \nNIST's request for information discuss the workforce's cyber \ncapabilities. We obviously have to recognize this workforce \nwill be a vital and growing contributor to our economy in the \nfuture. It is not hard to imagine the need for constant \ntraining. So what types of education, training and research \nopportunities can we invest in to ensure that the private \nsector has access to the highly skilled personnel necessary to \nimplement and maintain some rigorous cybersecurity standards?\n    Dr. Gallagher. I think this is going to continue to be an \narea that we will have to work on aggressively. So outside of \nthe framework process, NIST was asked to be an interagency \ncoordinator, if you will, on interagency efforts to look at \ncybersecurity education across the federal government, and it \nbasically has three broad approaches. 
One is promoting \nwidespread cybersecurity awareness to the public--very \nimportant because they are interacting with this infrastructure \nas well. The other one is promoting interest in those that \nwould elect to take this direction as a career, so that is, do \nwe have the cadre of talented people moving in this direction \nwho would see cybersecurity as a place where they can \ncontribute and have a worthwhile career. And then the final \npiece is for somebody who has made that decision, can they get \nthe appropriate education and workforce-specific training where \nthey can contribute by the way both federal and non-federal, so \nwe have worked with a lot of outside stakeholders.\n    When you have those three pillars, there is a pretty broad \nrange of activities. Some are awareness campaigns and some are \nlooking at working with leading universities. In fact, NSA and \nDHS have played a leading role in that space working with \nuniversities to accredit cybersecurity education, and in the \nmiddle that promoting interests are some of the things that are \nbeing done in high schools and middle schools trying to promote \nbroader interest in cybersecurity and the roles that some of \nthe career possibilities that are there for folks at that \nformative period of time.\n    Mr. Tonko. Thank you very much, Dr. Gallagher, and with \nthat, Madam Chair, I yield back.\n    Mrs. Blackburn. The gentleman yields back. Mr. Lance, you \nare recognized for 5 minutes.\n    Mr. Lance. I waive.\n    Mrs. Blackburn. Mr. Lance waives. Mr. Cassidy is gone. Mr. \nOlson for 5 minutes.\n    Mr. Olson. Thank you, Madam Chair, and thank you, Dr. \nGallagher, for being here this morning.\n    Cybersecurity is very important to my home district, \nHouston, Texas. Obviously we are the energy capital of the \nworld. 
We have the world's largest petrochemical complex lining \nthe 15-mile-plus Houston ship channel, which serves the Port of \nGalveston, the Port of Texas City, the Bayport Container \nTerminal and the Port of Houston. We have a massive pipeline \ninfrastructure which supports that petrochemical industry. We \nhave two nuclear reactors 90 miles away down in Bay City, \nTexas. We are about to become the third largest city in terms \nof population. Sorry to my colleagues from Chicago, but those \nare the facts.\n    So my point is, lots of damage can be done to America in \nterms of dollars to our economy, in terms of lives by cyber \nattacks in Houston, Texas, and as we know, one of the most \nimportant ways to combat cyber attacks is for companies and the \nfederal government to work together to combat cyber attacks \nthrough robust information sharing, and that is why I voted for \nthe Cyber Information Sharing and Protection Act last month \nbecause, as you know, the information-sharing process \nauthorized by CISPA is completely voluntary, only ones and \nzeros, binary code, if my degree from Rice from 1985 in \ncomputer science is still relevant. No personally identified \ninformation will be exchanged between the private sector and \nthe federal government. The House has done its job, and that is \nwhy I am encouraged by the Administration's commitment to a \nvoluntary process that solicits input from industry to create \nthe cybersecurity framework.\n    My question is, as you know, cyber attackers adapt quickly \nwith new attack methods almost overnight. How does the \nAdministration and NIST plan to balance any additional \nregulatory requirements with the need for industries to remain \nflexible and be able to adapt to the changing cybersecurity \nenvironment?\n    Dr. Gallagher. Well, one specific example I can give to \nthat is something that you have probably heard quite a bit, \nwhich is the response capability for IT systems has to become \nquicker. 
In essence, we have to fully automate a lot of this \nresponse. It has to move at the speed of computation rather \nthan human speed, and that in some sense is a policy issue. A \nlot of the information-sharing debate is around that, how do we \nenable that flow of signatures and key information to enable \nthat, and some of that is the underlying technology. If I \nreceive that threat information and I am a system operator, how \ndo I deploy that automatically? And so NIST has been working \nwith industry on developing security automation tools and \nprotocols that can be deployed and can be used within their \nsystems and can provide an interoperability between different \nvendors of software and different vendors of IT equipment to \nenable sharing of cybersecurity-specific information across these \nplatforms. So we are trying to support what I think is going to \nbe a movement towards full-scale automation of a large amount \nof the cybersecurity activity.\n    Mr. Olson. Thank you. I yield back the balance of my time.\n    Mrs. Blackburn. The gentleman yields back. Ms. Matsui, you \nare recognized for 5 minutes.\n    Ms. Matsui. Thank you very much, and I would like to \nwelcome Dr. Gallagher here. Cybersecurity is both a national \nand economic security issue, and I believe that industry and \ngovernment must be partners in addressing our Nation's cyber \nthreats. It is not a one-way street, and I believe the \nAdministration's Executive order was a good first step but more \nwill need to be done.\n    Last October, I wrote to the White House urging them to \nconsider the implications of including interactive computer \nservices such as search engines and social networking \nplatforms. I believe the Executive order got it right and made \nit clear that there is a fundamental difference between \nnetworks that manage infrastructure critical to public safety \nand those that provide digital goods and services to the \npublic.\n    Dr. 
Gallagher, how should federal agencies ensure that any \nsector-specific cybersecurity standards required under the \ncybersecurity framework are not imposed on non-critical \ninfrastructure?\n    Dr. Gallagher. Well, as I said, I believe the question of \nimposition is going to be one that largely falls to Congress \nand, you know, those agencies with sector-specific \nresponsibilities. I actually view this almost in reverse, which \nis the actions we are taking to work with this broad collection \nof companies and interests to develop a set of general \npractices for cybersecurity performance may in fact be usable, \nin fact, cost-effectively usable, very broadly, in fact, maybe \nin areas outside of the specific critical infrastructure. So it \ncould very well be that companies that are in media and other \nareas would now find it easier to buy secure equipment and \nsecure software and lower vulnerability. This would be, in my \nview, a win. So without imposing any requirement, we still get \nthe benefit of improved security performance.\n    Ms. Matsui. OK. Now, how will the Executive order and the \ncybersecurity framework assist federal agencies in enabling \nmore uniform security measures across all government-operated \ndata centers?\n    Dr. Gallagher. So this is part of the discussion that we \nhave been working on pretty actively very recently, which is, \nhow do we get the federal agencies to align to this framework \nprocess. I think if the private sector is going to go to all \nthis trouble in developing this high-performance cybersecurity \nbaseline, then I think the federal government should leverage \nthat for a number of reasons. One is, it will be a high-\nperforming platform to use that as a baseline for any \nadditional requirements that it would have internally, and also \nit helps achieve market scale. In other words, some of the \ngovernment procurement now becomes supportive of helping the \ncompanies drive adoption.\n    Ms. Matsui. OK. 
That is good.\n    Dr. Gallagher. So I don't think we have any answers to that \nyet but that is certainly something we are actively discussing \nright now.\n    Ms. Matsui. OK. Now, with the electricity subsector already \nsubject to mandatory and enforceable cybersecurity standards, \nhow is NIST working to ensure that the framework will include \nthese existing standards?\n    Dr. Gallagher. Well, what we have done is, we have invited \nthose entities in from the beginning. So in fact, in the case \nof the electricity sector, that is fairly straightforward \nbecause in fact we are modeling a lot of this effort after the \ninteraction we have had with that sector in smart grid. So we \nhave well-established relationships with those companies, with \nthose regulators, with those industry associations, and we have \nin fact not only invited them into the process but suggested \nthat they, like other high-performing sectors, put their \npractices on the table as best practices for consideration \nunder the framework.\n    Ms. Matsui. OK. Now, another topic I would like to raise is \nsecuring the cloud. I am pleased that the Administration \ncontinues to pursue its Cloud First policy and is adopting \ncloud technologies to make the federal government more \nefficient and effective. Now, most government agencies are now \nadopting these cloud services. What kind of cyber protections \nand threats and what kinds of challenges do you foresee as the \ngovernment continues to adopt cloud services?\n    Dr. Gallagher. So in the case of government adoption of \ncloud, almost more than the technological challenges of dealing \nwith this are that cloud in some sense breaks policy. \nGovernment-used policy for IT is based on the assumption that \nwe are the owner/operators, that this is an enterprise system \nwithin our agencies and we manage and configure and control all \nof these assets. 
Cloud changes that because many of these \nassets now are provided via contract; they are services. And \nthat shift now creates a challenge, which is, how do I meet my \nresponsibilities as an agency head to protect my IT systems \nwhen my relationship with those that are operating that \nequipment or holding my data or running my applications has \nevolved. And so what we have been trying to do is work with a \nprocess where the cloud community, the companies and cloud \nservice providers, are working with the CIOs from across the \nfederal government and basically mapping out the different use \ncases, very specific use cases where we can take a government \napplication, expose the requirements that those agencies have \nto meet, and then turn to the business community and say how do \nyou help us ensure that we meet those requirements in this new \nspace. So that is leading to a pretty robust process where some \nof the more straightforward areas we have been able to be early \nadopters. Some of the more challenging areas, at least we have \nidentified the specific things we have to work on if we are \ngoing to go there.\n    Ms. Matsui. OK. Thank you. I see my time is up. Thank you.\n    Mrs. Blackburn. The gentlelady yields back. Mr. McKinley, \nyou are recognized for 5 minutes.\n    Mr. McKinley. Thank you, Madam Chairman.\n    Dr. Gallagher, you may or may not be familiar. In West \nVirginia in the Fairmont area on that I-79 corridor, there is a \nconsortium of about 50 different firms that are very much \ninvolved called the West Virginia High Technology Consortium. \nThis issue is probably one of the most important issues facing \nthem, so as a personal privilege, I am asking if we can get \nsomeone from Commerce to come sit down and talk to them about \nthis because it is by far one of the most important issues \nother than perhaps sequestration.\n    Dr. Gallagher. We would be happy to.\n    Mr. McKinley. 
We got a few questions from some of them, and \nI would like to share that. One was, what is the percentage of \nindustry that should be represented as a minimum to ensure that \nthese initiatives have been successful?\n    Dr. Gallagher. So I frankly haven't approached this from \nwhat fraction have to be involved in the development process. \nIn the normal industry-led consensus process, you often don't \nget high penetration where the majority of companies are \ninvolved. But those that have key technology and key drivers, \nthe question is making sure that the standards aren't shaped \nwithout having the right ideas around the room. I think the \nmore important test for success is at the other end, which is \nwhat is the level of adoption. If these are really useful, if \nthese are aligned with business practices and if these are \nhigh-performance, good cybersecurity practices and we don't see \nwidespread adoption, that will be something I worry about.\n    Mr. McKinley. I guess as an engineer, I always like the \nmetrics. I want to see how the metrics work. I know under \nSection 2, it defines from a 30,000-foot elevation what the \ndefinition of critical infrastructure, but down where you and I \nare on the ground, who is actually going to make those calls? \nWhat encompasses critical infrastructure?\n    Dr. Gallagher. I believe in the Executive order, that \ndecision is made by the Department of Homeland Security. I know \nit is not NIST. And I believe it is based on determination \nunder that operational definition that is given early in the \nExecutive order. That determination is basically for purposes \nof supporting participation in the voluntary program.\n    Mr. McKinley. And then in the Executive order, there is \nwhat is called the greatest risk list. That is interesting. 
\nGiven all the discussion here in Washington lately about lists, \nwho is going to be maintaining that list and following up with \nthat list and who is going to be implementing based on that \nlist?\n    Dr. Gallagher. I am not an expert on the list but my \nunderstanding is, that is Department of Homeland Security \nresponsibility and it is to assist them in prioritizing in a \nrisk-based fashion, so if they are going to be taking risk-\nbased actions, they are trying to conform themselves of what \nwould be the highest risk from industry so they can \nappropriately prioritize. But I would have to couch with that, \nyou should double-check that with the Department of Homeland \nSecurity.\n    Mr. McKinley. Thank you very much. I do hope that we will \nsee you at the high-tech foundation where we can all get \ntogether and see if we can put to rest some of their concerns. \nWhen you are talking about 50 firms, probably as many as 50 \nfirms all interacting, it is very much of a concern how much is \ntheir exposure.\n    Dr. Gallagher. One of the great things we don't have to \nworry about here is the companies not being behind this. They, \nI think, understand more than anyone how critically important \nthis is, and that is probably our biggest ally in this entire \neffort.\n    Mr. McKinley. Thank you very much. Madam Chairman, I yield \nback the balance of my time.\n    Mrs. Blackburn. The gentleman yields back. Ms. Schakowsky, \nyou are recognized for 5 minutes.\n    Ms. Schakowsky. Thank you, Dr. Gallagher. I am trying to \nunderstand how the framework interfaces with the CISPA \nlegislation. 
You know, there were some of us including the \nWhite House who felt that there were some deficiencies in the \nbill as it was voted on in the House, particularly dealing with \nreasonable efforts on the part of the companies, which of \ncourse we want to voluntarily comply, but in making sure that \npersonally identifiable information wasn't shared among each \nother or with the federal government, and actually at the time \nwhen we were holding hearings in the Intelligence Committee, \nPaul Smoker from the Financial Services Roundtable argued that \ncompanies should be responsible for minimization, stating, \n``The provider of the information is in the best position to \nanonymize it,'' and then there was also a question of John \nEngler, President of the Business Roundtable, if he thought it \nwas too much of a burden to ask the private sector to ``take \nreasonable steps where reasonable steps can be taken'' to \nminimize information, and Engler replied, ``No, I think it's \nreasonable. I think it's exactly fine.'' So that was one of the \nissues that was raised in the SAP, the statement recommending a \nveto of the legislation, and the other was the broad immunity \nprovision that was given. Is the framework consistent with what \nthe White House has said about CISPA? Is it different? If you \ncould explain that?\n    Dr. Gallagher. So the way I understand it, of course, \nnobody is in disagreement that we have to enable information \nsharing. So the debate about CISPA in some ways is about technical \nissues, about how do you appropriately limit the scope of the \ninformation that is being shared, and the scope of the \nliability protection, and I leave that to the experts. What the \nframework does is in some ways enable that information sharing. \nIn other words, if you receive threat information through \ninformation sharing, can you act on it, how do you deploy that \nprotection through your system. 
In some ways, the framework may \nprovide an answer to this question of cost-effectiveness of \nsome of the things like minimization. If it is costly now for a \nsmaller company to minimize information, it could very well be \nthat through the framework process, we identify some technical \nmeans that are embedded in the technology that are supportive \nof this. So I think it is not that the framework depends on \ncompatibility with CISPA or with the Administration position \nbut it is related to information sharing in the sense that the \nadaptive part of cybersecurity, taking new threat information \nand being able to act on it, is a key part of the performance \nlevel we need to have. Hopefully the framework can provide some \ntechnical assistance in that as it goes forward, and it will be \nnice because that technology assistance will be coming directly \nfrom the industries that have to put it into practice.\n    Ms. Schakowsky. I thank you for that, and I yield back.\n    Mrs. Blackburn. The gentlelady yields back. Mr. Griffith, 5 \nminutes.\n    Mr. Griffith. Thank you.\n    I appreciate you being here today, and obviously we are all \ntrying to struggle through some concerns about privacy and \nappropriateness and when the government should be looking and \nwhen they shouldn't. But I think most of those questions you \nhave already answered, and so I am willing to yield back, Madam \nChair.\n    Mrs. Blackburn. The gentleman yields back. Mr. Rush, you \nare recognized for 5 minutes.\n    Mr. Rush. 
I want to thank you, Madam Chairman, and some of \nthese questions may have been asked and answered already, but I \nthink I have a different kind of slant on it.\n    The Department of Homeland Security, noting that cyber \nattacks against federal agencies increased 782 percent between \n2006 and 2012 for 48,562 separate incidents reported in 2012 \nalone, and a number of experts have estimated that the economic \nimpact from cyber crime to be in the billions of dollars each \nand every year, and we know that here in the United States, our \nmost critical infrastructure including the electric grid, oil \npipelines, communications networks and financial institutions, \nall are vulnerable to manipulation or attack by malicious \nactors who use technology in all parts of the world, and my \nconstituents are as alarmed as most of America is about it. So \nare you confident that NIST has all the tools and the authority \nit needs to successfully implement cybersecurity framework in \norder to minimize and mitigate the risks of attack on the \ndigital infrastructure?\n    Dr. Gallagher. I think if the responsibility fell solely on \nour shoulders, my answer would be absolutely not. I would not \nbelieve we would have the capacity. But the approach we have \ntaken is to actually get behind an industry-led effort. And so \nsince so much of the capacity and the know-how and the \nexpertise and the technology and the leadership comes from \nindustry, and our role is to convene and support that effort, I \nam quite comfortable that we can do that.\n    Mr. Rush. So this alliance of industry, are you satisfied \nwith the level of participation and the level of concrete \noutcomes so as to prevent organized cyber attack?\n    Dr. Gallagher. I am in fact very satisfied. 
My biggest \nconcern when the Executive order process was announced was, \nwould the concerns over potential regulation later, which has \nbeen part of the public debate, basically result in companies \nelecting not to participate in the framework process. That de \nfacto boycott would have been devastating. That would have been \na failure of this entire process. And in fact, the opposite has \nhappened. I would say there has been a very strong tipping-in \neffect. Companies, I think, have fully appreciated that letting \nthem drive this process and own it and run it at market scale \nhas enormous advantages, and I have been gratified, and I think \nthe origin of any optimism I have here is based on the fact \nthat we have so many leading companies participating in this \neffort. It is going to make all the difference.\n    Mr. Rush. I don't know of anything that I can think of that \ndoesn't have challenges, and what are the challenges that this \nframework faces and what are some of the challenges that NIST \nfaces?\n    Dr. Gallagher. I would agree. In fact, the sign of maturity \nthat you should look for in a couple months is that we are up \nto our eyeballs in challenges. That means that this has become \nvery real. I think there is going to be lots of them. At the \nvery highest level, I think the challenge I am most interested \nto see how to resolve is the integration of cybersecurity into \nthe business practices of these entities. This can't be a bolt-\non, add-on activity that companies do. It has to be embedded in \nwhat they do, and that means integration with the risk \nmanagement that they do, with their business functions, with \ntheir costs. It has got to be good business to do good \ncybersecurity, and I think that is going to raise a number of \ninteresting challenges. Some of those may touch on the \nincentive discussions that we have already had. 
But I think \nthat among what will certainly be a long list of technical \nchallenges and areas where we just have to do better and find \nbetter solutions.\n    Mr. Rush. Thank you, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back. Mr. Johnson, you \nare recognized for 5 minutes.\n    Mr. Johnson. Thank you, Madam Chair. First of all, thank \nyou, Dr. Gallagher, for being here today. I don't really have \nany questions but just a brief comment.\n    I spent nearly 30 years of my professional career in \ninformation technology, and I certainly understand the \nchallenges that we face with cybersecurity. There are those \nthat will always be out there that because they can, some of \nthem for no other reason than that, try to wreak havoc and \ndisrupt our networks. Some have a much more malicious intent in \nstealing information that doesn't belong to them, taking down \nour capabilities and so forth. So I am grateful to be serving \non a committee here that takes this issue very, very seriously \nbecause I think it is indeed a very, very serious issue and I \nlook forward to working with my colleagues and the \nAdministration to make sure that we do the right things, and \nwith that, Madam Chair, I will yield back.\n    Mrs. Blackburn. The gentleman yields back. Chairman Pitts?\n    Mr. Pitts. I will waive.\n    Mrs. Blackburn. The chairman waives. Mr. Harper?\n    Mr. Harper. Thank you, Madam Chair, and Dr. Gallagher, \nthank you for taking the time. You can see by the attendance in \nhere, this is a very important subject, and we appreciate your \ninsight today.\n    I am blessed to have a great university in my congressional \ndistrict, Mississippi State University, which is designated as \na National Center of Academic Excellence by the National \nSecurity Agency and the Department of Homeland Security in \ninformation assurance education. 
So my question is, what has \nacademia's role been in the formulation of cybersecurity \nframework, and do you see that role expanding?\n    Dr. Gallagher. I do, and I think that it is going to draw \non the two great strengths of academia. I think on one hand it \nis the education of our youth and providing the knowledge base \nand the talent and the expertise to address this. This is not \nan easy thing, and it is going to need our best and brightest \nminds on it. And the other area is actually in the research \nfunction of our universities. I think we don't have all the \nanswers. I think there are areas where the technology can do \nbetter, and I think we count on them to come up with those \nbreakthrough ideas that will make this all a much more \naddressable problem. So I think it is going to draw on their \ntwo core strengths.\n    Mr. Harper. Thank you, Dr. Gallagher, and with that, I \nyield back, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back, and Dr. \nGallagher, that concludes our questioning for today. You have \nbeen very patient, and it will conclude our first panel, but \nbefore you go, I have to tell you, you mentioned for your \nworkshops, you have said southern California and Pittsburgh. \nNashville, it ought to be on that list. We would appreciate \nthat. And we will go into recess for a moment while we set the \nsecond panel.\n    [Recess.]\n    Mrs. Blackburn. At this time we are ready to begin our \nsecond panel. I thank you all for moving quickly into your \nspots so that we can move forward. We welcome our second panel: \nMr. Dave McCurdy, President and CEO of the American Gas \nAssociation; Mr. John McConnell, Vice Chairman of Booz Allen \nHamilton and former Director of National Intelligence; \nAmbassador James Woolsey, Chairman of Woolsey Partners and \nformer Director of Central Intelligence; Mr. Mike Papay, the \nChief Information Security Officer and Vice President for Cyber \nInitiatives at Northrop Grumman; Dr. 
Phyllis Schneck, Vice \nPresident and Chief Technology Officer, Global Public Sector \nfor McAfee. And I yield to Mr. Lance for the next brief \nintroduction.\n    Mr. Lance. Thank you, Madam Chair. I have the honor of \nintroducing Charles Blauner from Citi, who is the head of \ninformation security for that great company, and he has \nextensive experience in both New York and London, and he is a \nresident of the district that I serve. He lives in Basking \nRidge, Bernards Township, Somerset County, New Jersey. Thank \nyou, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back, and we continue \nwith Mr. Duane Highley, the President and CEO of Arkansas \nElectric Cooperative Corporation. Mr. Highley is appearing on \nbehalf of the National Rural Electric Cooperative Association. \nAnd Mr. Robert Mayer, the VP of Industry and State Affairs at \nthe United States Telecom Association. You all sound like the \ncast of characters in a sci-fi movie, and we are delighted that \nyou all are here. Mr. McCurdy, we begin with you for 5 minutes \nof testimony to summarize.\n\n STATEMENTS OF HON. DAVE MCCURDY, PRESIDENT AND CEO, AMERICAN \nGAS ASSOCIATION, AND FORMER CHAIRMAN OF THE HOUSE INTELLIGENCE \nCOMMITTEE; JOHN M. (MIKE) MCCONNELL, VICE CHAIRMAN, BOOZ ALLEN \n    HAMILTON, AND FORMER DIRECTOR OF NATIONAL INTELLIGENCE; \n AMBASSADOR R. JAMES WOOLSEY, CHAIRMAN, WOOLSEY PARTNERS LLC, \nAND FORMER DIRECTOR OF CENTRAL INTELLIGENCE; DR. MICHAEL PAPAY, \nVICE PRESIDENT AND CHIEF INFORMATION SECURITY OFFICER, NORTHROP \n    GRUMMAN INFORMATION SYSTEMS; DR. 
PHYLLIS SCHNECK, VICE \n PRESIDENT AND CHIEF TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, \n   MCAFEE, INC.; CHARLES BLAUNER, GLOBAL HEAD OF INFORMATION \n SECURITY, CITIGROUP, INC., ON BEHALF OF THE AMERICAN BANKERS \n    ASSOCIATION; DUANE HIGHLEY, PRESIDENT AND CEO, ARKANSAS \n  ELECTRIC COOPERATIVE CORPORATION, ON BEHALF OF THE NATIONAL \nRURAL ELECTRIC COOPERATIVE ASSOCIATION; AND ROBERT MAYER, VICE \n PRESIDENT, INDUSTRY AND STATE AFFAIRS, UNITED STATES TELECOM \n                          ASSOCIATION\n\n                   STATEMENT OF DAVE MCCURDY\n\n    Mr. McCurdy. Thank you, Madam Chair, and thank the ranking \nmember as well for the opportunity to be here. I am Dave \nMcCurdy, President and CEO of the American Gas Association, and \nalso relevant to this hearing, I am a former chairman of the \nHouse Intelligence Committee in this body, and just to start \noff, thank you for your comments earlier about Moore, Oklahoma, \nwhich was in my district as well years ago.\n    AGA represents over 200 local gas companies that deliver \nnatural gas to more than 71 million U.S. residential, \ncommercial, and industrial gas customers. AGA is an advocate \nfor local natural gas utility companies and provides a range of \nprograms to natural gas pipelines, marketers, gatherers and \nindustry associates. Natural gas is the foundation fuel for a \nclean and secure energy future, providing benefits for the \neconomy, our environment and our energy security.\n    Alongside the economic and environmental opportunity \nnatural gas offers comes a responsibility to protect its \ndistribution pipeline systems from cyber attacks. Web-based \ntools have made natural gas utilities more cost-effective, \nsafer and better able to serve our customers. However, the \nopportunity cost of a more connected industry is that we have \nbecome a target for sophisticated cyber terrorists. 
This said, \nnatural gas utilities are meeting the threat daily via skilled \npersonnel, a commitment to security, and the cybersecurity \npartnership with the federal government.\n    This government-private partnership in cybersecurity \nmanagement is critical for us. Our utilities deliver and our \nsystems are the safest energy delivery system in the world. \nThis said, industry operators recognize there are cyber \nvulnerabilities with employing web-based applications for \nindustrial control and business operating systems. Because of \nthis, gas utilities adhere to myriad cybersecurity standards \nand participate in an array of cybersecurity initiatives. \nHowever, the industry's leading cybersecurity tool is a \nlongstanding cybersecurity information-sharing partnership with \nthe federal government. Natural gas utilities work with \ngovernment at every level to detect and mitigate cyber attacks, \nin particular, AGA members with the Transportation Security \nAdministration, Pipeline Security Division of TSA, the agency \ntasked with overseeing distribution pipeline cybersecurity. In \naddition, gas utilities collaborate with ICS-CERT on \ncybersecurity awareness, detection and mitigation programs. \nSimply put, TSA and ICS-CERT understand cyber threats, natural \ngas utilities understand their operations, and we work together \nto protect critical infrastructure.\n    AGA's perspective in this is that since the Executive \norder's impact on gas utility cybersecurity could be \nsignificant, we participated on the Executive order's cyber \ndependent infrastructure identification, cybersecurity \nframework collaboration, and the incentive working groups. 
In \naddition, AGA chairs the Cybersecurity Working Group of the Oil \nand Natural Gas Pipeline and Chemical Sector Coordinating \nCouncil, a panel established to address Executive order \nactivities, and if I could, Madam Chair, in response to the \nquestions from the committee make just a couple quick \nobservations.\n    Clearly, there is certain disagreement within sector-\nspecific agencies about whether natural gas facilities should \nbe considered critical cyber dependent, cyber dependent being \nthe word infrastructure. For natural gas entities which answer \nto multiple federal agencies, this uncertainty is unsettling. \nRegardless of the ultimate answer, we hope that the \nInfrastructure Identification Working Group will decide this \nquestion in an open and collaborative fashion.\n    With regard to Dr. Gallagher's testimony on the NIST \ncybersecurity framework, at present the NIST cybersecurity \nframework development process appears headed in the proper \ndirection. This said, natural gas utilities have some general \nconcerns. First, the framework development process could \nbenefit from more consideration of existing cybersecurity \nstandards, including TSA standards applicable to gas utilities. \nIn addition, framework provisions must be flexible and not \nmorph into regulations, which will quickly become outdated due \nto an ever-changing cyber threat landscape. And finally, the \nframework must be flexible enough to allow companies to tailor \ncybersecurity systems to their own operational needs. And \nthird, the Executive order directs DHS to help develop \nincentives that will spur industry adoption of the NIST \nframework. However, most of the proposed incentives put forth \nso far are little more than government services like enhanced \ncybersecurity support that in fact should be in any \ncybersecurity program. 
The fact is, absent new statutory \nauthority to provide meaningful incentives like information \nsafe harbors and cybersecurity liability protections, the \ngovernment is limited in what it can do to entice \nparticipation. Industry would be better served via reinforced \nsupport for federal programs that provide training, onsite \ncybersecurity evaluations and system compromise support.\n    And lastly, Madam Chair, the case for cybersecurity \nlegislation or CISPA, ultimately AGA does believe there is a \nrole for cybersecurity legislation to help counter cyber \nattacks and protect networks against future incursions, \ncritical infrastructure needs, government to help identify, \nblock and/or eliminate cyber threats. Harnessing the \ncybersecurity capabilities of the government intelligence \ncommunity, so my colleagues, former colleagues on my left here, \non behalf of the private sector and networks will go a long way \ntowards overall network security. AGA supports----\n    Mrs. Blackburn. Mr. McCurdy, please sum up.\n    Mr. McCurdy. AGA supports the recently passed legislation \nand urges the Senate to follow suit, and we thank you for the \nopportunity to testify and will answer questions.\n    [The prepared statement of Mr. McCurdy follows:]\n    \n    Mrs. Blackburn. Thank you.\n    Mr. 
McConnell, you are recognized for 5 minutes, and as a \nreminder, you have the timers in front of you.\n\n             STATEMENT OF JOHN M. (MIKE) MCCONNELL\n\n    Mr. McConnell. Thank you, Madam Chairman. I want to first \nof all make the point that I am speaking as a citizen. I do not \nrepresent any company or organization.\n    I have one main point to make to the committee. Legislation \nis required. Legislation is required. If we don't have it, we \nwill not solve this problem. Now, the debate will be whether \nyou incentivize participation by the private sector or you \ncompel. That is something that Congress will have to debate.\n    I have four main points to make. The government produces \nunique information. That is the community that I come from, \nunique information. It is not produced anywhere else in the \nworld inside the United States. It is code breaking, it is \nintelligence, it is understanding threats before they happen. \nWe must determine a way to share the information with the \nprivate sector. That means we have to change the rules. That is \na requirement that will only be achieved through legislation.\n    The second point I would make is, we must establish \ncybersecurity standards. They must be able to evolve and they \nmust be dynamic. That will give us two choices to make: do you \nincentivize, as discussed earlier in the first panel, or do you \ncompel. That is going to be a decision that this Congress will \nhave to wrestle with, but one way or the other, we must have \nthose standards. We also must finally address the privacy \nconcerns, and I have fingerprints over a bill called FISA, \nForeign Intelligence Surveillance Act. So the congressional \nrecord will show the 2-year debate, actually 3 years--I was \nonly involved for 2 years--to get that to closure. The issue \nis, we must be able to do the intelligence mission of the \ncountry while protecting the privacy and civil liberties of our \ncitizens. 
I have a single recommendation: put it in law what \nyou don't want to happen, and the community will react to that \nlaw because we are a nation of laws. It is the responsibility \nof the Congress to oversee and ensure that that law is complied \nwith.\n    Now, the debate will be, is screening traffic coming in \nthrough an international gateway for malware, is that reading a \ncitizen's mail. That will be the debate. You will have to \nwrestle with that question to get it resolved because today the \nChinese, because they are clumsy and because they have a policy \nof building cyber tools for warfare but they have a policy of \neconomic espionage, they are stealing the intellectual \nlifeblood of this country. We have to deal with that, and we \nstrip out that malware at the international gateway. \nFortunately for us, the Iranians, because they are hammering \nU.S. banks with denial-of-service attacks, are causing the \nNation to focus on this issue. I have been focused on it for 20 \nyears. We are finally getting to a point of addressing it. It \nwill require legislation. Thank you for your time.\n    [The prepared statement of Mr. McConnell follows:]\n    \n    Mrs. Blackburn. Thank you, Mr. 
McConnell.\n    Ambassador Woolsey, you are recognized for 5 minutes.\n\n                 STATEMENT OF R. JAMES WOOLSEY\n\n    Mr. Woolsey. Thank you, Madam Chairman. I am going to talk \nabout a little different kind of cyber than normally comes into \nthe picture. Congressman Burgess referred earlier to Dr. Peter \nPry's and my op-ed in the Wall Street Journal this morning on \nthis subject.\n    It has to do with electromagnetic pulse. We don't get to \ndefine ourselves the problems we want to deal with and ignore \nthem because they don't fit into some bureaucratic category of \nours. Both Russia and China as well as North Korea and Iran \ninclude the use of electromagnetic pulse against our \ninfrastructure as part of information warfare and cyber \nwarfare, and they are working hard at it.\n    Electromagnetic pulse may hit the world, the United States \nand other parts of it, through solar activity, and some people \nfocus principally on this called coronal mass ejections. It is \nessentially a huge solar storm, much better than anything we \nnormally experience. It happens about once every 100 years, and \nwe are somewhat overdue for one of these. These could have a \nvery, very powerful effect on our electric grid. But insofar as \nwe are talking about human activity, the basic problem is that \na detonation of even a relatively small blast nuclear weapon 30 \nkilometers or more above the United States, let us say on a \nwarhead that is in orbit or one that is carried aloft even by a \nweather balloon, can seriously, very seriously damage and \nindeed destroy a substantial share of the electricity \nconnections that hold together our electric grid. 
One estimate \nfrom the report of the commission to assess the threat to the \nUnited States of electromagnetic pulse, a congressional \ncommission that reported in 2004 and in 2008, is that with a \nrelatively low-level attack launched only by a weather balloon \ncould take out approximately 70 percent of the country's \nelectricity with a single blast.\n    What is going on here is that gamma rays are one of the \nproducts of a nuclear detonation. We are all used to thinking \nof nuclear detonations as being more powerful and more damaging \nif there is a lot of blast because blast is what would be used \nto attack a specific target on the ground--a military \ninstallation, an ICBM silo or whatever. Electromagnetic pulse \nis different. It is something that occurs because of the gamma \nrays that are sent out by a nuclear detonation but an extremely \neffective electromagnetic pulse weapon could have a lot of \nradiation and very little blast--two, three, four single-digit \nblast efforts coupled with a lot of gamma rays and nuclear \nemanations of different kinds. What that produces, even if it is \nas high as several hundred kilometers, is three waves of \nelectromagnetic pulse, the first and third being the damaging \nones, the first one attacking essentially all electronic \nconnections, and the third one attacking the grid itself, \nparticularly the transformers and the long-range transfer \nsystems.\n    The Chinese leading theorist on this subject, Chang \nMengxiong, says that information war and traditional war have \none thing in common, namely that the country which possesses a \ncritical weapon such as atomic bombs will have first-strike \ncapabilities. As soon as its computer networks come under \nattack and are destroyed, the country will slip into a state of \nparalysis and the lives of its people will grind to a halt. \nNorth Korea appears to be attempting to implement information \nwarfare doctrine with electromagnetic pulse. 
In December of \n2012, it demonstrated that it had the capability to launch a \nsatellite on a polar orbit circling the earth at an altitude of \n500 kilometers. That high, it is not entirely clear that we \nwould be able to destroy that satellite essentially carrying a \nnuclear weapon in orbit. We have canceled all of our programs \ndealing with boost-phase or space-based defensive systems, and \nindeed, the Administration has not even requested any study \nmoney for this type of system, which would potentially have a \nsubstantial effect on this type of threat.\n    I would urge--and finally, I see the time is over--I would \nurge that we not get bogged down in the issue of volunteerism \nversus government order. On something like this, we have to \nhave a national policy and a national commander-in-chief, \npresumably the President, but with someone reporting to him who \nis in charge of dealing with this kind of threat. The taking \nout of our electric grid takes out all 17 other critical \ninfrastructures. It takes out food, it takes out water, it \ntakes out natural gas, it takes out practically everything you \ncan think of. The casualty estimates for electromagnetic pulse \nattack in the congressional report are up in the range of two-\nthirds of the country dying under such an attack because there \nwould be after a very short period of time no food, no \nelectricity, no water, etc.\n    Mrs. Blackburn. Ambassador, if you would wrap up.\n    Mr. Woolsey. The North Koreans have already tested both \nlow-yield and we believe high-gamma-ray nuclear weapons. They \nhave tested satellites, put a satellite in orbit. The Iranians \nhave put three satellites in orbit and are in the process of \nworking very hard on having a nuclear weapon. 
We could well \nwithin months have two rogue states who are capable of \nlaunching this type of attack against the United States as part \nof their information warfare cyber campaign.\n    Thank you, Madam Chairman.\n    [The prepared statement of Mr. Woolsey follows:]\n    \n    Mrs. Blackburn. And thank you.\n    Dr. Papay for 5 minutes.\n\n                   STATEMENT OF MICHAEL PAPAY\n\n    Mr. Papay. Madam Chair and other members of the committee, \nNorthrop Grumman appreciates the opportunity to discuss this \ncritically important topic with you today. I am Mike Papay. I \nam the Chief Information Security Officer and Vice President \nfor Cyber Initiatives for Northrop Grumman. That means I cover \nboth the internal cyber business of Northrop Grumman as well as \nthe external cyber strategy.\n    Northrop Grumman is one of the leading cybersecurity \nproviders to the federal government and has expansive and in-\ndepth knowledge, experience and expertise in these critical \naspects of our Nation's technology framework. We build, supply \nand manage cyber solutions for customers that include the \nDepartment of Defense, intelligence communities, civilian \nagencies, international governments, state and local \ngovernments, and the private sector. Northrop Grumman is \nhonored to be trusted with the challenge of protecting some of \nthe world's most targeted systems.\n    The Defense Industrial Base's information sharing program \nhas demonstrated the benefits of industry-government \ncollaboration. Northrop Grumman was a founding member of this \ngroundbreaking framework. 
While this effort has demonstrated \nthat public-private information sharing can yield many \nsuccesses, we also learned that some of the toughest challenges \nare not technological but cultural and legal. Northrop Grumman \nwas proud to announce last week that it will participate in the \nnext-generation government-private sector information-sharing \nprogram, DHS's Enhanced Cybersecurity Services.\n    Given our experience, Northrop Grumman very much \nappreciates the seriousness and urgency of the cyber threat. We \ndo believe that the President's Executive order is an important \nstep in the right direction, but the EO's ultimate success will \nbe determined by the effectiveness of the individual agencies' \nefforts in implementing their assigned responsibilities. We \nappreciate the government's ongoing outreach to industry, and \nwe recently actively engaged with NIST to support the \ndevelopment of its cybersecurity framework. However, the EO \nalone cannot address the full range of cybersecurity issues. \nLegislation is still required to facilitate and encourage \ncompanies to secure their own networks and break down the \nbarriers to sharing cyber threat information.\n    We applaud the House of Representatives' recent passage of \ncybersecurity legislation, especially the strong bipartisan \nvote in favor of the CISPA, which we hope will build momentum \ntowards bills passing both chambers.\n    Northrop Grumman is committed to utilizing our experience \nto support the development of successful cyber policies. We \nencourage legislation that improves the agility of the federal \nacquisition process to address rapidly evolving cyber threats, \nincreases investments in cybersecurity technology and training \nof our current workforce, and supports the development of the \nnext generation of scientists and engineers. We must be \nmindful, however, that our Nation's cybersecurity cannot be \nfixed with one law or policy change. 
Effective cybersecurity \npolicies should be risk-based and as adaptable as the threat \nitself. These cyber efforts must also carefully balance civil \nliberties and greater security. These are not mutually \nexclusive goals. Indeed, if we do not strengthen our cyber \ndefenses, we imperil the civil liberties that we hold dear.\n    Please consider Northrop Grumman a resource. We look \nforward to working with Members of Congress on both sides of \nthe aisle and the Administration to make our world safer and \nmore secure.\n    I look forward to answering any questions you might have.\n    [The prepared statement of Mr. Papay follows:]\n    [GRAPHIC] [TIFF OMITTED] 82197.029 through 82197.035\n    \n    Mrs. Blackburn. Thank you, Dr. Papay.\n    Dr. Schneck, you are recognized for 5 minutes.\n\n                  STATEMENT OF PHYLLIS SCHNECK\n\n    Ms. Schneck. Good afternoon, and thank you, Vice Chairman \nand other members of the committee, and thank you very much on \nbehalf of McAfee for the opportunity to testify here today.\n    I am the Vice President and Global Chief Technology Officer \nfor Public Sector for McAfee looking at how our products adapt \nto protect global government, federal, State and local, and \ncritical infrastructure, and I also have the honor of vice \nchairing the Information Security and Privacy Advisory Board \nthat reports up to this committee. 
So thank you very much for \nthat.\n    McAfee protects 160 million points of presence across the \nworld, global cybersecurity products, largest pure-play \nsecurity company on the planet, wholly owned subsidiary of the \nIntel Corporation with headquarters in Santa Clara, Plano, \nTexas, as well as our large labs operation in Oregon.\n    I want to start in the spirit of this testimony with an \nanecdote of the attack called Night Dragon in February of 2011, \nwhere McAfee led an investigation in which we saw five oil and \ngas companies lose their oil exploration diagrams, all that \nintellectual property, in a matter of weeks, and it was sent off \nto another country, and overnight, as we put the whole story \ntogether, worked with our partners to share that information, \nworked with other companies, wanted to warn the sector, legal \ncounsel came out in the middle of the night and said please \ndon't, and they were deeply concerned at that point that if the \nstock prices of those companies affected and others throughout \nthe sector dropped the next morning, McAfee would be liable. That \nsame night, I got an angry phone call from a high-ranking \nofficial in law enforcement very upset that we didn't share the \ninformation with him sooner. This is a position that we are all \nin at some time, and this is what we need to fix. We should \nnever have to choose between protecting a sector, protecting \nour country, versus legal liabilities. So in that spirit, I want \nto talk about two things, the science and policy, that I \nbelieve that we can use to fix this.\n    First, culling one of many technologies because it pertains \nso directly to the energy sector. The cybersecurity community \nhas evolved. 
Instead of what we call blacklisting or letting \neverything in and then looking very carefully to figure out \nwhat we think might be bad and trying to block it, we instead \ndo what we now call whitelisting: only let in the things that we \nknow are good, only let instructions execute if we know that \nthey are good, and as a wholly owned subsidiary of Intel, I can \ntell you that we can do that all the way to the chip at the \nhardware. But going and evolving to that technology is \ndifficult, and I will explain why in a moment, but this \ntechnology has expanded our ability to protect components as a \ncommunity of the electric grid, of the energy sector, and \nacross critical infrastructure.\n    The other piece is information sharing. We greatly applaud \nthe efforts of NIST, of DHS, looking at how we partner \ntogether, public and private. We all see an enormous piece of \nthis picture but it is not enough until we put it together. We \nall fight an adversary that is fast and loose, has no legal \nboundaries and can execute on a moment's notice with all the \npower in the world and all the money in the world. If we can \ntake our information and share it and put that puzzle together, \nwe regain the power of our electronic infrastructures. This is \nwhat they cannot do. If you think about really sharing \ninformation at light speed between machines, we call this \nsecurity connected at McAfee, but when you block something, \nyou are able to instantly in milliseconds warn other components \naround you and around the network and take their warnings, that \nis golden. And between people, like what happened in Night \nDragon, we want to be able to share that, and we need the \nprotections to do so.\n    The key here is the small to medium businesses that were \nmentioned earlier, over 99 percent of our business fabric, many \nof those in the energy sector. 
We are missing not only not \nbeing able to protect them--they are probably building the \nnext-gen engine--but we are missing the information we get from \nthat entire piece of the global business sector by not getting \nthat information back in, and that partnership with NIST and \nwith Homeland Security exemplifies the importance of global \nstandards to do this. And I want to highlight the financial \ncommunity, the financial sector, who has gone out and worked \nwith NIST and DHS to build those global standards to be able to \nshare, no matter what product you have to be able to share \nmathematical indicators, preserving civil liberties and just \ndoing math on what might be dangerous coming toward you.\n    How do we do this? With positive incentives. First off, \ndriving by innovation. That whitelisting technology, our \ncustomers begged for that in the CIP requirements but it was \nmandated that they only use blacklisting, so for compliance so \nthey wouldn't get penalized, they used a weaker form and were \nnot as secure. Now 2 years later, because regulation moves so \nslowly, we are finally looking at getting whitelisting in there \nas an acceptable form of ``compliance.''\n    The other piece: liability protections. Help us share. \nThere is so much information we want to share, per previous \ntestimony, be able to get information from the government, give \ninformation to the government and provide again that privacy, \nthat civil liberties that makes our country so unique. We have \nto be able to do all this and we have to be able to get it \nright. This is the agility and the alacrity that today is only \nenjoyed by the cyber adversary. Today at 320 gigs per second on \nthe finest routing equipment in the world, bad people are \nsending bad things to good infrastructure. This is our danger \nto the energy infrastructure. You could risk intellectual \nproperty theft. 
You could risk credential harvesting where \npeople pretend to be you and access our infrastructure and \neffect negative change, and also of course destruction and the \nthings that we see in the movies. Insurance provisions, tax \nprovisions, all these other positive incentives help us drive \nthe innovation to put our information together and to improve \ntechnology as fast as the adversary does to us.\n    Thank you very much for requesting McAfee's views on these \nissues. I am happy to answer any questions.\n    [The prepared statement of Ms. Schneck follows:]\n    [GRAPHIC] [TIFF OMITTED] 82197.036 through 82197.044\n    \n    Mrs. Blackburn. Thank you.\n    Mr. Blauner for 5 minutes.\n\n                  STATEMENT OF CHARLES BLAUNER\n\n    Mr. Blauner. Chairman Blackburn, Ranking Members, members \nof the committee, my name is Charles Blauner. I am the Global \nHead of Information Security for Citi, and I set the \ninformation security strategy for Citi. I am accountable for \nthe information security risk posture across all of our lines \nof businesses, functions and regions. In addition, I serve as \nthe Chairman of the Financial Service Sector Coordinating \nCouncil, also known as FSSCC, which coordinates protection of \ncritical financial services infrastructure focusing on \noperational risks. I appreciate the opportunity to be here \ntoday to testify on behalf of the ABA.\n    I would like to begin by commending the House for its \nrecent passage of the Cyber Intelligence Sharing and Protection \nAct. 
This legislation, if enacted, will greatly facilitate \ninformation sharing regarding the serious threats to our \nNation's critical infrastructures. We are also supportive of \nthe Administration's Executive order, which provides important \ndirection to both the public and private sector to enhance our \nNation's cybersecurity protections.\n    There are three key points I would like to highlight today. \nFirst, the public and private partnership between government \nand the financial services sector is critical to protecting \nfirms against cyber threats, and we pledge to continue this \ncollaboration to further our mutual goals. The most recent \nexample of our collaboration is a unified response to the cyber \nattacks that have targeted the U.S. financial services sector \nsince September 2012. This partnership, facilitated by the FS-\nISAC, or the Financial Services Information Sharing and \nAnalysis Center, allows for real-time collaboration on measures \nto mitigate the attacks and provides a forum to request and \nacquire specific governmental technical assistance.\n    Second, the ABA believes that the development and \nimplementation of the NIST cybersecurity framework should \nleverage existing standards, regulations or processes. \nFinancial institutions are already subject to significant \nfederal and state law and regulations that emanate from the \nGramm-Leach-Bliley Act of 1999. These requirements are \nsubstantially similar to those developed by NIST, and it is \nextremely important that the implementation of the NIST \ncybersecurity framework be leveraged and complementary to the \nexisting audit and examination process. Otherwise we will end \nup with redundant audit requirements that become a compliance \nexercise and do absolutely nothing to enhance cybersecurity.\n    Third, the ABA also believes that timely cross-sector \ninformation sharing is key to cybersecurity protection. 
While \nthe existing mechanisms play a vital role in incident response \ncoordination, improving and encouraging information sharing is \nessential to protecting the financial services sector and the \nNation. It is of utmost importance to increase the volume, \ntimeliness and quality of threat information shared by federal \nagencies, law enforcement and the U.S. intelligence community \nwith the private sector so they may better protect themselves \nagainst cyber threats. Thus, we need our government partners to \nexpedite the processing of security clearances and to \ndeclassify and more broadly disseminate threat information \ncritical to enhancing our Nation's ability to protect itself \nfrom cyber threats.\n    It is important to note that a key factor in the success of \ninformation sharing is trust, which takes years to develop. The \nABA, the FS-ISAC and FSSCC have worked hard to develop trust \nbetween its members and public and private sector partners. We \ncan't afford to dismantle that trust, and we will continue to \ndevelop trust and confidence in our sharing efforts.\n    The ABA also believes that foundational work needs to be \ndone to share our goal of enhanced cybersecurity. The \ndevelopment of technical capabilities relies on robust research \nand development that can quickly yield new commercial products \nto protect individual firms and critical shared infrastructure. \nI would also like to note that these efforts, often supported \nby the resources of banks like Citi and other large financial \nfirms, help create tools and defenses that help banks of all \nsize cope with cyber threats. Beyond technical capabilities, \nthe demand for skilled resources outstrips supply today. A \ncoordinated effort is required to develop a skilled workforce \nthat is up to the task of defending us against today's and \ntomorrow's cyber threats.\n    In conclusion, cybersecurity is a top priority for banks and \nother financial services companies. 
We have invested an \nenormous amount of time, energy, and resource into placing the \nhighest level of security, and we are subject to stringent \nregulatory requirements. We also look forward to continuing to \nwork with Congress and the Administration towards our mutual \ngoal of protecting our Nation's critical infrastructure.\n    Thank you, and I would be happy to answer any questions you \nmight have.\n    [The prepared statement of Mr. Blauner follows:]\n    [GRAPHIC] [TIFF OMITTED] 82197.045 through 82197.055\n    \n    Mrs. Blackburn. We thank you.\n    Mr. Highley, you are recognized for 5 minutes.\n\n                   STATEMENT OF DUANE HIGHLEY\n\n    Mr. Highley. Thank you, Madam Chair, Ranking Member and \nmembers of the committee. Thank you for the invitation to \ntestify today regarding the electric power sector's work on \ncybersecurity. I serve as President and CEO of Arkansas \nElectric Cooperative, which is a nonprofit power supply system \nserving 17 distribution systems which in turn serve about 1 \nmillion Arkansans.\n    Like other cooperative managers, I report to a \ndemocratically elected board representing the customers I \nserve. Cooperatives work for the members we serve, and that \nkeeps us focused solely on their needs. 
The electric \ncooperatives of Arkansas are members of the National Rural \nElectric Cooperative Association, a service organization for \nover 900 nonprofit electric utilities serving over 42 million \npeople in 47 states.\n    Today I am offering testimony on behalf of the Arkansas \ncooperatives and the NRECA, but I am also sharing information \nfrom an overall industry perspective based on my work with the \nNERC Electric Subsector Coordinating Council and the National \nInfrastructure Advisory Council.\n    Whether cooperative, investor-owned or public power, \nelectric providers agree on the need for robust and rapid \nrecovery from natural disasters, physical attacks and cyber \nattacks. I think I can summarize my testimony in two \nstatements, each 10 words or less. First, NERC has it covered; \nplease don't mess it up. Second, we need to talk.\n    Now, on the first subject, we appreciate the Energy and \nCommerce Committee's engagement on this topic. You played a \nlarge role in the discussions that led to the creation of the \nNorth American Electric Reliability Corporation, or NERC, and \nits standards regime. Under that regime, the Federal Energy \nRegulatory Commission, FERC, can today, without any \nadditional legislation, order NERC to develop \nmandatory, enforceable standards on any topic. NERC has \ndeveloped a number of standards for cybersecurity in electric \npower systems, and can and does enforce these standards through \naudits, inspections, and fines. The standards are developed in \na collaborative process with all stakeholders, which has \nresulted in enforceable standards that have improved the \nreliability of the North American electric grid.\n    To my knowledge, the electric power sector is the only \ncritical infrastructure sector with such a robust regulatory \nframework, and I believe that this framework can serve as a \nmodel for the other critical infrastructures. 
The grid is an \nextremely complex machine, and changes to the way it operates \nmust be carefully coordinated with all stakeholders or \nreliability will suffer. The NERC standard-setting process \nprovides a platform to vet all potential impacts with input \nfrom those who understand the grid the best. Regulations issued \nwithout consideration of these impacts run the risk of reducing \ngrid resiliency rather than enhancing it. We have already \ndeveloped a method that has been proven to work, so in summary, \nNERC has it covered. Please don't mess it up.\n    On the second topic, we need to talk, we are glad to see \nthe Executive order's emphasis on information sharing. We have \nrecently begun a top-level dialog between utility CEOs and \ngovernment, as recommended by the National Infrastructure \nAdvisory Council. We very much appreciate the leadership shown \nby many members of this committee in developing CISPA and \ngetting it passed overwhelmingly in the House.\n    This year we have seen some progress in getting security \nclearances for key personnel in our industry. It is hard to \nhave a partnership when one party can't tell the other what is \ngoing on, and our staff must be able to conduct honest \nconversations with government representatives about the threat \nenvironment. While relationships have developed over time, and \nwe do receive useful information through mechanisms such as the \nES-ISAC, we still know of instances where government is slow to \nshare information or has developed plans for our industry's \nresponse to cyber events that it has nonetheless classified as \ntop secret. So we welcome the continued dialog and hope that the \nSenate will join in crafting mechanisms and law that will \nensure our owners and operators get timely, actionable \ninformation. In summary, we need to talk.\n    Other witnesses have raised the issue of electromagnetic \npulse. 
Utilities can do a lot, but we cannot defend against \nnuclear strikes from enemy nations or other terrorist \norganizations. Electromagnetic pulse and its related \ngeomagnetic disturbance from solar storms are very real \nthreats, and FERC has just issued a rule directing NERC to \ndevelop standards on geomagnetic disturbances within the next 6 \nmonths for phase I and 18 months for phase II, so action is \nbeing taken. Experts outside the utility sector often \nrecommend untested technical solutions that really should \nrequire detailed analysis and studies before installation to \nensure that grid reliability is not harmed. Some even propose \ntechnology-specific solutions that could greatly reduce the \nability for utilities to use other useful products and \nsolutions. As I said before, the grid is very complex and one-\nsize-fits-all fixes are generally not appropriate and may \nactually reduce grid reliability. That is why we support the \ncontinuance of the NERC standard-setting process. It brings \ntogether all stakeholders, including government and industry \nexperts, to design practicable, buildable and cost-effective \nsolutions.\n    Thank you for the opportunity to testify.\n    [The prepared statement of Mr. Highley follows:]\n    [GRAPHIC] [TIFF OMITTED] 82197.056 through 82197.062\n    \n    Mrs. Blackburn. Thank you.\n    Mr. Mayer.\n\n                   STATEMENT OF ROBERT MAYER\n\n    Mr. Mayer. Thank you, Chairman Blackburn and members of the \ncommittee for giving me the opportunity to appear before you \ntoday. My name is Robert Mayer, and I serve as Vice President \nof Industry and State Affairs at the United States Telecom \nAssociation. 
I have had the privilege in the past of chairing \nthe communications sector coordinating council through which \nthe Department of Homeland Security works to coordinate the \ninfrastructure protection activities of our industry sector \nwith those of the federal, state, local, territorial and tribal \ngovernments. Currently, I chair our sector coordinating \ncouncil's cybersecurity committee.\n    USTelecom member companies, indeed, our entire sector, \nincluding wireless and cable broadband providers, stand on the \nfront lines of cybersecurity. Protecting our networks and our \ncustomers from cyber threats is our highest priority and \nrequires our members to innovate literally every single day to \nmeet the challenges posed by increasingly sophisticated \nadversaries.\n    In our industry's view, the single most important policy \nstep that can be taken to combat this scourge is giving \nappropriately cleared personnel in our companies access to \nreal-time actionable cyber threat information. USTelecom \nsupported passage of the Cyber Intelligence Sharing and \nProtection Act, or CISPA, because voluntary, real-time sharing \nof threat information will provide both the private sector and \nthe government with the essential tools needed to address \nmalicious cyber activity. We especially appreciate the effort \nto balance the many factors necessary to gain overwhelming \nbipartisan passage of CISPA, including providing necessary \nliability protections while at the same time ensuring \nappropriate safeguards for privacy and civil liberties. 
We \ncommend and thank Chairman Mike Rogers, Ranking Member Dutch \nRuppersberger, the authors of several helpful Floor amendments, \nas well as all of those who voted for the bill.\n    Turning to the President's February 12th Executive order, \nwe are pleased that the Order reaffirms the importance of the \npublic-private partnership in assessing and combating threats \nand that it envisions a voluntary and collaborative framework \nfor achieving its goals. USTelecom believes that the government \ncan encourage private sector acceptance and adoption of that \nframework by ensuring, among other things, that it remains a \ntrue partnership among all parties at all levels with the \nflexibility that rapidly changing technological threats require \nand with strong legal protections and incentives for \nparticipation.\n    I want to express our industry's hope and optimism that the \nprocess of implementing the Executive order will turn out well \nand will lead to widespread acceptance and adoption. We have \nbeen working constructively to date with NIST, DHS and the FCC, \nand hope those good relationships will continue. But we do want \nto bring to the committee's attention Sections 9 and 10 of the \nOrder, because the manner in which they are ultimately \ninterpreted and implemented may spell the difference between \nthe success and failure of this effort.\n    Section 9 relates to the identification of critical \ninfrastructure ``at greatest risk.'' Overly expansive \ndesignations of critical infrastructure may harm innovation by \nleading to predictability and stagnation. Conversely, Section 9 \nmay preemptively exempt a major portion of the Internet \necosystem from even being considered as critical \ninfrastructure, a similarly problematic starting point for \neffective cybersecurity strategy. 
We are watching the \nimplementation of Section 9 closely.\n    Section 10 requires federal agencies to review the \npreliminary framework and determine whether their own current \ncybersecurity regulatory requirements are sufficient. While \nthis section contains language that would encourage agencies to \nreduce ineffective regulation, it arguably also serves as a \nhunting license to regulate, the very thing that would \nundermine the purported goal of the Order: a partnership with \ngovernment to make its citizens safer. We do not believe that \nregulatory proceedings are compatible with addressing \ncybersecurity threats which emerge and evolve at lightning \nspeeds.\n    Likewise, with respect to the agency most closely \nassociated with our industry, the Federal Communications \nCommission, we appreciate and value the contributions it makes \nto the areas of public safety and emergency communications, \nincluding the work of the Communications Security, Reliability \nand Interoperability Council, or CSRIC, in which we \nparticipate. A voluntary and consensus-driven approach, as \ncontrasted with a regulatory approach, is what has made the \nCSRIC process productive and worthwhile.\n    In closing, thank you for holding this timely hearing. We \nare of course on guard against the kind of potential regulatory \noverreach that would slow our response to cyber attacks or \nresult in static, Maginot Line-type defenses that our opponents \nwill easily bypass. Implemented prudently, however, the \nExecutive order may enhance our ability to respond to cyber \nthreats and represent the triumph of government-private sector \ncooperation. Thank you.\n    [The prepared statement of Mr. 
Mayer follows:]\n    [GRAPHIC] [TIFF OMITTED] 82197.063 through 82197.075\n    \n    Mrs. Blackburn. Thank you, Mr. Mayer. I thank each of you \nfor your testimony, and I yield myself 5 minutes for questions.\n    Mr. Mayer, I am going to begin with you. Let us talk for \njust a second about what you just mentioned, and I want to hear \njust a little bit more from you on why you think that the \ninterpretation and implementation of Sections 9 and 10 of the \nExecutive order may spell--what was your statement there?--\nspell the difference between success and failure of the effort. \nSo just another couple of sentences on that?\n    Mr. Mayer. OK. Sure. So the vast body of the Executive \norder governing critical infrastructure under Section 2 is \nunder a voluntary framework. Section 9 carves out what is \ndetermined to be critical infrastructure at greatest risk, and \nthere is a process right now where DHS is working with industry \nand others to determine what is on that list of critical \ninfrastructure. To the extent that that list becomes overly \nexpansive, it will overcome, so to speak, the nature and \nusefulness from our perspective of the voluntary framework, and \nI think it was interesting that Secretary Gallagher mentioned \nas a concern that that very provision might operate to be a \ndisincentive for folks who participate in the voluntary \nframework. 
We are going forward with the presumption that it is \nall going to turn out well and that the voluntary framework \nwill dominate and that there will be----\n    Mrs. Blackburn. So the fear is overreach and uncertainty \nbasically?\n    Mr. Mayer. Yes, ma'am.\n    Mrs. Blackburn. OK. Mr. Highley, I want to come to you. I \nwill just work right down the line. Listening to Mr. Waxman, it \nmade it sound like our electric utilities are just getting \nbombarded every day, and my understanding was, these attacks \nare really fairly rare for you all, and more often than not, it \nis an attack on the consumer-facing side like most businesses. \nSo I just want to be certain, don't you already have mandatory \nstandards that are governing how you should protect your \noperations?\n    Mr. Highley. Yes. The answer is yes. The majority of those \nattacks, while large in number, are the same attacks that every \nbusiness receives to their Internet portal, and those are on \nthe public-facing sides of the business. They are all stopped \nat the gate, and the supervisory control and data acquisition \nsystems have mandatory enforceable standards for how you \ninterface to those. We don't have significant problems with \nattacks to those today.\n    Mrs. Blackburn. OK. Let me just very quickly, a show of \nhands, how many of you prefer staying with standards, the \nvoluntary standards as opposed to going to regulation? How many \nof you prefer standards? OK. All right. I just was curious \nabout that. And then I would like to have one statement from \neach of you. As we look at the cybersecurity framework and the \nplans that are in place for implementation, I would like to \nknow what your primary concern is, and Mr. McCurdy, I would \nlike to start with you and just work down the line, and then I \nwill yield my time.\n    Mr. McCurdy. Thank you, Madam Chair. 
I think our primary \nconcern is that when you are developing the risk profile and \nthe definitions of what is critical infrastructure, that they \nlook at existing tools that DHS has used and TSA, we work \nthrough those. We have a lot of self-assessment tools that \ncompanies run. So that experience should inform a lot in this \nprocess.\n    Mrs. Blackburn. OK. So you kind of match up with Mr. Mayer \non the concerns?\n    Mr. McCurdy. Yes.\n    Mrs. Blackburn. OK. Mr. McConnell?\n    Mr. McConnell. My primary concern is it does not have the \neffect of law and so therefore it cannot grant liability \nprotection as an incentive to industry to comply with these \nstandards.\n    Mrs. Blackburn. OK. Ambassador?\n    Mr. Woolsey. I believe that we are at war without wanting \nto be so, and whether it is North Korea or Iran, they believe \nthey are at war with us. They have the hardware to do us huge \ndamage in various ways but particularly through electromagnetic \npulse, and trying to defend against them with 3,500 generals--\nthe utilities--each commanding essentially its own force is \ngoing to fail.\n    Mrs. Blackburn. OK. Dr. Papay?\n    Mr. Papay. Madam Chair, I think it is important for \nbusinesses to have that ability to break down barriers to \nsharing information. I will go along with what Dr. Schneck was \nsaying earlier. It has got to be as easy as possible for us to \nshare that critical cybersecurity information with each other, \nand the EO is getting there but we need legislation to follow \nit up.\n    Mrs. Blackburn. Great. Dr. Schneck?\n    Ms. Schneck. I completely agree with Dr. Papay. I will add \nmore, and that is on the technology front, right tool for the \nright job. We have so many technologies as a community all over \nthe world. I mentioned one that many people provide, a \nwhitelisting concept. 
We have to have a framework that allows \npeople to very quickly not only build on those and innovate but \nassign the right technology to the right job for what the \nattacker is doing today.\n    Mrs. Blackburn. OK. I am running over time but I want to \nfinish the panel. Mr. Blauner?\n    Mr. Blauner. Since everyone already mentioned information \nsharing, to us, I would say the most critical thing is, we are \nalready a regulated environment, which is why I didn't raise my \nhand earlier. We just don't need extra complexity added into \nthat and having another agency come in and try to regulate us a \nsecond time.\n    Mrs. Blackburn. Mr. Highley?\n    Mr. Highley. For electric utilities, I would say don't \nshort-circuit the existing regulatory framework we have where \nFERC can order NERC to write standards as needed.\n    Mrs. Blackburn. I am going to have to get you that app. Mr. \nMayer?\n    Mr. Mayer. With the exception of Section 9 in the context \nof the voluntary framework, one of the primary concerns that we \nhave and I think Representative Eshoo mentioned this, is that \nwe can't have a one-size-fits-all solution, not only across the \nsectors but even within the sectors because different companies \nhave different business models and different abilities to \nrecover for investment and security.\n    Mrs. Blackburn. Thank you. I am way over my time. Mr. \nMcNerney for 5 minutes.\n    Mr. McNerney. Thank you, Madam Chair.\n    Mr. Woolsey, very sobering testimony. Do you think that the \nsolution to the threat is hardware-based that you discuss in \nEMP threat or do you think it is software-based? I mean, there \nmust be some way to protect the critical components from EMP.\n    Mr. Woolsey. There are various things. The surge arrestors \ncan help with one part of it, Faraday boxes for other \ncomponents. There are a number of things that can be done. They \noverlap, some of them, with traditional cyber defenses; surge \narrestors are one example. 
Others do not. What will fail, I \nthink, disastrously is for 3,500 utilities each voluntarily \ngoing off on its own because they don't want to be regulated \ntrying to figure out what to do about electromagnetic pulse. \nThey will lose. Anybody who is facing an enemy who is commanded \nby somebody as shrewd as the senior leadership in Iran or, I am \nafraid, probably also North Korea, who is focused on defeating \nus, anybody who is facing an enemy like that with 3,500 \ngenerals all going off in different directions will lose. We \nwill lose.\n    Mr. McNerney. So you mentioned that some of the hardware \nthat we need is actually going to help provide protection at \nthe cyber level as well, so I appreciate that comment.\n    Now, Mr. Highley was talking about the NERC process \nproviding sufficient protection and us not messing it up. Do \nyou agree with that perspective?\n    Mr. Woolsey. Well, the first order after 9/11 that came out \nof NERC in response to a query, as I understand it, or a \ndirection from FERC in total took 44 months, I believe. That \nis--World War II took 3 years and 8 months for us. So if \nresponse to one part of one problem is timely and useful when \nit comes within the time that we went from Pearl Harbor to \naccepting Japan's surrender, then OK. But I think that standard \nfor promptness and effectiveness of response in circumstances \nin which you are dealing with an enemy is nuts. It is nuts to \nsuggest that that will be effective against an enemy, against \nsolar-based electromagnetic pulses. If we are lucky, maybe it \nwill work.\n    Mr. McNerney. Thank you. Ms. Schneck, you mentioned the \nissue of legal liability and protection on that issue, but that \nis a huge gift to a company to be given legal liability \nprotection. What would you be willing to give back in terms of \nfirst of all protection to get that kind of legal liability \nprotection yourself?\n    Ms. Schneck. So to clarify, we would want the protection. 
\nWe work very hard in analytics, as does our community, all the \ndifferent companies.\n    Mr. McNerney. Right. You want legal liability protection \nbut personal information--I mean, what would you be willing to \ntrade to get that kind of gift from the federal government?\n    Ms. Schneck. To also clarify, we don't ever share personal \ninformation. That is not what we do. We share cyber indicators. \nA good example is the address of a machine that is sending \nsomething bad to, say, 30,000 different places or feeding that \ninformation to 30,000 different machines to form a botnet. Our \nunderstanding is that a certain link goes to a site that will \nfeed you code to hook you up to steal your intellectual \nproperty. That is the kind of information we want to share \nbetween machines, and between humans, we want to be able to say \nthings like, if you are looking at a weather map, I see danger \nthere, or I see the same type of attack because we protect such \na wide part of the globe. If we see the same type of event \nhappening to some in the same sector, we want to be able to \ntell that to the whole sector. We want to act in good faith, \nwhich we do today. We certainly applaud CISPA and the work \nthere. We want to be able to share more with the community \nwithout fearing we will get hurt.\n    Mr. McNerney. OK. I am going to ask a question similar to \nwhat the chairwoman asked. If NIST develops performance-based \nstandards--and anyone can answer this--how would industry \ncooperate in terms of implementing or compelling those \nstandards to be enforced?\n    Mr. McConnell. If you are going to grant industry liability \nprotection, you are going to have to have some audit that will \nallow you to determine to verify that they had met the \nstandards. 
The way I think about this issue is, the set of \nstandards are established, businesses comply with those \nstandards, and then if there is a breach, they would have \nliability protection against the fact of a cyber breach.\n    Mr. McNerney. Thank you. I will yield back.\n    Mrs. Blackburn. Thank you. Chairman Walden for 5 minutes of \nquestioning.\n    Mr. Walden. Thank you very much, Madam Chair.\n    Mr. Mayer and Ms. Schneck, Dr. Gallagher has emphasized \nthat the Executive order framework would remain voluntary. Are \nyou confident it will? Mr. Mayer, do you want to go first?\n    Mr. Mayer. I am confident that NIST in its current work has \nevery intention of developing a voluntary framework, and in \nfact, it is their mandate as an organization to do that.\n    Mr. Walden. And you are confident it will stay voluntary? I \nknow nobody can really predict the future well but----\n    Mr. Mayer. The concern or the caution is around what \nhappens after framework is developed and when it moves toward \nsector-specific available. When you combine that with the list \nthat we still do not have settled, it can morph into something \nthat, as I've indicated before, takes on a different quality, \nand that would be problematic. But we are--from every \nindication in talking with all of the key federal entities, \nright now we are quite sanguine that it is going to be a \nvoluntary process.\n    Mr. Walden. Dr. Schneck?\n    Ms. Schneck. So thank you. We are very participatory in the \nframework process as well. We have yet to fully finish studying \nthe Executive order as a whole, but at present we are very \nsupportive of the framework of the voluntary focus of the idea \nthat all different technologies could be explored, innovation \ncould be made more rapid. More cybersecurity jobs could come as \na result of that. Believing it would make us more secure, we \nwork in very close partnership with NIST. 
We have just signed \nan MOU with their cybersecurity center to foster that \ninnovation even faster as have many other companies. So at \npresent, it does look optimistic and we have been very \nsupportive of that.\n    Mr. Walden. And again in your testimony, Dr. Schneck, you \nhighlight your security-connected products as comprehensive. Do \nyou believe that the Executive order's approach to \ncybersecurity is comprehensive?\n    Ms. Schneck. I think that remains to be seen. We are in the \nearly stages. So far we have been working, again, in \npartnership with NIST. A full response to the RFI focused a lot \non this need for private sector innovation to drive where \nsecurity can go because that adversary is so fast, the only way \nto be out front ahead of those that wish to do us harm is to \nband together, and I think thus far--again, we are not finished \nstudying the full effects of the EO.\n    Mr. Walden. All right. Mr. Highley, you are here \nrepresenting some of the electrical co-ops, right?\n    Mr. Highley. Yes.\n    Mr. Walden. Mr. Woolsey, who has extraordinary service in \nthe government, has indicated, if I am hearing him right, that \nhe has deep concerns about a more voluntary structure with so \nmany utilities and power suppliers. Can you comment on his \ncomments relative to FERC and the ability to enforce and your \norganizations and others that you are representing today, \nability to protect the grid?\n    Mr. Highley. So on behalf of the trade association, the \nNational Rural Electric Cooperative Association, they are \nengaged in discussions with NIST and with FERC and NERC on the \nregulation to protect us from these issues. I agree, it is a \nvery serious concern. What we want to do is see that work \nthrough a deliberate process that involves all the \nstakeholders. That is why we support the NERC process. I also \nagree with Mr. 
Woolsey that the process has been very slow in \nthe past and we are taking actions to improve the speed at \nwhich that can move, and I think you saw in the recent FERC \norder, they are asking for the geomagnetic disturbance actions \nto be taken within 6 months. So we are trying to accelerate \nthat process in order to get actionable, enforceable standards \nthat utilities will meet.\n    Mr. Walden. All right. And Mr. Mayer, again, what sort of \nindustry best practices are most effective from your experience \nin combating cyber threats and how can such practices be \nidentified, incorporated and encouraged under the Executive \norder?\n    Mr. Mayer. So I think clearly I am biased, but I would say \nthat the communications sector is a leading sector in terms of \nadvanced cybersecurity capabilities. Not only do we have to \nprotect our networks because that is an ongoing business \nagainst attacks, but we have to protect our customers, and many \nof those customers are some of the largest corporations in the \nUnited States and some of the largest government agencies. So \nwe have over the years invested significant amounts of money \nand capabilities into innovating and developing all sorts of \npreventative response, mitigation, technologies, tools, \npractices. The interesting thing also is that many of our \ncompanies compete in this space for services, so it is a very \nactive market that encourages innovation and then encourages \nfurther investment, and you know, we are in constant \nconversations either through the council or other mechanisms, \nsome business-to-business mechanisms, in which we talk about \nthese capabilities, and we will bring these capabilities to \ndiscussions at NIST at these workshops and demonstrate some of \nthe things that we do, and much of the work that we have done \nin developing best practices, for example, at the FCC through \nCSRIC.\n    Mr. Walden. Thank you, and thanks for your generosity on \nthe time.\n    Mrs. 
Blackburn. Absolutely. Mr. Waxman for 5 minutes.\n    Mr. Waxman. Thank you very much, Madam Chair. We are \ntalking about cybersecurity for a range of critical \ninfrastructure sectors, but I want to focus on the electric \ngrid, as I did earlier, because it is the foundation for every \none of these sectors. Protecting the grid from cyber attacks \nand other threats is essential to our economy.\n    Ambassador Woolsey, you touched on some of these issues but \nI want to bring them out for the record. It is not just our \ncivilian infrastructure that depends on the grid. What about \nour national security installations? Aren't they also largely \ndependent on the electric grid?\n    Mr. Woolsey. Absolutely, Congressman Waxman. To the best of \nmy knowledge, there is one military base in the United States, \nChina Lake, which has its own water steam system, has a geyser \nunderneath it, essentially, and it sends electricity to Los \nAngeles when it doesn't need it itself. Everybody else is on \nthe grid. So if the grid goes down, soldiers and sailors are as \nhungry as everybody else.\n    Mr. Waxman. Thank you very much. We only have a limited \ntime so I want to get some more points in here. The problem is \nthat the Federal Energy Regulatory Commission, what we call \nFERC, lacks authority to ensure that the grid is protected. The \nindustry-controlled North American Electric Reliability \nCorporation, or NERC, issues the cyber and physical security \nstandards for the grid. Now, NERC operates by a consensus. \nStandards have to be approved by a supermajority vote of the \nutilities. It takes them years to develop a standard. The most \nrecent version of NERC's critical infrastructure protection \nstandards took 43 months to develop and they are still not in \neffect, and these standards do not include measures to address \nspecific viruses or cyber threats. Once NERC submits a \nstandard, FERC cannot directly fix an inadequate standard. 
So \nthe process will start all over again.\n    Mr. Ambassador, what do you think of NERC's track record on \ngrid security threats? Is this the right regulatory model for \nnational security issues?\n    Mr. Woolsey. I don't believe it is the right model, \nCongressman, and I think NERC's record on security against the \nkinds of sophisticated threats we face today in traditional \ncyber and electromagnetic pulse is virtually nonexistent.\n    Mr. Waxman. In 2010, Fred Upton, now a chair, and Ed \nMarkey, soon to be Senator from Massachusetts, had a bipartisan \ngrid security bill. It would have provided FERC with the \nauthority it needs to improve the security of the electric \ngrid. This committee passed that bill by a vote of 47 to \nnothing. The House passed the bill by voice vote. Members \nviewed it a national security issue.\n    Ambassador Woolsey, in April of 2010, you and several other \nprominent national security experts, former national security \nadvisors and Secretaries of Defense and Homeland Security wrote \nto the committee to strongly endorse the bipartisan GRID Act. \nDo you still think that FERC needs additional authority to \nprotect the electric grid against threats and vulnerabilities?\n    Mr. Woolsey. Yes, I do, absolutely.\n    Mr. Waxman. The GRID Act also provided FERC with authority \nto address the threat posed by electromagnetic pulses. How \nworried should the committee be about this threat for which \nthere is no mandatory standard?\n    Mr. Woolsey. I think the committee should be quite \nconcerned and all Americans should. It is an extremely \ndangerous situation we are in now, and we are where we were \nyesterday.\n    Mr. Waxman. Well, I thank you for your testimony and your \nanswers to my questions. I just wanted to make it very, very \nclear because you and I see this issue in the same way. We have \ngot to rely on clear regulatory authority to get this job done.\n    Mr. Woolsey. Thank you, Congressman. 
I think that NERC \ncould deal adequately with squirrels and tree branches, which \nis what the main problem is for a lot of electricity \nmaintenance regular delivery, but North Korea and Iran, I \nthink, are quite beyond their competence.\n    Mr. Waxman. Thank you for your answers and thank you for \nyour service. I yield back the time.\n    Mrs. Blackburn. The gentleman yields back. Mr. Latta for 5 \nminutes.\n    Mr. Latta. Thank you, Madam Chair, and again, thanks very \nmuch to this panel for your very instructive information that \nwe have received this morning and this afternoon.\n    You know, as I was sitting here thinking that there is a \nlot of folks, I would say a great majority of Americans, don't \nunderstand the threat that we are under and how important it is \nthat we come to real grips in this country of the cybersecurity \nthat we have to have to protect ourselves, and if I could just \nstart with Mr. Papay. In your testimony, you talk about \nNorthrop Grumman's focus on internal cybersecurity awareness \ntraining as part of your internal protection efforts and your \ncyber academy. Can you share a few points about what kind of \ntraining that people go through when they are at that?\n    Mr. Papay. Yes, sir. Thank you for the question. It is a \nvoluntary participation within the company for everybody to \nsign up for at least a lower level of cybersecurity awareness \ntraining to understand where the threats are coming from and \nwhat they can do as an employee of the company to combat those \nbecause, really, all of my 70,000 employees in the company are \nreally my first line of defense against incoming cyber threats \nthat they might get in their email or through a malicious Web \nlink. 
So above the basic cybersecurity awareness, it moves on \nup the pyramid, as we call our cyber academy pyramid, to really \nget to those certifications where somebody wants to go off and \nadvance their knowledge of cyber and move it on up all the way \nup through penetration testing and forensics and secure coding \nto where we have really got a set of experts within the company \nbecause cybersecurity for us is not just about the defense of \nour company but it is also the primary business that we are in. \nSo that is our cyber academy in a nutshell, sir.\n    Mr. Latta. Thank you.\n    Mr. McConnell, if I could ask you a quick question, and I \nreally appreciate your knowledge of the severity of the cyber \nthreats that face our Nation. Do you have any estimates as to \nwhat the economic espionage costs are to this country every \nyear?\n    Mr. McConnell. There is a huge debate about that issue now. \nThe community struggled with a National Intelligence estimate, \nand they could not agree. I personally would put it in the cost \nof billions of dollars and millions of jobs, and that is based \non my best guess at looking at all the information over the \npast 20 years, billions of dollars and millions of jobs every \nyear.\n    Mr. Latta. Well, and one of the things again, like I said, \nI have had a couple of informational meetings with the FBI in \nmy district. We are doing one again next week. How do we get \nthis information out? You know, a lot of the larger companies \nout there are worried about the cybersecurity and it is getting \nthe folks back home in the smaller companies to say, you know \nwhat, this could affect us because we might be the largest part \nof the chain, the weakest link that they get into and move up \nfrom there. But, you know, have you in your experience talked \nwith individuals out there, companies out there that might be \nsmaller in nature and expressed to them how serious \ncybersecurity is for them?\n    Mr. McConnell. 
The answer is yes, quite a bit, but let me \nmake a point with regard to sharing the information. The rules \nthat we have were created in World War II and they served us \nwell in the Cold War, and both Ambassador Woolsey and I have \nhad the position of being responsible for protecting sources \nand methods of the U.S. intelligence community. The rules are \nin place. That community will not change, will not share unless \nthe rules change so they can share information with the private \nsector. I have observed this over a long career, and the rules \nmust change. Therefore, we have a process for flowing \ninformation to corporate America. The point is, why do we \ncollect this information, why do we analyze it? It is to \nprotect the Nation. So we have to then have a forcing function \nto cause a bureaucratic organization that will not comply with \nthat process of sharing information unless they are compelled \nto do so.\n    Mr. Latta. Thank you. And also, Mr. Mayer, if I could just \nbriefly, I am running out of time here. Again, I thank you for \nbeing here today. You know, in your testimony you highlight the \nnumber of your member companies, the entire communications \nindustry on the front of cybersecurity, and when you are \nlooking at the overall picture, given that USTelecom represents \na large range of companies from small rural providers to some \nof the largest in the country, what would be the effect of \nlabeling some of these businesses and networks as critical \ninfrastructure?\n    Mr. Mayer. I didn't hear the last part, sir.\n    Mr. Latta. What would be the effect of labeling these \nbusinesses and networks as critical infrastructure?\n    Mr. Mayer. Well, there are criteria that are being \nestablished to define what critical infrastructure is under \nSection 9. Under Section 2, it is vague, and I think there is \nan assumption that the broad sector is determined to be \ncritical infrastructure under that element. 
So the question \nbecomes, to what extent can different companies of different \nsizes have incidents that result in catastrophic situations, \nand the truth is, not very substantially. Obviously, the \ngreater the footprint, the different customers that are served, \nthe concentration of facilities in an area, all will make a \ndifference. But for purposes of the voluntary framework under \nSection 2, the entire sector is captured as critical \ninfrastructure.\n    Mr. Latta. Thank you. Madam Chair, my time is expired and I \nyield back.\n    Mrs. Blackburn. The gentleman yields back. Ms. Eshoo for 5 \nminutes.\n    Ms. Eshoo. Thank you, Madam Chair. I want to thank the \nentire panel. This is a panel with enormous depth and breadth \nof expertise, and a special welcome to our former colleague, \nDave McCurdy, who served as the chairman of the House \nIntelligence Committee, to Admiral McConnell, who served our \nNation as a Director of National Intelligence, and to \nAmbassador Woolsey, who served as the Director of the CIA. With \nyour collective presence, but most especially from this end of \nthe table, this is a confirmation that this is a national \nsecurity issue, period. It is a national security issue. It is \nnot an ``and'' or an ``or.'' We can't be squishy about it. I \nmean, we really have to put the pedal to the metal, and I know \nthat probably all of you and just about all of us have been \nasked to give speeches on cyber attacks and cybersecurity over \nthe last several years.\n    These attacks are really the new normal. They are the new \nnormal, and I don't think there is any question about that. I \ndon't know what day I pick up the newspaper that there isn't \nsome article about who is doing what to our country. So it is a \nquestion about how we are going to handle this. Now, what is \nvery interesting to me today is our grid, and I want to go to \nAmbassador Woolsey, and I heard Dr. 
Gallagher from NIST talking \nabout a lot of voluntary cooperative measures, and I think \nthere is a place for it, but I have to tell you from what I \nthink we are all experiencing, I don't think our national grid \nshould be left up to that. So can you just spend a moment--and \nI have a couple of other questions if I have time--but I think \nwhen there is only one defense operation in our Nation that can \nrely on its own energy so that this doesn't occur to them, I \nthink we are leaving ourselves absolutely wide open. I mean, it \nis like here we are, come get us.\n    Mr. Woolsey. Congresswoman, I completely agree with you. I \nhave been very concerned and speaking and writing about this \nissue for some years. I think that the problem is that our grid \ngrew up in the beginning of the late 19th century and it is \nstill growing, but mainly in the 20th century. During the \nperiod of time in which the only time we had to worry about \nsecurity inside the country at all was really right after Pearl \nHarbor with Japanese and German submarines off the coast. Yes, \nin the Cold War, we and the Soviets deterred one another but \ngenerally speaking, the only time Americans were really worried \nsomebody might be coming ashore, might go after, you know, a \nutility or something like that was from 1941 to around 1946. I \nthink that that mentality has meant that we have put together \nan electric grid that is designed for openness, for ease of \naccess, for being cheap, providing electricity as cheaply as \npossible, and without a single thought being given to security \nexcept for nuclear power plants, and even the nuclear power \nplants, most of the time their transformers are outside the \nfence, even though the plant itself may have great guards and \nso forth, and----\n    Ms. Eshoo. 
Do you believe, if I might, I would appreciate \nthis, and we are going to have a working group and I think that \nI would like to have you come back to be instructive to us, but \ndo you think that this deserves a different kind of set of \napproaches because it is what it is? And, you know, God forbid \nthat this goes down, we are cooked.\n    Mr. Woolsey. Technology has caught up with us. At the same \ntime we were doing the Y2K fixes in the late 1990s, the Web was \ncoming heavily into use and everybody decided hey, what could \ngo wrong if we put the control systems for the electric grid on \nthe Web and the SCADA systems, some of them, Supervisory \nControl and Data Acquisition systems. So you have a situation \nnow where our control systems for our electricity are open to \nhackers. That wasn't the case some years ago. So we have not \nonly ignored security, we have done really, really dumb things \nwithout thinking about security, and we are now faced with a \nsituation with the grid in which we have to make some very \nsubstantial changes very quickly because of really serious \ndangers, and a lot of people want to put the blinders on and \nsay gee, that is tough, we don't want to deal with that. I am \ndelighted to help in any way I can.\n    Ms. Eshoo. Well, I think it gets into a debate of whether \nthe government should regulate or not in this area. That is \nreally where the rub comes. But I think that we really have to \nscrub this with the seriousness that needs to be brought to it \nbecause this is an enormous vulnerability for our country. It \nis a very serious one, and I appreciate your work. I have so \nmany questions that I want to ask. I wish I were the only one \nhere and could just go on and on, but I will submit my \nquestions to you, and thank you to all of you for testifying, \nand for those of you that spent considerable time serving our \ngovernment, thank you.\n    Mrs. Blackburn. The gentlelady yields back. Mr. 
Lance, you \nare recognized for 5 minutes.\n    Mr. Lance. Thank you, Madam Chair, and it is an honor to \nmeet all of you, and this is certainly among the most \ndistinguished panels I have heard as a member of the committee.\n    Regarding cybersecurity, I usually think of challenges from \nChina and Iran and from Russia, and to the distinguished \nmembers of the panel, and I would start with you, Ambassador \nWoolsey, and also Admiral McConnell, I have heard several times \nthis morning North Korea. Might you go into a little more \ndetail regarding your belief in the threat from North Korea?\n    Mr. Woolsey. Yes, Congressman, not particularly cyber, \nalthough they do some cyber attacking. Mike would know more \nabout that than I. The problem is that one way to launch an \nelectromagnetic pulse attack against the United States, and \nthis is, by the way, in my op-ed in the Wall Street Journal \nthis morning too, is to use what is called a fractional orbital \nbombardment system, FOBS, which was invented by the Soviets. It \nis essentially a way to bypass all of our defenses by launching \na satellite into orbit, usually relatively low Earth orbit, and \nlaunching it toward the south because our detection systems, \nour radars and so forth, are focused north, and the one North \nKorean satellite and the two, or now three, I think, Iranian \nsatellites have all been launched toward the south and they \nhave all been launched at an altitude to have an orbit over us \nthat would be pretty optimal with respect to the detonation of \na nuclear weapon and the creation of an electromagnetic pulse. \nAll you really need for that is a nuclear weapon. You can make \nit more effective with more gamma rays if you design it that \nway. It does not have to have a high yield. It can be two, \nthree, four, five kilotons, it doesn't matter. It is not the \nblast that matters, it is the generation of the gamma rays from \nspace. If that is done, it is a relatively simple task. 
You \ndon't need heat shields. You don't need accuracy. You are not \ntrying to hit anything on the ground. You are just detonating \nup there at several hundred kilometers. And that means that \nthat type of capability could be in the hands of the North \nKoreans, and as the President said a few months ago, even \nwithin this year, in the hands of the Iranians.\n    Now, that is a very different situation than their having \nto come at us to attack American bases, to engage us where our \nmilitary forces are or anything like that, or even attack South \nKorea with American troops helping defend South Korea. To \nsimply put a satellite into orbit at a few hundred kilometers \nand detonate a simple nuclear weapon is, I am afraid, not that \nhard if you already have the weapon and you already have the \nlaunch vehicle, the ballistic missile. So that is why I talk \nabout North Korea as well. Iran doesn't have a nuclear weapon \nyet but it may well in relatively short order. So those two \ncountries, especially since they hate us so much, or at least \ntheir governments do, and in the case of North Korea, they \nissue extremely strident statements about destroying the United \nStates. Putting those things together, I take them at their \nword, they would like to do that, and then we have to find some \nway to keep them from doing it.\n    Former Secretary of Defense Bill Perry and current Deputy \nSecretary of Defense Ashton Carter in the Washington Post back \nin 2006 urged President Bush not to let the North Koreans test \ntheir medium-range missile, which is the same thing that had \nbeen used for the launch vehicle, but to attack their launching \npad with conventional weapons if they ever hold one of these \nballistic missiles out to launch. 
They have now done that \nseveral times, and I think Bill and Ash were right and \nPresident Bush was unwise not to follow their advice, and now \nwe are in a situation where both countries have the launch \nvehicles but only one has a nuclear weapon so far.\n    Mr. Lance. Thank you. Admiral McConnell, your thoughts?\n    Mr. McConnell. On a scale of one to 10, 10 being the best, \nthe best in the world, the Russians and Chinese are probably a \nseven. The Iranians are probably a four. The issue is, about 80 \npercent of what is out there is from the Chinese. They have a \npolicy of economic espionage. They have 100,000 just in the \nmilitary, probably another 100,000 scattered throughout, and \nthey are after economic advantage, competitive advantage. So \nthat is what we are facing.\n    I didn't mention terrorist groups. On a scale of one to 10, \nthey are pretty low. But the Chinese and others are producing \nthousands of these malware attack tools. These are exploitation \nattack. How long is it before some extremist group who wants to \nchange the world order gets their hands on some of these \nweapons and then they go after something like a critical \ninfrastructure, for example, the grid.\n    Mr. Lance. Thank you. My time is expired. Thank you very \nmuch.\n    Mrs. Blackburn. The gentleman yields back. Mr. Doyle for 5 \nminutes.\n    Mr. Doyle. Thank you, Madam Chair, and thank you to all our \nwitnesses here today. It has been very interesting testimony.\n    Like many of my colleagues on this committee, I have been \nengaged in this issue for quite some time now, and there are \nmany aspects of this debate that we have weighed in on, most \nspecifically the importance of protecting consumer privacy, but \ntoday I want to address the ways we can successfully develop a \ncybersecurity framework that protects and defends our critical \ninfrastructure while being nimble enough to adapt to new and \nemerging threats.\n    I come from Pennsylvania. 
We have a complex electric and \ntelecommunications distribution network, miles and miles of new \nnatural gas pipeline being built every day and several large \nnuclear power plants. So protecting our critical infrastructure \nin my State and across the country is of the utmost urgency.\n    I can see that everyone here today agrees with the urgency \nand the seriousness of the task, and as NIST develops its \ncybersecurity framework, I am hopeful that the testimony at \nthis hearing today will be considered. A lot of that testimony \ndeals with the need for voluntary standards that aren't \nprescriptive, and while I agree that codifying prescriptive \nstandards this month that could be out of date by next month \nisn't the best approach, I am not convinced that \nvoluntary incentive-based standards will properly protect our \ncritical infrastructure.\n    So I mentioned in Pennsylvania, we have several nuclear \npower plants including the Beaver Valley plant, which sits just \noutside my district. Now, you are all probably aware that the \nNRC issued its cybersecurity regulations after September 11. \nThe regulations they developed for nuclear power plants were \nperformance-based standards that once approved were \nincorporated into a plant's operating license giving it proper \nenforcement mechanisms.\n    So I would like to ask Ambassador Woolsey and Admiral \nMcConnell, do you think it makes sense to develop performance-\nbased cybersecurity standards for our critical infrastructure \nsectors?\n    Mr. McConnell. I think performance-based standards are what \nwe should strive for. The reason for that is they have to be \ndynamic. The question will be, how do you get compliance with \nthose standards. So the argument will come down to, do you \nincentivize industry to allow them to get some reward for \nfollowing the standards or do you compel it, so that will be \nthe debate that Congress will have to wrestle with.\n    Mr. Doyle. 
Ambassador?\n    Mr. Woolsey. I think that is a good idea, but the problem \nis, if one expects innovation to come from utilities, it is not \nwhere it is going to come from. The former Deputy Director of \nthe Advanced Research Projects Agency for DOE, ARPA-E, told me \nabout 3 or 4 weeks ago that he had just done the calculation \nand that the 3,500 utilities in the United States spend less on \nresearch and development than the American dog food industry. I \ndon't know what those totals are. I haven't looked up the dog \nfood industry's total yet. There are some fine institutions, \nthe Edison Electric Institute and so forth, that do some R&D \nwork, but we have not designed our system so that the electric \ngrid demands, takes advantage of or is a mecca for security \nmeasures, and something has to drive that and drive it really \nhard within that framework. If one can figure out a way to use \nperformance-based standards, yes, but if one just hopes that \nperformance is going to be met, I don't see anything that is \ngoing to improve the current situation, which I think is really \nvery bad.\n    Mr. Doyle. Thank you, Ambassador. Dave?\n    Mr. McCurdy. Congressman, thank you. I want to put \nsomething in context here, and I have dealt with this issue as \nwell for quite some time, and part of my indoctrination or \nintroduction to the cyber level was in your home district in \nPittsburgh. I was on the board of the Software Engineering \nInstitute at Carnegie Mellon, and there, they develop the best \npractices and understanding of cybersecurity, and it was their \nCERT, which is now the basis of the U.S. CERT, because the \ngovernment, when they formed DHS after 2001, you know, used \nthat expertise. It has evolved. 
In fact, as a founder of the \nInternet Security Alliance, I was in Tokyo on 9/11 talking to \nthe OECD about the role of board directors and corporate \nleadership in raising the awareness of the importance of \ncybersecurity, then we called it Internet security. It has \nevolved. And even though we can talk about the extreme cases, \nand it is true, and I spent seven terms across the hall in the \nArmed Services Committee, which is a lot of conversation that \nwe have gotten into, don't just assume that the worst case here \nis applying in the cyber arena. First of all, these attacks \nthat occur, a number of them are repelled at the border. We \nhave to assume that many are going to penetrate, but that is \nwhy we have also gone to other layers of defense where we have \npenetration, understanding, detection capability and in \nmitigation. That is working with this entire array of \ngovernment agencies and outside contractors, et cetera, that \nare raising the level of protection. So I just wanted to get \nthat on the record, Madam Chair, because I think we have \nperhaps gotten a little on one extreme of the severity as \nopposed to likelihood of occurrence and what actually happens \non a daily basis.\n    Mr. Doyle. Thank you, Madam Chair.\n    Mrs. Blackburn. Thank you. Dr. Olson for 5 minutes.\n    Mr. Olson. I thank the chairwoman, and welcome to our \nwitnesses, and before I ask my questions, I want to let \nCongressman McCurdy know that the people back home in Texas 22 \nhave the people of Moore, Oklahoma, in our hearts and in our \nprayers. I know that is your old district. And Mary Fallin, my \nformer colleague, is doing a great job. But if you all need \nsome help, just ask. We will swim across the Red River. 
God \nbless the people of Moore, Oklahoma, and everybody impacted by \nthose terrible tornadoes.\n    As you know, we are having an energy renaissance right here \nin America because of new technology: hydraulic fracturing and \ndirectional so-called horizontal drilling. The Administration \njust this last week said the Barnett shale play has twice the \noil and gas they thought they had up there just 6 months ago. \nThe Barnett shale play in the Dallas-Fort Worth area is still \ngoing strong. The Permian Basin in West Texas is booming again \nand the Eagle Ford shale play is off the charts. With all this \nnew energy, thousands of miles of pipelines have to be built \nincluding the Keystone XL pipeline that is actually being built \nright now from Port Arthur to the Port of Houston up to \nCushing, Oklahoma, your home State, and with that NASA-like \nautomation of modern pipelines, that makes them safer but \nobviously it opens them to cyber attacks. So I know that your \nmembership takes these threats seriously. Could you expand on \nwhat steps the industry is taking to protect itself from cyber \nattacks from malicious actors who might attempt to alter the \noperations of pipelines themselves? What are you doing as an \nagency or as an association?\n    Mr. McCurdy. Well, thank you, Congressman. First of all, \nsafety is the number one priority of our sector, and there are \n2.4 million miles of natural gas pipeline in this country, \nwhich is the envy of the world, and coincident with the comment \nI just made to Congressman Doyle, this has to start at the top, \nthe awareness of the importance of cybersecurity. Our current \nchairman is the CEO of Questar in Utah. He as an engineer was \nworking on cybersecurity issues post 9/11 and has made it very \nclear that during his term as chairman of AGA, this is a top \nconcern. 
So we have established not only task forces working, \nwe chair a number of coordinating committees within the \nframework but also in the oil and gas sector. In fact, Mr. \nJibson and Questar, there is a tool that DHS uses called CSAT, \nwhich is an evaluation tool that takes multiple weeks to \nactually run to assess your own security, and he not only had \nthat run several times but he also had reported to his board of \ndirectors the outcomes so that they could prioritize their \ninvestments, and ultimately, it is making sure that the utility \ncommissions that not only regulate but they also approve the \nrate mechanisms, rate recoveries, understand the importance. So \nthere is a whole panoply of action that is occurring, not only \nat the technical level--we have technical experts meeting every \nday--we had FBI walk into us and talk about risks. We had DHS. \nWe have met with DOE, met with NSA. So there is a good, you \nknow, kind of information flow. However, the gist of this \nhearing is, how do you improve information exchange, and that \ngoes from making sure that the clearances are there for \nindustry and potential protection because of this kind of \nlitigious society that we belong to so that there is a free \nflow of information and it is relevant and it is timely. When \nthey come to us and they say here is a perceived threat, they \nhave also identified not only the nature of the threat but also \nsome actions that can be taken to mitigate it or defeat it. \nThat is an important flow of information and exchange.\n    Mr. Olson. In your opening comments, you said the \ncybersecurity framework is ``headed in the right direction.'' \nSo my question for you is, headed in the right direction, that \nis a good thing--that is not a great thing but a good thing. So \nmy question is, what do you hope to see out of this framework \nand what do you not want to see out of this framework? One on \neach category.\n    Mr. McCurdy. 
There was a question earlier about are they \nconfident that NIST was going to maintain the voluntary nature, \nand I think NIST on its own would. We work with NIST and other \norganizations I have worked with, there are standards \ndeveloping. They work with industry. I think given that \nbackground and that direction, they will build a consensus and \nit would be a voluntary set of incentives and guidelines and \nthe like. It is beyond that. So what happens in the \nAdministration that says maybe that is not enough. So in the \nhands of NIST and the current framework, I think it is a good \nstep.\n    Mr. Olson. Thank you. I yield back the balance of my time. \nThank you so much, and again, we have the people in Moore, \nOklahoma, in our thoughts and prayers. God bless you, sir.\n    Mrs. Blackburn. The gentleman yields back. Mr. Griffith for \n5 minutes.\n    Mr. Griffith. Thank you, Madam Chair. This is a question \nfor Mr. McConnell. Softbank, a Japanese company, has offered to \npurchase Sprint. My understanding is, the National Security \nCommittee on Foreign Investment in the United States has a \nreview ongoing. Do you have any concerns about placing a major \ninfrastructure provider like Sprint, which has some security \nissues for our national security, under the control of \nSoftbank?\n    Mr. McConnell. Yes, I do. If you are in the intelligence \nbusiness, as I was and some would argue still am, the one thing \nyou would love to do is to run the infrastructure of some other \ncountry if you considered them a potential adversary. So having \na foreign country own and control the telecommunications \nindustry inside the United States, I would not be in favor of.\n    Mr. Griffith. All right. I appreciate that.\n    I do want to get back to, because I found it very \ninteresting, and I am very concerned about the electromagnetic \npulse issue, but I do want to give Mr. Highley an opportunity \nto respond. 
There have been some comments that the current \nstructure won't work. Do you agree or disagree?\n    Mr. Highley. I disagree.\n    Mr. Griffith. Tell me why.\n    Mr. Highley. There is an item called the Electric Subsector \nInformation Sharing and Analysis Center, which is part of NERC, \nand it was stated earlier that NERC can't respond quickly \nenough to developing threats, but the whole purpose of this \ncenter is to disseminate developing threats as soon as they are \nreleased by government or the information sharing work that is \ndone. As soon as they can declassify a threat, whether it is \nphysical or cyber, that is sent out to the utilities, and \nbelieve me, we respond when we get those actionable-threat \nupdates. Recently the CFOs met with a number of Cabinet-level \nofficials to discuss threats to the electric system, and EMP \nwas not raised as a top priority, top concern, but I guarantee \nyou that when we are informed of that, we will respond.\n    Mr. Griffith. But let me say, don't you think that should \nbe a major concern? I mean, we do have two enemies, and of \ncourse, then there are natural causes as well that might cause \nthis problem. Don't you think it should have been discussed and \nshouldn't it be on the list?\n    Mr. Highley. Absolutely. It is of great concern.\n    Mr. Griffith. Let me go back to you, if I might, Ambassador \nWoolsey, because I do find this very interesting, and in his \nwhole discussion we have talked about launching south. Who else \ngets affected? Because obviously it is not just going to be the \nUnited States if you release that magnetic pulse out there. If \nyou launch south from either Iran or North Korea, what other \ncountries are going to be impacted? I guess what I am asking \nalso is, are they going to be impacted or can they launch it in \nsuch a way that it doesn't affect them as well?\n    Mr. Woolsey. It depends on the altitude that the detonation \noccurs at and where it is. 
The lower the altitude, the less you \nget of at least one of the three types of electromagnetic pulse \neffects, because some of the effect is line of sight and others \nof the effects travel along the transmission lines and so \nforth. So it is kind of a complicated question. You are \nprobably OK on the other side of the earth from the detonation \nbut it would certainly be the case that if the heart of the \nUnited States was taken out of the electric grid by something \nlike this, certainly Canada would be in very serious trouble \nand the like.\n    It would also be pretty difficult, I think, although \nperhaps not impossible to detonate at appropriate altitude to \nonly affect a relatively small country. So I think a better \nwitness on this than me is Peter Pry, who is sitting behind me, \nwho worked on both of the electromagnetic pulse commissions.\n    Mr. Griffith. Maybe they can steer us to some information \nthat we can look at on that issue.\n    Mr. Woolsey. I would be glad to.\n    Mr. Griffith. And then you made a comment earlier that it \nwas less likely, understandable because they are our enemies \nbut there was also the threat of the solar-based impulse. Can \nyou explain that a little bit, and when was the last time we had \none strong enough to take out the electric grid?\n    Mr. Woolsey. The huge one was in 1859, and most of the \nphysicists and people who study the sun and work on these \nthings think that the big ones occur about once a century, and \nwe are about 150 years, so we are about 50 years overdue, but \nthese things don't occur with real regularity. There have been \nseveral since at a much lower level than the one that occurred \nin 1859.\n    Mr. Griffith. Let me stop you there, because another one of \nmy questions that I am interested in is, doesn't that also have \nimpacts on our weather conditions, and what happened in 1859 \nwith the weather?\n    Mr. Woolsey. 
I don't know that, but solar events of all \ndifferent kinds including much, much smaller ones than this \nhave substantial effects sometimes on weather and climate. But \nyou need somebody up here who----\n    Mr. Griffith. I understand. You go on back to what you do \nknow. I appreciate that. And go ahead and tell me some more \nabout what--well, I am out of time anyway. Maybe we can have \nthis discussion another time or at a later date. I appreciate \nit, Madam Chair, and I yield back.\n    Mrs. Blackburn. The gentleman yields back, and I will \nremind all of our members that you have 10 business days to \nsubmit additional questions. Indeed, as you all can see, there \nwill be some more questions coming your direction, and that \nwould put the deadline for questions at June 5th. I would ask \nthat our witnesses, as patient as you have been with us today, \nthat you please respond promptly to the questions where a \nwritten answer is requested, and without objection, this \nhearing is adjourned.\n    [Whereupon, at 1:24 p.m., the Subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n                 Prepared statement of Hon. Fred Upton\n\n    Today's hearing continues the Energy & Commerce Committee's \noversight of a topic of great national significance--\ncybersecurity. The committee continues to closely monitor the \ncybersecurity protection and mitigation efforts of those vital \nsectors within the committee's jurisdiction, including oil and \ngas pipelines, the electric grid, nuclear energy, chemical \nfacilities, sewer and water, and telecommunications.\n    As the nation becomes more reliant on digital \ncommunications technology, we also increase our exposure to \ncyber threats. 
Indeed, cyber risks to our nation's critical \ninfrastructure have increased significantly in recent years, \nincluding multiple high-profile cyber incidents that have \nconfirmed the steady rise in cyberattacks.\n    But combatting such threats requires a cybersecurity regime \nthat provides ample flexibility to afford owners and operators \nof critical infrastructure the ability to protect against and \nrespond to rapidly evolving threats. A one-size-fits-all \napproach to cybersecurity is ill-suited for the diverse range \nof critical infrastructure sectors, each of which has its own \ncomplex characteristics. Owners and operators know best how to \nprotect their own systems, and it is nearly impossible for the \nspeed of bureaucracy to keep pace with ever changing threats.\n    Undertaking certain reasonable actions in the short-term \ncan have a marked improvement in protecting critical assets. \nThese actions include enhanced information sharing between the \nfederal government and the private sector, greater emphasis on \npublic-private partnerships, and improved cross-sector \ncollaboration. Regarding information sharing, we continue to \nsupport Intelligence Committee Chairman Rogers's legislation, \nwhich passed the House last month.\n    I believe that the best approach to improving cybersecurity \nis for existing regulators to work with industry stakeholders, \nand for robust information sharing between government and \nstakeholders. In contrast, I continue to be skeptical of \ncontinued calls for a top-down, command-and-control regulatory \napproach centralized at the Department of Homeland Security or \nany other federal agency. 
Along those lines, the committee will \ncontinue to monitor with great interest implementation of the \nPresident's Executive order on cybersecurity.\n\n                                #  #  #\n\n                              ----------                              \n\n</pre></body></html>\n"