[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                  CYBER THREATS AND SECURITY SOLUTIONS

=======================================================================



                                HEARING

                               BEFORE THE

                    COMMITTEE ON ENERGY AND COMMERCE

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 21, 2013

                               __________

                           Serial No. 113-45


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
82-197                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
RALPH M. HALL, Texas                 HENRY A. WAXMAN, California
JOE BARTON, Texas                      Ranking Member
  Chairman Emeritus                  JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
TIM MURPHY, Pennsylvania             GENE GREEN, Texas
MICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado
MARSHA BLACKBURN, Tennessee          LOIS CAPPS, California
  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania
PHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana                  Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
CORY GARDNER, Colorado               BRUCE L. BRALEY, Iowa
MIKE POMPEO, Kansas                  PETER WELCH, Vermont
ADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     1
    Prepared statement...........................................     3
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     4
    Prepared statement...........................................     5
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, prepared statement...................................   152

                               Witnesses

Patrick D. Gallagher, Under Secretary of Commerce for Standards 
  and Technology, and Director, National Institute of Standards 
  and Technology.................................................     6
    Prepared statement...........................................     9
    Answers to submitted questions...............................   153
Dave McCurdy, President and CEO, American Gas Association, and 
  Former Chairman of the House Intelligence Committee............    38
    Prepared statement...........................................    41
    Answers to submitted questions...............................   157
John M. (Mike) McConnell, Vice Chairman, Booz Allen Hamilton, and 
  Former Director of National Intelligence.......................    55
    Prepared statement...........................................    56
    Answers to submitted questions...............................   160
R. James Woolsey, Chairman, Woolsey Partners LLC, and Former 
  Director of Central Intelligence...............................    72
    Prepared statement...........................................    74
    Answers to submitted questions...............................   162
Michael Papay, Vice President and Chief Information Security 
  Officer, Northrop Grumman Information Systems..................    79
    Prepared statement...........................................    81
    Answers to submitted questions...............................   164
Phyllis Schneck, Vice President and Chief Technology Officer, 
  Global Public Sector, McAfee, Inc..............................    88
    Prepared statement...........................................    90
Charles Blauner, Global Head of Information Security, Citigroup, 
  Inc., on Behalf of the American Bankers Association............    99
    Prepared statement...........................................   101
    Answers to submitted questions...............................   167
Duane Highley, President and CEO, Arkansas Electric Cooperative 
  Corporation, on Behalf of the National Rural Electric 
  Cooperative Association........................................   112
    Prepared statement...........................................   114
    Answers to submitted questions...............................   169
Robert Mayer, Vice President, Industry and State Affairs, United 
  States Telecom Association.....................................   121
    Prepared statement...........................................   123
    Answers to submitted questions...............................   171


                  CYBER THREATS AND SECURITY SOLUTIONS

                              ----------                              


                         TUESDAY, MAY 21, 2013

                  House of Representatives,
                  Committee on Energy and Commerce,
                                            Washington, DC.
    The committee met, pursuant to call, at 10:05 a.m., in room 
2123 of the Rayburn House Office Building, Hon. Marsha 
Blackburn (vice chairman of the committee) presiding.
    Present: Representatives Blackburn, Shimkus, Pitts, Walden, 
Terry, Rogers, Murphy, Burgess, Scalise, Latta, Harper, Lance, 
Cassidy, Olson, McKinley, Gardner, Pompeo, Kinzinger, Griffith, 
Bilirakis, Johnson, Long, Ellmers, Dingell, Rush, Eshoo, Green, 
DeGette, Capps, Doyle, Schakowsky, Matheson, Butterfield, 
Barrow, Matsui, Castor, McNerney, Braley, Tonko, and Waxman (ex 
officio).
    Staff present: Nick Abraham, Legislative Clerk; Carl 
Anderson, Counsel, Oversight; Gary Andres, Staff Director; 
Charlotte Baker, Press Secretary; Ray Baum, Senior Policy 
Advisor/Director of Coalitions; Mike Bloomquist, General 
Counsel; Matt Bravo, Professional Staff Member; Patrick 
Currier, Counsel, Energy and Power; Neil Fried, Chief Counsel, 
Communications and Technology; Brad Grantz, Policy Coordinator, 
Oversight and Investigations; Gib Mullan, Chief Counsel, 
Commerce, Manufacturing, and Trade; Andrew Powaleny, Deputy 
Press Secretary; David Redl, Counsel, Telecom; Krista 
Rosenthall, Counsel to Chairman Emeritus; Chris Sarley, Policy 
Coordinator, Environment and the Economy; Peter Spencer, 
Professional Staff Member, Oversight; Dan Tyrrell, Counsel, 
Oversight; Lyn Walker, Coordinator, Admin/Human Resources; Phil 
Barnett, Democratic Staff Director; Jeff Baron, Democratic 
Senior Counsel; Shawn Chang, Democratic Senior Counsel; Patrick 
Donovan, FCC Detailee; Margaret McCarthy, Democratic Staff; 
Roger Sherman, Democratic Chief Counsel; and Kara van Stralen, 
Democratic Policy Analyst.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. The subcommittee will come to order. As we 
open our hearing today, I am certain we all are mindful and 
remembering and are prayerful for those in Oklahoma, and our 
former colleague, Governor Mary Fallin, who is addressing that 
tragedy today with the storms there in Oklahoma. I recognize 
myself for 5 minutes for an opening statement.
    American companies, the U.S. government and private 
citizens are facing new challenges in the fight to protect our 
Nation's security, economy, intellectual property and critical 
infrastructure from cyber attacks.
    Today the Energy and Commerce Committee is exploring how 
the private sector and our government are responding. We will 
also review the implementation of the President's Cybersecurity 
Executive Order 13636.
    Cyber attacks have grown in scope and sophistication to 
include nearly every industry and asset that makes America 
work. That is why this committee is well positioned to lead, 
oversee and review policies and solutions to these wide-ranging 
and evolving threats. Last year an al-Qaeda video surfaced 
calling for a covert cyber jihad against the United States. On 
Sunday, the New York Times reported that hackers sponsored by 
China's People's Liberation Army have resumed attacks on U.S. 
targets. According to the GAO, the number of cyber incidents 
reported by federal agencies to U.S. Computer Emergency 
Readiness Teams has increased by 782 percent over 6 years.
    As vice chairman of the full committee, I offered a 
discussion framework, the SECURE IT Act, to provide our 
government, business community and citizens with the tools and 
resources needed to protect themselves from those who wish us 
harm. The five major components that make up the Secure IT Act 
are, number one, allow the government and the private sector to 
share cyber threat information in a more transparent fashion; 
number two, reform how our government protects its own 
information systems; number three, create new deterrents for 
cyber criminals; number four, prioritize research and 
development for cybersecurity initiatives; and number five, 
streamline consumers' ability to be notified when they are at 
risk of identity theft and financial harm.
    One of the things we know is that cybersecurity is uniquely 
ill suited for federal regulation. Rapid changes in technology 
guarantee the failure of static, prescriptive approaches. Our 
focus should be on developing consensus public policy that puts 
American businesses in the driver's seat and allows cooperation 
and collaboration, not top-down and one-size-fits all mandates.
    NIST's written testimony on implementing the framework of 
the Executive order states, ``Any efforts to better protect 
critical infrastructure need to be supported and implemented by 
the owners and operators of this infrastructure. It also 
reflects the reality that many in the private sector are 
already doing the right things to protect their systems and 
should not be diverted from those efforts through new 
requirements.'' Private solutions--not government 
presumptions--offer the best prospect for our future cyber 
defenses.
    As we explore ways to incentivize the private sector to 
diminish our exposure to cyber threats, we must ensure the 
Executive order stays true to a voluntary, cooperative 
standard. Likewise, Congress and the executive branch should 
refrain from further exploring legislative regulatory proposals 
giving DHS authority to impose critical infrastructure 
requirements as our government is purportedly already in the 
midst of working with the private sector to draft a voluntary 
cybersecurity framework.
    I look forward to the testimony and appreciate each and 
every one of our nine witnesses' thoughtful answers to our 
questions this morning.
    [The prepared statement of Mrs. Blackburn follows:]

              Prepared statement of Hon. Marsha Blackburn

    American companies, the U.S. government, and private 
citizens are facing new challenges in the fight to protect our 
nation's security, economy, intellectual property, and critical 
infrastructure from cyber attacks.
    Today the Energy and Commerce Committee is exploring how 
the private sector and our government are responding. We will 
also review the implementation of the President's Cybersecurity 
Executive Order 13636.
    Cyber attacks have grown in scope and sophistication to 
include nearly every industry and asset that makes America 
work. That is why this committee is well-positioned to lead, 
oversee, and review policies and solutions to these wide-
ranging and evolving threats. Last year an al-Qaeda video 
surfaced calling for a covert cyber jihad against the United 
States. On Sunday the New York Times reported that hackers 
sponsored by China's People's Liberation Army have resumed 
attacks on U.S. targets. According to the GAO, the number of 
cyber incidents reported by federal agencies to US Computer 
Emergency Readiness Team has increased by 782 percent over 6 
years.
    As vice chairman of the full committee, I offered a 
discussion framework--the SECURE IT Act--to provide our 
government, business community, and citizens with the tools and 
resources needed to protect themselves from those who wish us 
harm. The five major components that make up the Secure IT Act 
are: 1) allow the government and the private sector to share 
cyber threat information in a more transparent fashion; 2) 
reform how our government protects its own information systems; 
3) create new deterrents for cyber criminals; 4) prioritize 
research and development for cybersecurity initiatives; and 5) 
streamline consumers' ability to be notified when they are at 
risk of identity theft and financial harm.
    One of the things we know is that cybersecurity is uniquely 
ill-suited for federal regulation. Rapid changes in technology 
guarantee the failure of static, prescriptive approaches. Our 
focus should be on developing consensus public policy that puts 
American businesses in the driver's seat and allows cooperation 
and collaboration, not top-down and one-size-fits-all mandates.
    NIST's written testimony on implementing the framework of 
the Executive order states, ``Any efforts to better protect 
critical infrastructure need to be supported and implemented by 
the owners and operators of this infrastructure. It also 
reflects the reality that many in the private sector are 
already doing the right things to protect their systems and 
should not be diverted from those efforts through new 
requirements.'' Private solutions--not government 
presumptions--offer the best prospect for our future cyber 
defenses.
    As we explore ways to incentivize the private sector to 
diminish our exposure to cyber threats, we must ensure the 
Executive order stays true to a voluntary, cooperative 
standard. Likewise, Congress and the executive branch should 
refrain from further exploring legislative regulatory proposals 
giving DHS authority to impose critical infrastructure 
requirements as our government is purportedly already in the 
midst of working with the private sector to draft a voluntary 
cybersecurity framework.
    I look forward to the testimony and appreciate all nine of 
our witnesses' thoughtful answers to our questions this 
morning.

                                #  #  #

    Mrs. Blackburn. At this time, is there any member seeking 
the remainder of the time? I yield back my time, and Mr. 
Waxman, you are recognized for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Madam Chair, for holding 
this hearing today on cyber threats to the Nation's critical 
infrastructure.
    Cybersecurity is a vital concern for sectors that span the 
committee's jurisdiction, from the electric grid and natural 
gas pipelines to telecommunications networks and health care. 
Our committee should be playing a key role in developing 
policies to enhance the cybersecurity of the infrastructure we 
depend on every day for power, drinking water, communications 
and medical care. All of these sectors are essential to the 
daily operation of our economy and our government, but I want 
to focus on one in particular: the electric grid.
    The Nation's critical infrastructure and defense 
installations simply cannot function without electricity. The 
committee has a special responsibility to ensure that the 
electric grid is properly defended from cyber and physical 
attacks. The Executive order we are examining today is a step 
in the right direction but we also need new legislation.
    In January, Representative Ed Markey and I wrote to more 
than 150 electric utilities to ask about their efforts to 
protect the electric grid from cyber attacks, physical attacks 
and geomagnetic storms. We received responses from over 60 
percent of those utilities.
    Today, we are releasing a report analyzing the responses we 
received. The findings are sobering. Many utilities reported 
that the electric grid is a target of daily cyber attacks. Some 
utilities explained that they are under a ``constant state of 
attack.'' One utility reported that it was the target of 
approximately 10,000 attempted cyber attacks each month. The 
utilities did not report any damage from these attacks to date, 
but the threat is growing.
    An industry organization called the North American Electric 
Reliability Corporation, or NERC, develops mandatory 
reliability standards for the electric grid through a 
protracted consensus-based process. NERC also recommends 
voluntary actions to utilities. Our report finds that most 
utilities comply only with the mandatory cyber security 
standards, which mostly focus on general procedures. They have 
not implemented the voluntary NERC recommendations, which are 
targeted at specific threats. For example, only 21 percent of 
investor-owned utilities reported implementing NERC's 
recommended actions to protect against the Stuxnet virus.
    The failure of utilities to heed the advice of their own 
industry-controlled reliability organization raises serious 
questions about whether the grid will be adequately protected 
by a voluntary approach to cybersecurity. When specific threats 
arise, prompt action is needed, but utilities are apparently 
not responding to the alerts from this organization.
    We also asked utilities about geomagnetic storms, which can 
interfere with the operation of the electric grid and damage 
large electric transformers. Most utilities have not taken 
concrete steps to reduce the vulnerability of the grid to 
geomagnetic storms. Only one-third of investor-owned utilities 
and one-fifth of municipal utilities or rural electric co-ops 
reported taking specific mitigation measures, such as hardening 
their equipment. The Federal Energy Regulatory Commission is 
aware of this vulnerability to geomagnetic storms. Last week, 
it directed NERC to address the issue. Yet FERC lacks the 
authority to make sure that NERC's actions are sufficient.
    In 2010, Congressman Fred Upton and Congressman Ed Markey 
introduced the bipartisan GRID Act to provide FERC with 
authority to address cyber threats and vulnerabilities. The 
legislation also provided FERC with the authority to protect 
the grid against physical attacks, electromagnetic pulses and 
geomagnetic storms. There was a bipartisan consensus that 
national security required us to act. That bill was reported 
out of this committee by a vote of 47 to nothing, and then it 
passed the full House by voice vote. However, the Senate did 
not act on the legislation.
    Madam Chair, we need to work together in a bipartisan way 
to protect the electric grid. Nothing in the executive order we 
are examining today will address the regulatory gaps that 
prevent FERC from acting decisively to tackle these dangers. I 
hope that today's hearing will be the first step in rebuilding 
the bipartisan consensus we had on the need for legislative 
action. Thank you, Madam Chair.
    [The prepared statement of Mr. Waxman follows:]

               Prepared statement of Hon. Henry A. Waxman

    Mr. Chairman, thank you for holding today's hearing on 
cyber threats to the nation's critical infrastructure. Cyber 
security is a vital concern for sectors that span the 
Committee's jurisdiction--from the electric grid and natural 
gas pipelines to telecommunications networks and health care. 
Our Committee should be playing a key role in developing 
policies to enhance the cyber security of the infrastructure we 
depend on every day for power, drinking water, communications, 
and medical care.
    All of these sectors are essential to the daily operation 
of our economy and our government, but I want to focus on one 
in particular: the electric grid. The nation's critical 
infrastructure and defense installations simply cannot function 
without electricity.
    The Committee has a special responsibility to ensure that 
the electric grid is properly defended from cyber and physical 
attacks. The Executive order we are examining today is a step 
in the right direction. But we also need new legislation.
    In January, Ed Markey and I wrote to more than 150 electric 
utilities to ask about their efforts to protect the electric 
grid from cyber attacks, physical attacks, and geomagnetic 
storms. We received responses from over 60% of those utilities.
    Today, we are releasing a report analyzing the responses we 
received. The findings are sobering. Many utilities reported 
that the electric grid is the target of daily cyber attacks. 
Some utilities explained that they are under a ``constant state 
of attack.'' One utility reported that it was the target of 
approximately 10,000 attempted cyber attacks each month.
    The utilities did not report any damage from these attacks 
to date. But the threat is growing.
    An industry organization called the North American Electric 
Reliability Corporation, or NERC, develops mandatory 
reliability standards for the electric grid through a 
protracted, consensus-based process. NERC also recommends 
voluntary actions to utilities. Our report finds that most 
utilities comply only with the mandatory cyber security 
standards, which mostly focus on general procedures. They have 
not implemented the voluntary NERC recommendations, which are 
targeted at specific threats. For example, only 21% of 
investor-owned utilities reported implementing NERC's 
recommended actions to protect against the Stuxnet virus.
    The failure of utilities to heed the advice of their own 
industry-controlled reliability organization raises serious 
questions about whether the grid will be adequately protected 
by a voluntary approach to cyber security. When specific 
threats arise, prompt action is needed. But utilities are 
apparently not responding to the alerts from NERC.
    We also asked utilities about geomagnetic storms, which can 
interfere with the operation of the electric grid and damage 
large electric transformers. Most utilities have not taken 
concrete steps to reduce the vulnerability of the grid to 
geomagnetic storms. Only one-third of investor-owned utilities 
and one-fifth of municipal utilities or rural electric co-ops 
reported taking specific mitigation measures, such as hardening 
their equipment.
    The Federal Energy Regulatory Commission is aware of this 
vulnerability to geomagnetic storms. Last week, it directed 
NERC to address the issue. Yet FERC lacks the authority to make 
sure that NERC's actions are sufficient.
    In 2010, Fred Upton and Ed Markey introduced the bipartisan 
GRID Act to provide FERC with authority to address cyber 
threats and vulnerabilities. The legislation also provided FERC 
with authority to protect the grid against physical attacks, 
electromagnetic pulses, and geomagnetic storms. There was a 
bipartisan consensus that national security required us to act. 
That bill was reported out of this Committee by a vote of 47 to 
zero. And then it passed the full House by voice vote. However, 
the Senate did not act on the legislation.
    Mr. Chairman, we need to work together in a bipartisan way 
to protect the electric grid. Nothing in the executive order we 
are examining today will address the regulatory gaps that 
prevent FERC from acting decisively to tackle these dangers.
    I hope that today's hearing will be the first step in 
rebuilding the bipartisan consensus we had on the need for 
legislative action.

    Mrs. Blackburn. The gentleman yields back, and I would like 
to welcome and recognize our first witness today. Dr. Gallagher 
is the Under Secretary of Commerce for Standards and Technology 
and Director of the National Institute of Standards and 
Technology, or NIST. And everyone knows, Mr. Waxman had all of 
his acronyms. There is an app for that. You can get an app and 
follow all of these acronyms. Dr. Gallagher, we are delighted 
you are here, and you are recognized for 5 minutes for an 
opening statement.
    Mr. Waxman. Madam Chair, can I just ask a question? Is the 
app able to tell us what a NERC and a FERC is for jerks? Oh, 
bad joke.
    Mrs. Blackburn. Dr. Gallagher, you are recognized.

   STATEMENT OF DR. PATRICK D. GALLAGHER, UNDER SECRETARY OF 
 COMMERCE FOR STANDARDS AND TECHNOLOGY, AND DIRECTOR, NATIONAL 
             INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Gallagher. Thank you, Madam Chair and Ranking Member 
Waxman. I want to thank you and the members of this committee 
for this opportunity to testify today. My task this morning is 
to briefly summarize NIST's role and our responsibility 
specifically to develop a framework to reduce cyber risk to 
critical infrastructure.
    It may be a surprise to some that an agency of the U.S. 
Department of Commerce has a key role in cybersecurity, but in 
fact, NIST has a long history in this area. We have provided 
technical support to cybersecurity for over 50 years working 
closely with our federal partners. Also because NIST is a 
technical but non-regulatory agency, we provide a unique 
interface with industry to support their technical and 
standards efforts. Today NIST has programs in a wide variety of 
cybersecurity areas including cryptography, network security, 
security automation, hardware roots of trust, identify 
management and cybersecurity education.
    As directed in the Executive order, NIST will work with 
industry to develop a cybersecurity framework. This is in 
essence a collection of industry-developed standards and best 
practices to reduce cyber risk to critical infrastructure. The 
Department of Homeland Security in coordination with sector-
specific agencies will then support the adoption of the 
cybersecurity framework by owners and operators of critical 
infrastructure and other interested entities through a 
voluntary program.
    To be successful, two major elements have to be part of 
this approach. First, it will require an effective partnership 
across government to ensure that our work with industry for the 
cybersecurity framework is fully integrated with the mission of 
a diverse set of agencies. This will enable a more holistic 
approach to addressing the complex nature of this challenge.
    Secondly, the cybersecurity framework must be developed 
through a process that is industry led and open and transparent 
to all stakeholders. By having industry develop their own 
practices that are responsive to the performance goals, this 
process will ensure a robust technical basis but also one 
aligned with business interests. This approach has many 
benefits. It does not dictate a specific solution to industry 
but it promotes industry offering its own solutions. It 
provides solutions that are compatible with the market and 
other business conditions, and by leveraging industry's own 
capacity, it brings more talent and expertise to the table to 
develop the solutions.
    This is not a new or novel approach for NIST. We have 
utilized very similar approaches in the recent past to address 
other pressing national priorities, most notably on the 
development of a nationwide end-to-end interoperable smart 
grid, and in the area of cloud computing technologies. We 
believe we know how to do this.
    Since this is industry's framework, the NIST role will be 
to lend its technical expertise and to support their efforts. 
We will act as a convener, a contributor, and we will work 
closely with our federal partners to ensure that the effort is 
relevant and contributes to their missions to protect the 
public.
    So what is in this framework? In short, whatever is needed 
to achieve good cybersecurity performance. In practice, we 
expect that the framework will include standards, 
methodologies, procedures and processes that can align 
business, policy and technological approaches to address cyber 
critical infrastructure.
    Let me touch quickly on the topic of standards and their 
importance to the success of this effort. By ``standards,'' I 
am using the term as industry does. These are agreed-upon best 
practices or specifications, norms, if you will, that allow 
compatibility of efforts to meet a goal. These are not the same 
thing as regulation. Industry standards are developed through a 
multi-stakeholder voluntary consensus process, and it is this 
process that gives standards their considerable power, that is, 
their broad acceptance around the world. These standards are 
not static. They can be changed to meet technological advances 
and new performance requirements. Performance-based standards 
promote innovation by allowing new products and services to 
come to the market in a way that is not a tradeoff with good 
security.
    Madam Chair, I appreciate the challenge before us. The 
Executive order requires the framework to be developed within 
one year. A preliminary framework is due already within 8 
months, and we have already begun to work on this. We have 
issued a request for information to gather relevant input from 
industry and other stakeholders, and we are actively inviting 
stakeholders to participate in the cybersecurity framework 
process. The early response from industry has been very 
gratifying. Over the next few months, we will convene a series 
of deep dive workshops and use these workshops to develop the 
framework. This forum allows the needed collaboration and 
engagement. The first workshop was held in early April to start 
organizing the process, and next week will be our first full 
workshop.
    Last week, we released the initial findings from an early 
analysis of the responses to the request for information. These 
responses range from individuals to large corporations and 
trade association from a few sentences on particular topics to 
comprehensive responses that ran well over 100 pages. Next week 
at the workshop hosted by Carnegie Mellon University in 
Pittsburgh, we will work with the stakeholder community to 
discuss the foundations of the framework and this initial 
analysis, and this will mark the transition to actually 
developing the framework.
    In a related note, in June the Departments of Commerce, 
Homeland Security, and Treasury will submit reports regarding 
incentives designed to increase participation with the 
voluntary program. At 8 months we will have an initial draft 
framework including initial list of standards, guidelines and 
best practices, but even after a year the work will only have 
begun. Adoption and use of this framework will raise new issues 
that we need to address. The goal at the end of this process 
will be for industry to take and update the cybersecurity 
framework themselves, creating a continuous process to enhance 
cybersecurity.
    The President's Executive order lays out an urgent and 
ambitious agenda but it is designed around an active 
collaboration between the public and private sectors. I believe 
that this partnership provides the needed capacity to meet the 
agenda and effectively will give us the tools to manage the 
cyber risk we face
    I really appreciate the committee holding this hearing. We 
have a lot of work ahead of us, and I look forward to working 
with you to address these challenges. I am looking forward to 
answering any questions you may have.

    [The prepared statement of Dr. Gallagher follows:]


    [GRAPHIC] [TIFF OMITTED] 82197.001
    
    [GRAPHIC] [TIFF OMITTED] 82197.002
    
    [GRAPHIC] [TIFF OMITTED] 82197.003
    
    [GRAPHIC] [TIFF OMITTED] 82197.004
    
    [GRAPHIC] [TIFF OMITTED] 82197.005
    
    [GRAPHIC] [TIFF OMITTED] 82197.006
    
    Mrs. Blackburn. Thank you. The gentleman yields back, ran a 
little bit over time there but that is OK. At this time I will 
begin the questioning, and I recognize myself for 5 minutes.
    I want to talk with you first about what you are doing with 
this framework. Because I think all of us caught, it came to 
our attention that Secretary Napolitano in congressional 
testimony earlier this year was still seeking legislation 
giving DHS the authority to impose the critical infrastructure 
requirements, and it probably struck many of us odd--I know it 
did me--that you all are working on this and are looking at a 
voluntary cybersecurity framework. So shouldn't the 
Administration wait to see whether your process creates an 
effective cybersecurity framework before asking for new 
statutory authority to impose regulations?
    Dr. Gallagher. So I think the Executive order lays out a 
clear goal of a voluntary-based system. We agree that the first 
priority is to allow the market to attempt to address this 
needed level of cybersecurity performance. That being said, the 
Executive order lays out sort of two goals once the framework 
is in place. One is a program to promote adoption of the 
framework, this voluntary framework by industry, and the other 
is a recognition that some of these sectors are already 
regulated, so we would like to see the framework used as a way 
to harmonize this. I think it would be a mistake if we do all 
this work on a broad, multi-sector framework for cybersecurity 
and then not have those practices embraced by those existing 
regulatory entities. So it really contains both of those 
pieces.
    Mrs. Blackburn. Well, let me ask you this then. Why do you 
think the Administration issued the Executive order if they 
knew that you were already working and trying to create the 
framework, and do you think that there is going to be any 
further push for legislation? If you have got a year, you are 
going to meet a deadline within a year, you say you are 8 
months away from delivering a product. You are holding your 
workshops, the multi-stakeholder workshops, you are bringing 
people to the table. So why are they bothering to issue the 
Executive order and then ask for legislation?
    Dr. Gallagher. So the Executive order serves to basically 
align roles and responsibilities across the existing agencies, 
and you see that in the Executive order, that it choreographs 
the role of Homeland Security, NIST and other players in a 
process within our existing authorities. So you are correct: 
what we are doing now doesn't require any legislation. My 
personal view is that the primary need for legislation is going 
to become more important as we look at the implementation and 
the adoption of the framework. The real win in a framework 
process is that cybersecurity--good cybersecurity--is good 
business, and I think what we are going to be looking at is, 
what are the obstacles that get in the way of adoption of this 
framework, where are the areas where these practices require 
incentives and other--or maybe removing barriers to adoption, 
and so I think the ongoing discussion that has been happening 
with Congress will likely continue. The Administration looks 
forward to working with Congress on this, but I think industry 
won't need our help developing the framework but they may need 
our help looking at areas where there are barriers to putting 
this into meaningful use.
    Mrs. Blackburn. Well, and I think that what we are hearing 
from industry is that good cybersecurity, solid cybersecurity 
steps are an imperative. They are not something that is just 
good business but they are something that are an imperative 
every single day, whether it is financial networks, whether it 
is the grid, as Mr. Waxman referenced, whether it is some of 
our health IT organizations. When you look at the number of 
attacks and the step-up in that such as the PLA attacks, you 
know that it is an imperative.
    With that, Mr. Waxman, I yield you 5 minutes for questions.
    Mr. Waxman. Thank you very much, Madam Chair. I agree with 
your last statement. This is an imperative issue.
    Dr. Gallagher, the President's Executive order of 
Cybersecurity applies to all of the critical infrastructure 
sectors. I want to ask you about the one that I talked about in 
my opening statement, and that is the electric grid, because 
our Nation's critical infrastructure and defense installations 
are almost entirely dependent on the grid for electricity and 
they simply can't function without it. When Ed Markey and I 
wrote to the utilities asking them about cybersecurity, they 
reported that they feel they are under a constant state of 
attack. They are targets of daily cybersecurity attacks. 
Because the grid is so critical and is the target of so many 
cyber attacks, I think we need to make sure that we are 
adequately protected. The current industry-controlled approach 
of issuing mandatory electric reliability standards through 
protracted and consensus-based process has a poor track record. 
When it does issue standards, they are at least enforceable, 
but voluntary standards are not enforceable.
    Dr. Gallagher, the cybersecurity framework envisioned by 
the Executive order would be voluntary. Isn't that right?
    Dr. Gallagher. That is correct.
    Mr. Waxman. And because there is no way for a federal 
agency to ensure compliance with voluntary standards, isn't 
that a correct statement that there is no way they can enforce 
it?
    Dr. Gallagher. That is correct, from a regulatory or legal 
perspective.
    Mr. Waxman. You can provide incentives for the private 
sector to adopt standards, but there is no actual enforcement. 
Isn't that right?
    Dr. Gallagher. That is correct.
    Mr. Waxman. The problem is that recommended voluntary 
cybersecurity measures have not been adopted by most utilities. 
I mentioned that in my opening statement, even to the point 
where compliance with voluntary measures to protect against the 
Stuxnet computer worm have not been taken, and that is the 
virus that destroyed uranium enrichment centrifuges in Iran. So 
I don't find these numbers that we have received from voluntary 
reporting by the industry encouraging.
    The Executive order directs federal agencies to assess 
whether the cybersecurity regulations governing each sector are 
sufficient. If they are not adequate, the agencies are supposed 
to issue new regulations to mitigate the cyber risk, but that 
raises the question of whether agencies have the necessary 
statutory authority to issue such regulations. Under the 
Federal Power Act, the Federal Energy Regulatory Commission 
lacks authority to issue regulations to protect the electric 
grid. Even if they see that it is necessary, they can't do it.
    Dr. Gallagher, the Executive order doesn't address this gap 
in authority, does it?
    Dr. Gallagher. It does not address that specific issue, 
correct.
    Mr. Waxman. So a voluntary approach to cybersecurity may 
make sense for some sectors but experience has shown that it 
cannot be relied upon to protect the electric grid. The FERC 
should have the authority to address cyber threats to the 
electric grid. That requires legislation from Congress. I hope 
we will work together on a bipartisan approach, I hope a 
consensus on the need for that legislation. This is a national 
security issue and I believe all of us want to work together. 
That is why we are here today, and we are all expressing our 
concern about this issue.
    Madam Chair, I will follow your lead and yield back a big 
chunk of my time.
    Mrs. Blackburn. Thank you, Mr. Waxman. At this time, 
Chairman Walden is recognized for 5 minutes.
    Mr. Walden. I thank the chairwoman. Thank you very much, 
and Dr. Gallagher, thanks for being here.
    Dr. Gallagher, networks are obviously very complex and 
interconnected and themselves rely heavily on information 
technology products and consumer information technology 
services. How clear is the delineation? You have the so-called 
IT exception, and how will that be applied?
    Dr. Gallagher. So as I understand it, the IT exemption that 
is discussed in the Executive order pertains to whether the IT 
equipment and components are identified themselves as a 
critical infrastructure. In the framework process, they are 
clearly dependencies. So if we are talking about the energy 
sector or any other critical infrastructure that is depending 
on IT--this is about cybersecurity, after all--they will depend 
on the performance networks and the performance of IT-based 
equipment. And so the IT sector, the IT companies are already 
deeply involved with this process. I think the exemption 
applies to whether they are being specifically identified as a 
critical infrastructure. I don't think it means they are not 
involved deeply in the framework.
    Mr. Walden. So you think they will be then?
    Dr. Gallagher. Yes, they already are.
    Mr. Walden. And obviously, flexibility is critical in 
engaging the private sector to respond to the very rapid 
evolving cybersecurity threats, especially since networks are 
themselves varied and rapidly evolving. I don't have to tell 
you that. How will the framework incorporate such flexibility?
    Dr. Gallagher. Well, I think the way it adopts 
flexibilities by relying on the same process that industry 
relies on to actually develop things like the network itself. 
The Internet is actually a series of protocols and standards 
that allow this widespread interoperability. So it has to be as 
dynamic as the technology they are deploying. What we are 
basically arguing in the framework is, we want to leverage the 
same thing to address cybersecurity performance. So it is an 
industry-controlled process with their own technical experts. 
They can bring their own technologies to the table as part of 
this multi-stakeholder process, and it can be as dynamic as the 
technology is to address this.
    Mr. Walden. As you may know, our Subcommittee on 
Communications and Technology held several hearings on the 
issue of cybersecurity and cyber threats, and I think every 
single witness we had said be careful in this area to not 
overregulate because if you do, the bad actors will know what 
we have been instructed to do by statute, they will change up 
faster than you will ever keep up from a statutory standpoint, 
and that you will bind our hands and misallocate our capital 
and the resources. Is that a view you share?
    Dr. Gallagher. So I think the tension between regulation 
and standards has always been there. Standards and regulation 
interplay with each other all the time, and frankly, it leads 
to a lot of confusion in this space. But they really serve 
different purposes. I mean, I am not an expert in this area, 
regulatory issues. We would have to work with Congress anyway. 
We would want to do that. But very simply, in my view, a 
regulation is needed when the market can't perform. In other 
words, we are talking about infrastructure whose failure would 
cause a catastrophic impact to the Nation, and so we don't want 
that to happen. But the advantage of industry doing as much as 
it can is self-evident because of what they bring to the table 
and the fact that so much of this equipment is owned and 
operated and managed by the private sector.
    Mr. Walden. Well, I think that is the concern that we have. 
Later today we have a hearing subcommittee hearing on supply 
chain vulnerabilities, which, as you know, is a major national 
and international issue, and I don't know if you have any 
comments regarding some of those reports that have been in the 
news. Certainly our colleague, Mr. Rogers, and his committee in 
a bipartisan way have had some pretty important things to say 
in this area.
    Dr. Gallagher. Well, let me start by saying we would like 
to work with you on that issue. I think supply chains are one 
of these dependencies that we talk about. The markets for 
equipment, the markets for software are global, they are 
interconnected, and we need to understand how do we put 
together resilient and secure systems out of potentially 
unresilient, low-trustworthy parts and components, how do we 
put trust into a system this heterogeneous and this diverse. It 
is really a very important issue and it is one that has already 
come up some level in the RFI process for the framework.
    Mr. Walden. All right. My time is expired. Thank you, Madam 
Chair.
    Mrs. Blackburn. The gentleman yields back. Mr. Dingell, you 
are recognized for 5 minutes, sir.
    Mr. Dingell. Madam Chairman, thank you. Welcome to you, Dr. 
Gallagher. I would appreciate a yes or no response to the 
questions if you please.
    Dr. Gallagher, I note Section 7(e) of the Executive Order 
13636 mandates you publish a final version of the cybersecurity 
framework no later than February 2014. Will you be able to meet 
that deadline? Yes or no.
    Dr. Gallagher. Yes, sir.
    Mr. Dingell. Dr. Gallagher, do you believe that in general 
NIST has sufficient resources whether in terms of funding or 
manpower with which to comply with Executive Order 13636? Yes 
or no.
    Dr. Gallagher. Yes.
    Mr. Dingell. Doctor, I note that Executive Order 13636 does 
not grant agencies additional statutory authority with which to 
address cybersecurity-related risks. Based on your 
consultations so far in establishing the cybersecurity 
framework, do you expect the Administration will request the 
Congress to grant it additional cybersecurity-related statutory 
authority? Yes or no.
    Dr. Gallagher. Yes.
    Mr. Dingell. Now, Dr. Gallagher, in general, do you believe 
that the Administration should be granted additional statutory 
authority to address cybersecurity-related risks? Yes or no.
    Dr. Gallagher. Yes.
    Mr. Dingell. Doctor, do you believe that Executive Order 
13636 alone is sufficient to adequately address the myriad 
number of cybersecurity-related threats faced by industry and 
the government? Yes or no.
    Dr. Gallagher. No.
    Mr. Dingell. Now, Doctor, a portion of your written 
testimony is dedicated to explaining the role of standards in 
Executive Order 13636. You state the standards are agreed-upon 
best practices against which we can benchmark performance. 
Thus, these are not regulations. Earlier in your testimony, you 
stated, and I quote, ``Many in the private sector are already 
doing the right things to protect their systems and should not 
be diverted from these efforts through new requirements.'' Do 
these statements mean that NIST and the Administration do not 
support the establishment of mandatory cybersecurity 
regulations? Yes or no.
    Dr. Gallagher. Well, I think----
    Mr. Dingell. And if you explain it--I think you are going 
to have to--please do it briefly. Go ahead.
    Dr. Gallagher. As I said, I think we strongly prefer a 
private-sector-led solution. A voluntary industry-led consensus 
process is going to be more dynamic. It is going to be 
adoptable around the world. It can help shape the technology 
and the markets in a way that would not be possible if we took 
a regulatory approach. That being said, the final analysis we 
have to protect critical infrastructure, and so the real test 
is going to be as put into practice is it protective of 
cybersecurity, and if it is not, then I think there is a 
question for Congress and the Administration in terms of how 
to----
    Mr. Dingell. And I would assume that you expect that we are 
going to run into many occasions where we are going to have to 
figure out what we do and whether or not we are going to have 
additional changes in the executive orders, regulations or 
whether additional statutory authority is needed. Is that 
right?
    Dr. Gallagher. I would certainly anticipate this will be 
part of an ongoing discussion, yes, sir.
    Mr. Dingell. Thank you, Doctor.
    Now, Madam Chairman, I would like to note in closing that 
Section 4 of the Executive order establishes a limited 
information-sharing regime between the federal government and 
industry. It is my hope that the committee will continue to 
examine this issue. It is also my hope that we shall hear from 
the Secretary of Homeland Security, who is important in the 
implementing of Section 4 about the effectiveness of 
information sharing as well as whether the Congress should 
authorize the liability exemptions that industry claims are 
necessary to making information sharing function well. I 
anticipate considerable need for us to engage in active 
oversight of these matters.
    I thank you, Madam Chairman, for your courtesy. Doctor, I 
appreciate your courtesy and your assistance. I yield back the 
balance of my time.
    Mrs. Blackburn. The gentleman yields back. At this time, 
Mr. Terry, you are recognized for 5 minutes.
    Mr. Terry. I waive.
    Mrs. Blackburn. Mr. Terry waives. At this time, Mr. Rogers, 
you are recognized, and you waive. OK. Mr. Murphy, you are 
recognized for 5 minutes.
    Mr. Murphy. Thank you. I want to go over with regards to 
working with the private sector, and you had mentioned Carnegie 
Mellon University in your testimony there, and I understand 
there is a number of things that are classified in that process 
as well. You stated also that many in the private sector are 
already doing the right things. We would look at health policy 
and financial institutions and agriculture and transportation, 
et cetera, and we have a limited amount of time and resources 
to spend on bolstering protections and not spent on burdensome 
other requirements here. Can you assure us that the whole 
cybersecurity framework required by Executive order is not 
going to just be a bunch of regulations, it is going to allow 
these groups to all work with each other as well and to 
interconnect among them? So the universities, the private 
institutions, et cetera.
    Dr. Gallagher. Well, I can assure you that is our intent, 
and the way we are trying to make sure that intent follows 
through is by giving the pen, if you will, to develop the 
framework to industry and these sectors themselves and then 
supporting that effort. It is really essential that this be 
their work product, that this reflects current best practice 
from across these sectors that identify cross-cutting issues 
because it is going to be a superior product. It is the only 
way to do this in the time frame, and it also allows an answer 
that can basically be driven into the market actually across 
the entire world.
    Mr. Murphy. Thank you. Madam Chair, I yield back.
    Mrs. Blackburn. The gentleman yields back. Ms. Eshoo is 
recognized for 5 minutes.
    Ms. Eshoo. Thank you, Madam Chair. Good morning, Dr. 
Gallagher. Thank you for being here. Thank you for your 
leadership at NIST, and I want to thank NIST for being one of 
the cosponsor of the first-ever hack-a-thon that took place in 
my congressional district this weekend on public safety apps. 
So I think some really important ideas are going to come out of 
that and benefit our country.
    My first question to you is, you have referred to a 
critical infrastructure, as have members, and this whole issue 
of regulation, light touch and/or regulation. What do you 
consider to be critical infrastructure, number one?
    Dr. Gallagher. Well, I don't read anything past what is is 
in the Executive order itself, which is an operational 
definition that defines it as something whose failure would 
cause catastrophic harm to the country, and then there is a 
process in the Executive order that allows for a more specific 
identification process.
    Ms. Eshoo. And how do you, as part of this framework, how 
do you intend to address the integrity of the supply chain? 
Chairman Walden raised this, and I wanted to go back to it.
    Dr. Gallagher. So I think from our view, in supporting an 
industry-led effort, it is going to basically look at how does 
the market identify trust in software, in components and in 
systems. We are talking about companies that will be buying 
equipment, presumably from supply chains that may be around the 
world that are going to integrate those into systems that 
control and manage their critical infrastructure. So the 
question is, how do we give them the tools to identify 
trustworthy components and systems in the context of that 
global market. It is one of these major dependencies that just 
is part of this type of a system, and we already see that issue 
coming up from our industry partners in the framework process.
    Ms. Eshoo. Now, in this whole issue of cybersecurity, about 
95 percent of it is private sector, 5 percent is the 
government, roughly, and I am pleased that NIST has placed such 
a prominent focus on public-private partnerships because they 
are very important. But as you work with the private sector, I 
think it is very important for you to hear not just from the 
large companies or the largest companies in the country but 
small and medium businesses because they offer a rather unique 
perspective, and given that the congressional district that I 
represent, people think, members, especially, that when they 
come to my district they visit Google and Facebook and 
Microsoft and that they have covered the entire ground. They 
haven't. I am proud that they are there and that I get to 
represent them but there is a lot more to it. So how will you 
ensure that the input of these small and medium sized 
businesses are incorporated into NIST's cybersecurity 
framework? And if you could be specific about this, how you are 
doing it.
    Dr. Gallagher. In short, we are trying to do everything we 
can to ensure that companies of all sizes--it is not just the 
big companies, as you know. Small companies tend to be leading 
innovators in many cases. It would be a real problem if they 
were excluded from the process. But even as owner/operators of 
critical infrastructure, there are companies of all sizes that 
do that. What we tried to do is make sure that our engagement 
with the private sector through this process is not just in one 
mode. In other words, we have the major workshops where we----
    Ms. Eshoo. But do you go to them? I mean, where do you go? 
Do you invite everybody to come to Washington?
    Dr. Gallagher. No. In fact, we are going to be holding----
    Mr. Eshoo. These small startups can't. They don't have time 
or money to come here.
    Dr. Gallagher. That is correct, so we have done input that 
can be done electronically. The request-for-information process 
was completely virtual. And our workshops are going to be 
across the country, the first one in Pittsburgh, the second we 
anticipate in southern California, and then the third one is 
still being worked out. So we do recognize the limitations that 
smaller companies have to do this, and we are trying to design 
the process so that there is few of barriers as possible to 
their participation.
    Ms. Eshoo. Thank you. I yield back.
    Mrs. Blackburn. The gentlelady yields back. Dr. Burgess, 
you are recognized for 5 minutes.
    Mr. Burgess. I thank the chair, and Dr. Gallagher, thank 
you so much for spending time with us this morning.
    On the information that you provided to us, you talk about 
developing the framework and developing the standards that will 
be used, voluntary compliance by the industries involved, and 
one of the panelists we are going to hear from on the second 
panel, former CIA Director, Mr. Woolsey, talks about the danger 
from an electromagnetic pulse and talks about the need for 
surge arrestors to be built into infrastructure. Are you 
similarly developing the standards for those arrestors and 
resistors that will be built into the infrastructure for 
protecting our electrical grid and other systems?
    Dr. Gallagher. So while remembering, in the United States, 
NIST does not write the standards. By law, federal agencies 
look to private-sector standards organizations for their needs. 
So we ourselves would not be developing the standards.
    The framework process, since it is specific to 
cybersecurity, will probably not have within its scope sector-
specific resiliency measures like electromagnetic pulse or 
geostorm or what have you. However, NIST does support those 
efforts directly. So in the case of a geomagnetic storms, a lot 
of the electrical measurement equipment and technology that is 
needed by the electrical utilities to provide that protective 
service is work that we do support from our laboratories.
    Mr. Burgess. That is the point I was going to make. Many of 
us remember the day in the late 1990s or maybe the early 2000s 
when our little card readers at the gasoline pumps stopped 
working because of some sort of solar event that had interfered 
with satellite technology, and so you have that ongoing work in 
process at NIST. Is that not correct?
    Dr. Gallagher. That is correct. We think of ourselves as 
industry's national lab, so as these technical issues come up 
in their standards process where they want resilient equipment 
and services, our job is to work on that technology and support 
their efforts.
    Mr. Burgess. Well, again, we are going to hear a great deal 
more of this from a witness on our second panel but it just 
seems that it stands to reason as you build that or as you 
develop the voluntary compliance standards for that 
infrastructure that you would build this protection in so that 
industry and the private sector would be not only aware of the 
necessity but have a place to go. So often we get into these 
things and you get overwhelmed by vendors and you don't really 
know which is the best practice or the best technologies. So 
that is where I see NIST as really being able to provide some 
of that direction and some of that leadership in going forward 
in this. Is that a fair assessment?
    Dr. Gallagher. Yes. I think it is ironic that the diversity 
of our approach in the United States, which is one of its 
strengths, also makes it complicated at times, but that is 
certainly a role that we would be happy to take on to help 
facilitate, provide some clarity, particularly in this area.
    Mr. Burgess. I thank the chair. In the interest of time, I 
am going to yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Green, you 
are recognized for 5 minutes.
    Mr. Green. Thank you, Madam Chairman.
    Mr. Gallagher, thank you for appearing before our committee 
today, and it is important that any framework established 
through the Executive order be truly voluntary. Mandated 
regulations could quickly become outdated due to a rapidly 
changing cyber threat landscape and may result in increasing 
uniformity that may inadvertently add vulnerabilities to 
intricate systems tailored to specific company operations and 
risk profiles. How will NIST ensure the framework remains a 
truly voluntary program?
    Dr. Gallagher. Well, the most straightforward way is, we 
simply have no regulatory authority of any type that would make 
it compulsory. Insofar as supporting industry's intent to have 
this be something under their control, one of the things that I 
think we can do is work with them through the framework process 
to identify how this framework is muscular. I think one of the 
problems we face is that people are equating the term 
``voluntary'' with ``weak'', and that is not necessarily the 
case. Most product safety standards in the United States, many 
things are in fact fully managed by industry, and industry is 
quite capable of putting in muscle--what we call conformity 
assessment tools--to ensure that in business-to-business 
interactions and so forth that they assure themselves, that 
they are complying with their own standards and protocols. And 
I think if that is done, it addresses the performance. I think 
if what they do is protective of the critical infrastructure, I 
think that is the best thing we can do to maintain this as a 
voluntary industry-led process.
    Mr. Green. As the framework takes shape, demonstrating 
adherence to the framework should not require submission of 
company audit results. Sharing of sensitive information with 
third parties could greatly compromise cyber systems, so 
specific information regarding cyber systems must remain 
propriety to protect the information from the public and cyber 
criminals. Has NIST developed a method to determine adherence 
to the framework, and will they take into consideration the 
sensitive information that different companies and plants may 
provide?
    Dr. Gallagher. So NIST itself would not play a role in 
assessing compliance with the framework. Our preference would 
be for industry to develop as part of the framework the vehicle 
by which they would determine the compliance mechanism. What we 
can do is share a number of best practices and models where 
that has occurred in other areas including smart grid and cloud 
computing and show them the pros and cons of these different 
models. It addresses many of the concerns you just raised, 
which is in the business environment, they can set this up so 
that they are not sharing competitively sensitive information 
and propriety information in a way that they don't want to. In 
other words, the conformance assessment program can be 
compatible with their business needs.
    Mr. Green. I appreciate that. I know a lot of us represent 
different entities who have a big stake in this, and they are 
already doing a lot of things. In my area, my refineries, 
chemical plants, of course, all of us have utility plants, that 
this cybersecurity threat is being addressed now and they are 
standards being developed, sometimes by companies, sometimes by 
industry, and that is my concern, that we make sure that we 
don't get in the way of some of the innovations that literally 
can be found out every day.
    So Madam Chairman, I appreciate the time. Thank you. I 
yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Scalise, you 
are recognized for 5 minutes.
    Mr. Scalise. Thank you, Madam Chair. I appreciate you 
holding this hearing. Dr. Gallagher, thank you for being with 
us today.
    You mentioned in your testimony that regulatory agencies 
will review the cybersecurity framework to determine if any 
requirements, if the current requirements are sufficient but 
also if there would be any proposed new types of actions. When 
I look at that and I see words like ``requirements'' and 
``actions,'' is that something that is synonymous with 
regulations?
    Dr. Gallagher. Not to me, but you are not the first person 
that has noticed the connection.
    Mr. Scalise. So there are no proposals right now to come 
out with actual regulations when you talk about requirements or 
actions?
    Dr. Gallagher. So in my experience, here is what I have 
learned when you are dealing with standard setting that 
potentially touches regulatory agencies. So some of these 
sectors are currently regulated. It would be a mistake for the 
framework to not be germane to what the regulators are doing. 
Then it wouldn't be addressing the underlying need to protect 
those sectors in this case. On the other hand, you don't want 
so close of a relationship that the standard setting is 
effectively a regulatory process.
    Mr. Scalise. I know you are familiar with legislation that 
we have moved through the House to expand the ability for the 
private sector to share information with the government to find 
out about threats but all on a voluntary basis where private 
information would be protected, where if a private entity 
didn't want to go and talk to DOD about maybe things that they 
are seeing from China or Russia or some other country or 
entity, they don't have to do that, but then there would be the 
ability for them to do it if that benefits them in looking at 
breaches that are maybe coming their way. And so voluntary is 
very different than new requirements that would be mandatory. 
You understand the difference that we are looking at there?
    Dr. Gallagher. Yes. The intent of the framework is not to 
drive the establishment of new requirements. That portion of 
the Executive order, to my understanding, is a harmonization 
issue, which is we want any existing regulatory agency to 
consider the framework when it is complete. It may be something 
they can harmonize against, which would remove duplicative 
requirements to those companies. It could very well be that it 
addresses the underlying need, and they could actually lighten 
any specific regulatory requirements. But in our view, it would 
be a mistake for them not to consider the framework in light of 
what they were doing before the framework was there.
    Mr. Scalise. So when you talk about the Executive order 
that would establish this framework, you also talked about 
incentivizing private companies, other entities that have 
critical infrastructure to adopt this new framework that you 
are developing at NIST. What types of incentives are you 
talking about?
    Dr. Gallagher. So I think at this point we don't know what 
the specific incentives are, so the Executive order actually 
asks a number of agencies to contribute reports identifying 
potential areas. We have done this through a public comment 
period and we are distilling those comments now. I think the 
way to understand this is that we want the framework adoption 
to be tantamount to good business. In other words, good 
cybersecurity is good business. They are compatible functions 
within these companies, and I think the best way to view the 
incentives question is to what extent are there barriers or, in 
some cases, you know, counterincentives to doing the right 
thing. Those are the things I think we will work with you 
together to make sure that we align business interests with 
doing good cybersecurity.
    Mr. Scalise. Right, and again, in our legislation, we have 
some liability protections. We don't want somebody to feel like 
if they are coming to the government to work together in a 
partnership that that is not going to expose them to some other 
kind of liability if their intent is to protect their network 
and ultimately all of the users. I mean, my constituents, 
everybody's constituents that are out there that give personal 
information to various Web sites, they do it under agreements. 
If you are on Facebook or any other Web site, you have got an 
agreement. You know that there are agreements that your 
personal information is going to be protected. Of course, if 
some other country, some entity is trying to break through a 
firewall, then they are also trying to get your personal 
information. So you want that to be protected. So I am just 
trying to find out, does NIST have some definition of incentive 
when you are trying to get this?
    Dr. Gallagher. At this time NIST does not but what I can 
share with you is a preliminary look at some of the comments 
coming in from the RFI to the Commerce Department. They include 
things like liability protections, exploring the establishment 
of insurance markets where the risk can be monetized in 
business-to-business relationships, procurement preferences for 
companies that are supporting the framework to offer high-
quality products and services. It is things of that type.
    Mr. Scalise. And I would just ask--I know my time has run 
out--I would just ask if you could share that with the 
committee as you are developing those definitions of 
incentives, if you could just share that with us along the way 
and some of the things like the liability protections are 
things we have already hashed out and embedded here. Maybe you 
could look at those things that we have already identified as 
well.
    Thanks a lot, and I yield back the balance of my time.
    Mrs. Blackburn. The gentleman yields back. Mr. McNerney for 
5 minutes.
    Mr. McNerney. Thank you, Madam Chairman.
    Thanks, Dr. Gallagher, for your work on this issue, and you 
clearly have a good grasp of it and you are sharing the wealth 
so it is understandable.
    One of the things that you mentioned and I think comes up 
often is the idea of performance-based standards, and I would 
like for you to just talk a little bit about what that means, 
maybe give an example, and also give an example of a non-
performance-based standard so we will have a clear idea of what 
we are talking about here.
    Dr. Gallagher. So simply, a performance-based standard is 
one where the standard addresses a given level of performance 
and it is less prescriptive about how you get it done. So an 
example would be this smartphone needs to talk to this network. 
That is a performance requirement for interoperability in that 
case but it doesn't prescribe the exact data format, electrical 
format that would happen. What a performance requirement then 
does is allow a diversity of technical solutions that can 
achieve the same performance level, and that is why these are 
preferred. They give companies, particularly in technology 
fast-moving areas, the flexibility and latitude to continue to 
innovate and perhaps even meet the performance requirement in 
improved ways.
    Mr. McNerney. Well, what would a performance-based standard 
in cyber look like or sound like?
    Dr. Gallagher. Well, I think that is the exact question we 
are going to be putting in front of the industry groups through 
the framework process. You know, measuring and assessing good 
cybersecurity performance, and I am saying this as head of a 
measurement agency, is actually a challenging problem. You 
know, coming up with the right way of characterizing this, and 
I think it is probably going to be a diverse set of metrics 
that they look at. Some of these are going to be looking at 
best practices in terms of removing vulnerabilities. That would 
be one type, known vulnerabilities and minimizing that threat 
surface, if you will, in companies. And the other part is going 
to be this adaptive part of cybersecurity, which is, do you 
have the intrinsic capability to take new threat information 
and to adjust the protective measures you are taking within the 
company. So I wish I could give you an easy, straightforward 
answer to that one but I think that is going to be one of the 
issues that the entire framework community is going to be 
dealing with.
    Mr. McNerney. Well, I spent some time developing standards 
in the mechanical engineering fields, and it is long, it is 
painstaking, and often it gets watered down so much that it is 
not very useful, and I am worried about that in this sort of a 
framework. Do we have the chance of ending up with something 
that is so watered down that it is not useful?
    Dr. Gallagher. So consensus, of course, doesn't mean 
unanimity, as you know from that experience, and I think you 
are exactly right. One of the threats you face in a multi-
stakeholder process is that in an effort to achieve agreement, 
you go to the lowest common denominator. And that is why the 
performance goal of having high-performance cybersecurity is 
going to be so important to this. I think what we are striving 
for here is a framework that reflects best possible achievement 
at commercial levels of performance. That would allow 
additional support, for example, in the public-private space 
where support from our intelligence agencies and operational 
agencies can support the private sector but not asking them to 
carry out that role. But it also reflects that we can't race to 
the bottom and just find the lowest common denominator of 
technical performance and call that adequate.
    Mr. McNerney. Now, are you going to be including foreign 
companies in this collaborative process?
    Dr. Gallagher. Yes.
    Mr. McNerney. It would be hard not to because----
    Dr. Gallagher. I would hope they do, actually. One of the 
interesting parts of this is, by doing this through the market, 
and the market in fact is global, what we can do is end up with 
a baseline level of performance that is reflected in products 
and services sold around the world. In fact, if we had taken a 
regulatory approach first, that would be unlikely to happen 
because as soon as a U.S. regulatory agency said this is the 
requirement, it becomes a counterincentive to any adoption in 
other countries, where if this is coming from industry, very 
naturally I think one of the real strengths here is that we can 
drive this base level of performance into the global 
marketplace. That doesn't preclude governments from adding any 
additional requirements on top of that but I think it best for 
companies because it lets them sell their goods and services 
around the world, and it is good for us because the Internet is 
itself a global infrastructure, and I think if we can drive 
this intrinsic security performance up, that is better for all 
of us.
    Mr. McNerney. I think this is an opportunity for real, true 
bipartisan work. Thank you, Madam Chairman.
    Mrs. Blackburn. The gentleman yields back. Mr. Latta, 5 
minutes.
    Mr. Latta. I thank the chairlady, and I appreciate you all 
being here today. This is a topic that is not just on 
everyone's mind here in Washington but back home. You know, in 
the last 24 hours before I came back, there was an article in 
the New York Times, China back to hacking United States 
alleges, experts say agencies, firms battling new attacks. 
There was a front-page story yesterday also in the Washington 
Post about Chinese hackers, and it is a real issue, and I 
represent 60,000 manufacturing jobs back home and a lot of 
businesses that are very concerned with this. One of the things 
that I started doing with the cybersecurity with the FBI in 
Ohio, we have done cybersecurity events in the district, we are 
doing one next week, to get the FBI in to really explain to 
people how serious things are out there. So I really appreciate 
you all being here because it is a topic that is on top of 
everybody's mind.
    In your testimony, on page 4, if I can just ask you a 
couple questions about that, it says that your request for 
information under the RFI this past February, you know, you 
have received 224 responses so far. Have you been able to 
analyze any of those responses and are you seeing any kind of a 
trend right now, and who has been responding? Is it overall in 
the industry or is it a broad section?
    Dr. Gallagher. It is actually remarkably broad. As I said, 
we have heard from some of the largest companies and industry 
associations. I think in the next panel you will hear that many 
of the participants there, their companies have participated in 
the process. It crosses all the sectors. We did publish last 
week, and it is posted on the NIST Web site, a preliminary 
analysis of the responses. In fact, we chart out and tabulate 
the areas that are represented and the types of issues that 
were coming up through the public comment period. That is part 
of the homework assignment that has been given to the framework 
participants for their first workshop in Pittsburgh next week.
    Mr. Latta. Well, thank you, and also, you know, just maybe 
to sum up, because in the interests of time, that, you know, 
one of the things, you commented in your testimony and also I 
have heard over and over from folks out there that one size 
does not fit all, that we can't create one thing here in 
Washington because, again, on the industry side, things are 
moving so quickly on theirs that we try to do something here, 
and we will be just three, four, five steps behind.
    The other term that I always know that worries people back 
home is the word ``voluntary'' and they want to make sure that 
anything that is done is always voluntary, and as my colleague 
from Louisiana just mentioned in a question about incentives, 
incentivizing, those are terms that also we want to really make 
sure that we know what is going on. So Madam Chair, in the 
interest of time, I yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Tonko, you 
are recognized for 5 minutes.
    Mr. Tonko. Thank you, Madam Chair, and let me thank Chair 
Upton and Ranking Member Waxman for arranging today's very 
important hearing. Critical infrastructure represents a wide 
range of industries, and interestingly, many fall under the 
jurisdiction of E&C. So we need to take a serious look at how 
to improve these industries' resiliency from cyber threats.
    Let me welcome you, Dr. Gallagher. I know that you have an 
awesome task assigned your way, but I also appreciated your 
recent visit to the core of my district. It was well received. 
And I commend NIST on its leadership in implementing some very 
important guidelines here. NIST has received tremendous 
feedback from stakeholders, and it appears that NIST has 
recognized that cybersecurity can best be addressed through a 
cooperative public-private partnership. So it is clear that 
this has been a collaborative effort, and I am grateful that 
you appear before this committee today.
    President Obama expressed concerns with the cyber 
legislation recently considered in the House because of privacy 
and civil liberties issues. His Executive order makes promoting 
these rights an explicit priority. Many of the testimonies we 
will hear today will make mention of that importance. Has NIST 
or DHS's Office for Civil Rights and Civil Liberties been in 
discussion with privacy and civil liberties groups while 
working on implementation?
    Dr. Gallagher. So in the case of the framework process, 
which is fairly new, I am not specifically aware of any 
discussions, but prior to that, through Commerce Department 
efforts looking at both privacy and non-critical 
infrastructure, we interacted quite extensively with those 
groups. I think from a framework perspective, it comes up in 
two areas. One is privacy is about sharing the appropriate 
information you want to share and nothing else. That is a 
technically enabled capability, and so at the technical level, 
the capacity to implement privacy is in fact a deep part of 
cybersecurity and will be part of the framework process. The 
other part of the Executive order where this is obviously is in 
the information sharing and coming to terms with what 
information is needed to share to carry out the protective 
function.
    Mr. Tonko. And according to your testimony, next month we 
are expecting reports about the potential incentives designed 
to increase participation in the framework program. Aside from 
liability protection, which was considered in the House as 
cyber legislation, and I think demanded by industry, what types 
of incentives are possible? Which of these will need 
legislation perhaps to implement and which can be done right 
away?
    Dr. Gallagher. So what we are seeing in the RFI process 
includes a broad range of incentives. Some would absolutely 
require legislative action to occur. Those are things like 
liability protection, supporting reinsurance markets and how 
does that work. Looking at tax incentives potentially to 
support some of the capital investments to upgrade 
cybersecurity performance including, in some cases, supporting 
grant programs for promoting innovation, some of the R&D 
activities related to promoting good cybersecurity. Other areas 
appear to fall within existing authorities, and that would be 
things like alignment, do you create procurement preferences in 
the federal government that would support the adoption of the 
framework. In some cases, things were proposed that would not 
be a good idea and so I think the report will be very useful in 
particular to Congress as it considers this continuing question 
about how do you promote industry's work to do the right thing 
on cybersecurity and eliminate barriers and support adoption.
    Mr. Tonko. Thank you. And 150 of the 244 responses to 
NIST's request for information discuss the workforce's cyber 
capabilities. We obviously have to recognize this workforce 
will be a vital and growing contributor to our economy in the 
future. It is not hard to imagine the need for constant 
training. So what types of education, training and research 
opportunities can we invest in to ensure that the private 
sector has access to the highly skilled personnel necessary to 
implement and maintain some rigorous cybersecurity standards?
    Dr. Gallagher. I think this is going to continue to be an 
area that we will have to work on aggressively. So outside of 
the framework process, NIST was asked to be an interagency 
coordinator, if you will, on interagency efforts to look at 
cybersecurity education across the federal government, and it 
basically has three broad approaches. One is promoting 
widespread cybersecurity awareness to the public--very 
important because they are interacting with this infrastructure 
as well. The other one is promoting interest in those that 
would elect to take this direction as a career, so that is, do 
we have the cadre of talented people moving in this direction 
who would see cybersecurity as a place where they can 
contribute and have a worthwhile career. And then the final 
piece is for somebody who has made that decision, can they get 
the appropriate education and workforce-specific training where 
they can contribute by the way both federal and non-federal, so 
we have worked with a lot of outside stakeholders.
    When you have those three pillars, there is a pretty broad 
range of activities. Some are awareness campaigns and some are 
looking at working with leading universities. In fact, NSA and 
DHS have played a leading role in that space working with 
universities to accredit cybersecurity education, and in the 
middle that promoting interests are some of the things that are 
being done in high schools and middle schools trying to promote 
broader interest in cybersecurity and the roles that some of 
the career possibilities that are there for folks at that 
formative period of time.
    Mr. Tonko. Thank you very much, Dr. Gallagher, and with 
that, Madam Chair, I yield back.
    Mrs. Blackburn. The gentleman yields back. Mr. Lance, you 
are recognized for 5 minutes.
    Mr. Lance. I waive.
    Mrs. Blackburn. Mr. Lance waives. Mr. Cassidy is gone. Mr. 
Olson for 5 minutes.
    Mr. Olson. Thank you, Madam Chair, and thank you, Dr. 
Gallagher, for being here this morning.
    Cybersecurity is very important to my home district, 
Houston, Texas. Obviously we are the energy capital of the 
world. We have the world's largest petrochemical complex lining 
the 15-mile-plus Houston ship channel, which serves the Port of 
Galveston, the Port of Texas City, the Bayport Container 
Terminal and the Port of Houston. We have a massive pipeline 
infrastructure which supports that petrochemical industry. We 
have two nuclear reactors 90 miles away down in Bay City, 
Texas. We are about to become the third largest city in terms 
of population. Sorry to my colleagues from Chicago, but those 
are the facts.
    So my point is, lots of damage can be done to America in 
terms of dollars to our economy, in terms of lives by cyber 
attacks in Houston, Texas, and as we know, one of the most 
important ways to combat cyber attacks is for companies and the 
federal government to work together to combat cyber attacks 
through robust information sharing, and that is why I voted for 
the Cyber Information Sharing and Protection Act last month 
because, as you know, the information-sharing process 
authorized by CISPA is completely voluntary, only ones and 
zeros, binary code, if my degree from Rice from 1985 in 
computer science is still relevant. No personally identified 
information will be exchanged between the private sector and 
the federal government. The House has done its job, and that is 
why I am encouraged by the Administration's commitment to a 
voluntary process that solicits input from industry to create 
the cybersecurity framework.
    My question is, as you know, cyber attackers adapt quickly 
with new attack methods almost overnight. How does the 
Administration and NIST plan to balance any additional 
regulatory requirements with the need for industries to remain 
flexible and be able to adapt to the changing cybersecurity 
environment?
    Dr. Gallagher. Well, one specific example I can give to 
that is something that you have probably heard quite a bit, 
which is the response capability for IT systems has to become 
quicker. In essence, we have to fully automate a lot of this 
response. It has to move at the speed of computation rather 
than human speed, and that in some sense is a policy issue. A 
lot of the information-sharing debate is around that, how do we 
enable that flow of signatures and key information to enable 
that, and some of that is the underlying technology. If I 
receive that threat information and I am a system operator, how 
do I deploy that automatically? And so NIST has been working 
with industry on developing security automation tools and 
protocols that can be deployed and can be used within their 
systems and can provide an interoperability between different 
vendors of software and different vendors of IT equipment to 
enable share of cybersecurity-specific information across these 
platforms. So we are trying to support what I think is going to 
be a movement towards full-scale automation of a large amount 
of the cybersecurity activity.
    Mr. Olson. Thank you. I yield back the balance of my time.
    Mrs. Blackburn. The gentleman yields back. Ms. Matsui, you 
are recognized for 5 minutes.
    Ms. Matsui. Thank you very much, and I would like to 
welcome Dr. Gallagher here. Cybersecurity is both a national 
and economic security issue, and I believe that industry and 
government must be partners in addressing our Nation's cyber 
threats. It is not a one-way street, and I believe the 
Administration's Executive order was a good first step but more 
will need to be done.
    Last October, I wrote to the White House urging them to 
consider the implications of including interactive computer 
services such as search engines and social networking 
platforms. I believe the Executive order got it right and made 
it clear that there is a fundamental difference between 
networks that manage infrastructure critical to public safety 
and those that provide digital goods and services to the 
public.
    Dr. Gallagher, how should federal agencies ensure that any 
sector-specific cybersecurity standards required under the 
cybersecurity framework are not imposed on non-critical 
infrastructure?
    Dr. Gallagher. Well, as I said, I believe the question of 
imposition is going to be one that largely falls to Congress 
and, you know, those agencies with sector-specific 
responsibilities. I actually view this almost in reverse, which 
is the actions we are taking to work with this broad collection 
of companies and interests to develop a set of general 
practices for cybersecurity performance may in fact be usable, 
in fact, cost-effectively usable, very broadly, in fact, maybe 
in areas outside of the specific critical infrastructure. So it 
could very well be that companies that are in media and other 
areas would now find it easier to buy secure equipment and 
secure software and lower vulnerability. This would be, in my 
view, a win. So without imposing any requirement, we still get 
the benefit of improved security performance.
    Ms. Matsui. OK. Now, how will the Executive order and the 
cybersecurity framework assist federal agencies in enabling 
more uniform security measures across all government-operated 
data centers?
    Dr. Gallagher. So this is part of the discussion that we 
have been working on pretty actively very recently, which is, 
how do we get the federal agencies to align to this framework 
process. I think if the private sector is going to go to all 
this trouble in developing this high-performance cybersecurity 
baseline, then I think the federal government should leverage 
that for a number of reasons. One is, it will be a high-
performing platform to use that as a baseline for any 
additional requirements that it would have internally, and also 
it helps achieve market scale. In other words, some of the 
government procurement now becomes supportive of helping the 
companies drive adoption.
    Ms. Matsui. OK. That is good.
    Dr. Gallagher. So I don't think we have any answers to that 
yet but that is certainly something we are actively discussing 
right now.
    Ms. Matsui. OK. Now, with the electricity subsector already 
subject to mandatory and enforceable cybersecurity standards, 
how is NIST working to ensure that the framework will include 
these existing standards?
    Dr. Gallagher. Well, what we have done is, we have invited 
those entities in from the beginning. So in fact, in the case 
of the electricity sector, that is fairly straightforward 
because in fact we are modeling a lot of this effort after the 
interaction we have had with that sector in smart grid. So we 
have well-established relationships with those companies, with 
those regulators, with those industry associations, and we have 
in fact not only invited them into the process but suggested 
that they, like other high-performing sectors, put their 
practices on the table as best practices for consideration 
under the framework.
    Ms. Matsui. OK. Now, another topic I would like to raise is 
securing the cloud. I am pleased that the Administration 
continues to pursue its Cloud First policy and is adopting 
cloud technologies to make the federal government more 
efficient and effective. Now, most government agencies are now 
adopting these cloud services. What kind of cyber protections 
and threats and what kinds of challenges do you foresee as the 
government continues to adopt cloud services?
    Dr. Gallagher. So in the case of government adoption of 
cloud, almost more than the technological challenges of dealing 
with this are that cloud in some sense breaks policy. 
Government-used policy for IT is based on the assumption that 
we are the owner/operators, that this is an enterprise system 
within our agencies and we manage and configure and control all 
of these assets. Cloud changes that because many of these 
assets now are provided via contract; they are services. And 
that shift now creates a challenge, which is, how do I meet my 
responsibilities as an agency head to protect my IT systems 
when my relationship with those that are operating that 
equipment or holding my data or running my applications has 
evolved. And so what we have been trying to do is work with a 
process where the cloud community, the companies and cloud 
service providers, are working with the CIOs from across the 
federal government and basically mapping out the different use 
cases, very specific use cases where we can take a government 
application, expose the requirements that those agencies have 
to meet, and then turn to the business community and say how do 
you help us ensure that we meet those requirements in this new 
space. So that is leading to a pretty robust process where some 
of the more straightforward areas we have been able to be early 
adopters. Some of the more challenging areas, at least we have 
identified the specific things we have to work on if we are 
going to go there.
    Ms. Matsui. OK. Thank you. I see my time is up. Thank you.
    Mrs. Blackburn. The gentlelady yields back. Mr. McKinley, 
you are recognized for 5 minutes.
    Mr. McKinley. Thank you, Madam Chairman.
    Dr. Gallagher, you may or may not be familiar. In West 
Virginia in the Fairmont area on that I-79 corridor, there is a 
consortium of about 50 different firms that are very much 
involved called the West Virginia High Technology Consortium. 
This issue is probably one of the most important issues facing 
them, so as a personal privilege, I am asking if we can get 
someone from Commerce to come sit down and talk to them about 
this because it is by far one of the most important issues 
other than perhaps sequestration.
    Dr. Gallagher. We would be happy to.
    Mr. McKinley. We got a few questions from some of them, and 
I would like to share that. One was, what is the percentage of 
industry that should be represented as a minimum to ensure that 
these initiatives have been successful?
    Dr. Gallagher. So I frankly haven't approached this from 
what fraction have to be involved in the development process. 
In the normal industry-led consensus process, you often don't 
get high penetration where the majority of companies are 
involved. But those that have key technology and key drivers, 
the question is making sure that the standards aren't shaped 
without having the right ideas around the room. I think the 
more important test for success is at the other end, which is 
what is the level of adoption. If these are really useful, if 
these are aligned with business practices and if these are 
high-performance, good cybersecurity practices and we don't see 
widespread adoption, that will be something I worry about.
    Mr. McKinley. I guess as an engineer, I always like the 
metrics. I want to see how the metrics work. I know under 
Section 2, it defines from a 30,000-foot elevation what the 
definition of critical infrastructure, but down where you and I 
are on the ground, who is actually going to make those calls? 
What encompasses critical infrastructure?
    Dr. Gallagher. I believe in the Executive order, that 
decision is made by the Department of Homeland Security. I know 
it is not NIST. And I believe it is based on determination 
under that operational definition that is given early in the 
Executive order. That determination is basically for purposes 
of supporting participation in the voluntary program.
    Mr. McKinley. And then in the Executive order, there is 
what is called the greatest risk list. That is interesting. 
Given all the discussion here in Washington lately about lists, 
who is going to be maintaining that list and following up with 
that list and who is going to be implementing based on that 
list?
    Dr. Gallagher. I am not an expert on the list but my 
understanding is, that is Department of Homeland Security 
responsibility and it is to assist them in prioritizing in a 
risk-based fashion, so if they are going to be taking risk-
based actions, they are trying to conform themselves of what 
would be the highest risk from industry so they can 
appropriately prioritize. But I would have to couch with that, 
you should double-check that with the Department of Homeland 
Security.
    Mr. McKinley. Thank you very much. I do hope that we will 
see you at the high-tech foundation where we can all get 
together and see if we can put to rest some of their concerns. 
When you are talking about 50 firms, probably as many as 50 
firms all interacting, it is very much of a concern how much is 
their exposure.
    Dr. Gallagher. One of the great things we don't have to 
worry about here is the companies not being behind this. They, 
I think, understand more than anyone how critically important 
this is, and that is probably our biggest ally in this entire 
effort.
    Mr. McKinley. Thank you very much. Madam Chairman, I yield 
back the balance of my time.
    Mrs. Blackburn. The gentleman yields back. Ms. Schakowsky, 
you are recognized for 5 minutes.
    Ms. Schakowsky. Thank you, Dr. Gallagher. I am trying to 
understand how the framework interfaces with the CISPA 
legislation. You know, there were some of us including the 
White House who felt that there were some deficiencies in the 
bill as it was voted on in the House, particularly dealing with 
reasonable efforts on the part of the companies, which of 
course we want to voluntarily comply, but in making sure that 
personally identifiable information wasn't shared among each 
other or with the federal government, and actually at the time 
when we were holding hearings in the Intelligence Committee, 
Paul Smoker from the Financial Services Roundtable argued that 
companies should be responsible for minimization, stating, 
``The provider of the information is in the best position to 
anonymize it,'' and then there was also a question of John 
Engler, President of the Business Roundtable, if he thought it 
was too much of a burden to ask the private sector to ``take 
reasonable steps where reasonable steps can be taken'' to 
minimize information, and Engler replied, ``No, I think it's 
reasonable. I think it's exactly fine.'' So that was one of the 
issues that raised in the SAP, the statement recommending a 
veto of the legislation, and the other was the broad immunity 
provision that was given. Is the framework consistent with what 
the White House has said about CISPA? Is it different? If you 
could explain that?
    Dr. Gallagher. So the way I understand it, of course, 
nobody is in disagreement that we have to enable information 
sharing. So the debate about CISPA in some ways are technical 
issues about how do you appropriately limit the scope of the 
information that is being shared, and the scope of the 
liability protection, and I leave that to the experts. What the 
framework does is in some ways enable that information sharing. 
In other words, if you receive threat information through 
information sharing, can you act on it, how do you deploy that 
protection through your system. In some ways, the framework may 
provide an answer to this question of cost-effectiveness of 
some of the things like minimization. If it is costly now for a 
smaller company to minimize information, it could very well be 
that through the framework process, we identify some technical 
means that are embedded in the technology that are supportive 
of this. So I think it is not that the framework depends on 
compatibility with CISPA or with the Administration position 
but it is related to information sharing in the sense that the 
adaptive part of cybersecurity, taking new threat information 
and being able to act on it, is a key part of the performance 
level we need to have. Hopefully the framework can provide some 
technical assistance in that as it goes forward, and it will be 
nice because that technology assistance will be coming directly 
from the industries that have to put it into practice.
    Ms. Schakowsky. I thank you for that, and I yield back.
    Mrs. Blackburn. The gentlelady yields back. Mr. Griffith, 5 
minutes.
    Mr. Griffith. Thank you.
    I appreciate you being here today, and obviously we are all 
trying to struggle through some concerns about privacy and 
appropriateness and when the government should be looking and 
when they shouldn't. But I think most of those questions you 
have already answered, and so I am willing to yield back, Madam 
Chair.
    Mrs. Blackburn. The gentleman yields back. Mr. Rush, you 
are recognized for 5 minutes.
    Mr. Rush. I want to thank you, Madam Chairman, and some of 
these questions may have been asked and answered already, but I 
think I have a different kind of slant on it.
    The Department of Homeland Security, nothing that cyber 
attacks against federal agencies increased 782 percent between 
2006 and 2012 for 48,562 separate incidents reported in 2012 
alone, and a number of experts have estimated that the economic 
impact from cyber crime to be in the billions of dollars each 
and every year, and we know that here in the United States, our 
most critical infrastructure including the electric grid, oil 
pipelines, communications networks and financial institutions, 
all are vulnerable to manipulation or attack by malicious 
actors who use technology in all parts of the world, and my 
constituents are as alarmed as most of America is about it. So 
are you confident that NIST has all the tools and the authority 
it needs to successfully implement cybersecurity framework in 
order to minimize and mitigate the risks of attack on the 
digital infrastructure?
    Dr. Gallagher. I think if the responsibility fell solely on 
our shoulders, my answer would be absolutely not. I would not 
believe we would have the capacity. But the approach we have 
taken is to actually get behind an industry-led effort. And so 
since so much of the capacity and the know-how and the 
expertise and the technology and the leadership comes from 
industry, and our role is to convene and support that effort, I 
am quite comfortable that we can do that.
    Mr. Rush. So this alliance of industry, are you satisfied 
with the level of participation and the level of concrete 
outcomes so as to prevent organized cyber attack?
    Dr. Gallagher. I am in fact very satisfied. My biggest 
concern when the Executive order process was announced was, 
would the concerns over potential regulation later, which has 
been part of the public debate, basically result in companies 
electing not to participate in the framework process. That de 
facto boycott would have been devastating. That would have been 
a failure of this entire process. And in fact, the opposite has 
happened. I would say there has been a very strong tipping-in 
effect. Companies, I think, have fully appreciated that letting 
them drive this process and own it and run it at market scale 
has enormous advantages, and I have been gratified, and I think 
the origin of any optimism I have here is based on the fact 
that we have so many leading companies participating in this 
effort. It is going to make all the difference.
    Mr. Rush. I don't know of anything that I can think of that 
doesn't have challenges, and what are the challenges that this 
framework faces and what are some of the challenges that NIST 
faces?
    Dr. Gallagher. I would agree. In fact, the sign of maturity 
that you should look for in a couple months is that we are up 
to our eyeballs in challenges. That means that this has become 
very real. I think there is going to be lots of them. At the 
very highest level, I think the challenge I am most interested 
to see how to resolve is the integration of cybersecurity into 
the business practices of these entities. This can't be a bolt-
on, add-on activity that companies do. It has to be embedded in 
what they do, and that means integration with the risk 
management that they do, with their business functions, with 
their costs. It has got to be good business to do good 
cybersecurity, and I think that is going to raise a number of 
interesting challenges. Some of those may touch on the 
incentive discussions that we have already had. But I think 
that among what will certainly be a long list of technical 
challenges and areas where we just have to do better and find 
better solutions.
    Mr. Rush. Thank you, Madam Chair.
    Mrs. Blackburn. The gentleman yields back. Mr. Johnson, you 
are recognized for 5 minutes.
    Mr. Johnson. Thank you, Madam Chair. First of all, thank 
you, Dr. Gallagher, for being here today. I don't really have 
any questions but just a brief comment.
    I spent nearly 30 years of my professional career in 
information technology, and I certainly understand the 
challenges that we face with cybersecurity. There are those 
that will always be out there that because they can, some of 
them for no other reason than that, try to wreak havoc and 
disrupt our networks. Some have a much more malicious intent in 
stealing information that doesn't belong to them, taking down 
our capabilities and so forth. So I am grateful to be serving 
on a committee here that takes this issue very, very seriously 
because I think it is indeed a very, very serious issue and I 
look forward to working with my colleagues and the 
Administration to make sure that we do the right things, and 
with that, Madam Chair, I will yield back.
    Mrs. Blackburn. The gentleman yields back. Chairman Pitts?
    Mr. Pitts. I will waive.
    Mrs. Blackburn. The chairman waives. Mr. Harper?
    Mr. Harper. Thank you, Madam Chair, and Dr. Gallagher, 
thank you taking the time. You can see by the attendance in 
here, this is a very important subject, and we appreciate your 
insight today.
    I am blessed to have a great university in my congressional 
district, Mississippi State University, which is designated as 
a National Center of Academic Excellence by the National 
Security Agency and the Department of Homeland Security in 
information assurance education. So my question is, what has 
academia's role been in the formulation of cybersecurity 
framework, and do you see that role expanding?
    Dr. Gallagher. I do, and I think that it is going to draw 
on the two great strengths of academia. I think on one hand it 
is the education of our youth and providing the knowledge base 
and the talent and the expertise to address this. This is not 
an easy thing, and it is going to need our best and brightest 
minds on it. And the other area is actually in the research 
function of our universities. I think we don't have all the 
answers. I think there is areas where the technology can do 
better, and I think we count on them to come up with those 
breakthrough ideas that will make this all a much more 
addressable problem. So I think it is going to draw on their 
two core strengths.
    Mr. Harper. Thank you, Dr. Gallagher, and with that, I 
yield back, Madam Chair.
    Mrs. Blackburn. The gentleman yields back, and Dr. 
Gallagher, that concludes our questioning for today. You have 
been very patient, and it will conclude our first panel, but 
before you go, I have to tell you, you mentioned for your 
workshops, you have said southern California and Pittsburgh. 
Nashville, it ought to be on that list. We would appreciate 
that. And we will go into recess for a moment while we set the 
second panel.
    [Recess.]
    Mrs. Blackburn. At this time we are ready to begin our 
second panel. I thank you all for moving quickly into your 
spots so that we can move forward. We welcome our second panel: 
Mr. Dave McCurdy, President and CEO of the American Gas 
Association; Mr. John McConnell, Vice Chairman of Booz Allen 
Hamilton and former Director of National Intelligence; 
Ambassador James Woolsey, Chairman of Woolsey Partners and 
former Director of Central Intelligence; Mr. Mike Papay, the 
Chief Information Security Officer and Vice President for Cyber 
Initiatives at Northrop Grumman; Dr. Phyllis Schneck, Vice 
President and Chief Technology Officer, Global Public Sector 
for McAfee. And I yield to Mr. Lance for the next brief 
introduction.
    Mr. Lance. Thank you, Madam Chair. I have the honor of 
introducing Charles Blauner from Citi, who is the head of 
information security for that great company, and he has 
extensive experience in both New York and London, and he is a 
resident of the district that I serve. He lives in Basking 
Ridge, Bernards Township, Somerset County, New Jersey. Thank 
you, Madam Chair.
    Mrs. Blackburn. The gentleman yields back, and we continue 
with Mr. Duane Highley, the President and CEO of Arkansas 
Electric Cooperative Corporation. Mr. Highley is appearing on 
behalf of the National Rural Electric Cooperative Association. 
And Mr. Robert Mayer, the VP of Industry and State Affairs at 
the United States Telecom Association. You all sound like the 
cast of characters in a sci-fi movie, and we are delighted that 
you all are here. Mr. McCurdy, we begin with you for 5 minutes 
of testimony to summarize.

 STATEMENTS OF HON. DAVE MCCURDY, PRESIDENT AND CEO, AMERICAN 
GAS ASSOCIATION, AND FORMER CHAIRMAN OF THE HOUSE INTELLIGENCE 
COMMITTEE; JOHN M. (MIKE) MCCONNELL, VICE CHAIRMAN, BOOZ ALLEN 
    HAMILTON, AND FORMER DIRECTOR OF NATIONAL INTELLIGENCE; 
 AMBASSADOR R. JAMES WOOLSEY, CHAIRMAN, WOOLSEY PARTNERS LLC, 
AND FORMER DIRECTOR OF CENTRAL INTELLIGENCE; DR. MICHAEL PAPAY, 
VICE PRESIDENT AND CHIEF INFORMATION SECURITY OFFICER, NORTHROP 
    GRUMMAN INFORMATION SYSTEMS; DR. PHYLLIS SCHNECK, VICE 
 PRESIDENT AND CHIEF TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR, 
   MCAFEE, INC.; CHARLES BLAUNER, GLOBAL HEAD OF INFORMATION 
 SECURITY, CITIGROUP, INC., ON BEHALF OF THE AMERICAN BANKERS 
    ASSOCIATION; DUANE HIGHLEY, PRESIDENT AND CEO, ARKANSAS 
  ELECTRIC COOPERATIVE CORPORATION, ON BEHALF OF THE NATIONAL 
RURAL ELECTRIC COOPERATIVE ASSOCIATION; AND ROBERT MAYER, VICE 
 PRESIDENT, INDUSTRY AND STATE AFFAIRS, UNITED STATES TELECOM 
                          ASSOCIATION

                   STATEMENT OF DAVE MCCURDY

    Mr. McCurdy. Thank you, Madam Chair, and thank the ranking 
member as well for the opportunity to be here. I am Dave 
McCurdy, President and CEO of the American Gas Association, and 
also relevant to this hearing, I am a former chairman of the 
House Intelligence Committee in this body, and just to start 
off, thank you for your comments earlier about Moore, Oklahoma, 
which was in my district as well years ago.
    AGA represents over 200 local gas companies that deliver 
natural gas to more than 71 million U.S. residential, 
commercial, and industrial gas customers. AGA is an advocate 
for local natural gas utility companies and provides a range of 
programs to natural gas pipelines, marketers, gatherers and 
industry associates. Natural gas is the foundation fuel for a 
clean and secure energy future, providing benefits for the 
economy, our environment and our energy security.
    Alongside the economic and environmental opportunity 
natural gas offers comes a responsibility to protect its 
distribution pipeline systems from cyber attacks. Web-based 
tools have made natural gas utilities more cost-effective, 
safer and better able to serve our customers. However, the 
opportunity costs of a more connected industry is that we have 
become a target for sophisticated cyber terrorists. This said, 
natural gas utilities are meeting the threat daily via skilled 
personnel, a commitment to security, and the cybersecurity 
partnership with the federal government.
    This government-private partnership in cybersecurity 
management is critical for us. Our utilities deliver and our 
systems are the safest energy delivery system in the world. 
This said, industry operators recognize there are cyber 
vulnerabilities with employing web-based applications for 
industrial control and business operating systems. Because of 
this, gas utilities adhere to myriad cybersecurity standards 
and participate in an array of cybersecurity initiatives. 
However, the industry's leading cybersecurity tool is a 
longstanding cybersecurity information-sharing partnership with 
the federal government. Natural gas utilities work with 
government at every level to detect and mitigate cyber attacks, 
in particular, AGA members with the Transportation Security 
Administration, Pipeline Security Division of TSA, the agency 
tasked with overseeing distribution pipeline cybersecurity. In 
addition, gas utilities collaborate with ICS-CERT on 
cybersecurity awareness, detection and mitigation programs. 
Simply put, TSA and ICS-CERT understand cyber threats, natural 
gas utilities understand their operations, and we work together 
to protect critical infrastructure.
    AGA's perspective in this is that since the Executive 
order's impact on gas utility cybersecurity could be 
significant, we participated on the Executive order's cyber 
dependent infrastructure identification, cybersecurity 
framework collaboration, and the incentive working groups. In 
addition, AGA chairs the Cybersecurity Working Group of the Oil 
and Natural Gas Pipeline and Chemical Sector Coordinating 
Council, a panel established to address Executive order 
activities, and if I could, Madam Chair, in response to the 
questions from the committee make just a couple quick 
observations.
    Clearly, there is certain disagreement within sector-
specific agencies about whether natural gas facilities should 
be considered critical cyber dependent, cyber dependent being 
the word infrastructure. For natural gas entities which answer 
to multiple federal agencies, this uncertainty is unsettling. 
Regardless of the ultimate answer, we hope that the 
Infrastructure Identification Working Group will decide this 
question in an open and collaborative fashion.
    With regard to Dr. Gallagher's testimony on the NIST 
cybersecurity framework, at present the NIST cybersecurity 
framework development process appears headed in the proper 
direction. This said, natural gas utilities have some general 
concerns. First, the framework development process could 
benefit from more consideration of existing cybersecurity 
standards, including TSA standards applicable to gas utilities. 
In addition, framework provisions must be flexible and not 
morph into regulations, which will quickly become outdated due 
to an ever-changing cyber threat landscape. And finally, the 
framework must be flexible enough to allow companies to tailor 
cybersecurity systems to their own operational needs. And 
third, the Executive order directs DHS to help develop 
incentives that will spur industry adoption of the NIST 
framework. However, most of the proposed incentives put forth 
so far are little more than government services like enhanced 
cybersecurity support that in fact should be in any 
cybersecurity program. The fact is, absent new statutory 
authority to provide meaningful incentives like information 
safe harbors and cybersecurity liability protections, the 
government is limited in what it can do to entice 
participation. Industry would be better served via reinforced 
support for federal programs that provide training, onsite 
cybersecurity evaluations and system compromise support.
    And lastly, Madam Chair, the case for cybersecurity 
legislation or CISPA, ultimately AGA does believe there is a 
role for cybersecurity legislation to help counter cyber 
attacks and protect networks against future incursions, 
critical infrastructure needs, government to help identify, 
block and/or eliminate cyber threats. Harnessing the 
cybersecurity capabilities of the government intelligence 
community, so my colleagues, former colleagues on my left here, 
on behalf of the private sector and networks will go a long way 
towards overall network security. AGA supports----
    Mrs. Blackburn. Mr. McCurdy, please sum up.
    Mr. McCurdy. AGA supports the recently passed legislation 
and urges the Senate to follow suit, and we thank you for the 
opportunity to testify and will answer questions.
    [The prepared statement of Mr. McCurdy follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.007
    
    [GRAPHIC] [TIFF OMITTED] 82197.008
    
    [GRAPHIC] [TIFF OMITTED] 82197.009
    
    [GRAPHIC] [TIFF OMITTED] 82197.010
    
    [GRAPHIC] [TIFF OMITTED] 82197.011
    
    [GRAPHIC] [TIFF OMITTED] 82197.012
    
    [GRAPHIC] [TIFF OMITTED] 82197.013
    
    [GRAPHIC] [TIFF OMITTED] 82197.014
    
    [GRAPHIC] [TIFF OMITTED] 82197.015
    
    [GRAPHIC] [TIFF OMITTED] 82197.016
    
    [GRAPHIC] [TIFF OMITTED] 82197.017
    
    [GRAPHIC] [TIFF OMITTED] 82197.018
    
    [GRAPHIC] [TIFF OMITTED] 82197.019
    
    [GRAPHIC] [TIFF OMITTED] 82197.020
    
    Mrs. Blackburn. Thank you.
    Mr. McConnell, you are recognized for 5 minutes, and as a 
reminder, you have the timers in front of you.

             STATEMENT OF JOHN M. (MIKE) MCCONNELL

    Mr. McConnell. Thank you, Madam Chairman. I want to first 
of all make the point that I am speaking as a citizen. I do not 
represent any company or organization.
    I have one main point to make to the committee. Legislation 
is required. Legislation is required. If we don't have it, we 
will not solve this problem. Now, the debate will be whether 
you incentivize participation by the private sector or you 
compel. That is something that Congress will have to debate.
    I have four main points to make. The government produces 
unique information. That is the community that I come from, 
unique information. It is not produced anywhere else in the 
world inside the United States. It is code breaking, it is 
intelligence, it is understanding threats before they happen. 
We must determine a way to share the information with the 
private sector. That means we have to change the rules. That is 
a requirement that will only be achieved through legislation.
    The second point I would make is, we must establish 
cybersecurity standards. They must be able to evolve and they 
must be dynamic. That will give us two choices to make: do you 
incentivize, as discussed earlier in the first panel, or do you 
compel. That is going to be a decision that this Congress will 
have to wrestle with, but one way or the other, we must have 
those standards. We also must finally address the privacy 
concerns, and I have fingerprints over a bill called FISA, 
Foreign Intelligence Surveillance Act. So the congressional 
record will show the 2-year debate, actually 3 years--I was 
only involved for 2 years--to get that to closure. The issue 
is, we must be able to do the intelligence mission of the 
country while protecting the privacy and civil liberties of our 
citizens. I have a single recommendation: put it in law what 
you don't want to happen, and the community will react to that 
law because we are a nation of laws. It is the responsibility 
of the Congress to oversee and ensure that that law is complied 
with.
    Now, the debate will be, is screening traffic coming in 
through an international gateway for malware, is that reading a 
citizen's mail. That will be the debate. You will have to 
wrestle with that question to get it resolved because today the 
Chinese, because they are clumsy and because they have a policy 
of building cyber tools for warfare but they have a policy of 
economic espionage, they are stealing the intellectual 
lifeblood of this country. We have to deal with that, and we 
strip out that malware at the international gateway. 
Fortunately for us, the Iranians, because they are hammering 
U.S. banks with denial-of-service attacks, are causing the 
Nation to focus on this issue. I have been focused on it for 20 
years. We are finally getting to a point of addressing it. It 
will require legislation. Thank you for your time.
    [The prepared statement of Mr. McConnell follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.021
    
    [GRAPHIC] [TIFF OMITTED] 82197.022
    
    [GRAPHIC] [TIFF OMITTED] 82197.023
    
    [GRAPHIC] [TIFF OMITTED] 82197.076
    
    [GRAPHIC] [TIFF OMITTED] 82197.077
    
    [GRAPHIC] [TIFF OMITTED] 82197.078
    
    [GRAPHIC] [TIFF OMITTED] 82197.079
    
    [GRAPHIC] [TIFF OMITTED] 82197.080
    
    [GRAPHIC] [TIFF OMITTED] 82197.081
    
    [GRAPHIC] [TIFF OMITTED] 82197.082
    
    [GRAPHIC] [TIFF OMITTED] 82197.083
    
    [GRAPHIC] [TIFF OMITTED] 82197.084
    
    [GRAPHIC] [TIFF OMITTED] 82197.085
    
    [GRAPHIC] [TIFF OMITTED] 82197.086
    
    [GRAPHIC] [TIFF OMITTED] 82197.087
    
    [GRAPHIC] [TIFF OMITTED] 82197.088
    
    Mrs. Blackburn. Thank you, Mr. McConnell.
    Ambassador Woolsey, you are recognized for 5 minutes.

                 STATEMENT OF R. JAMES WOOLSEY

    Mr. Woolsey. Thank you, Madam Chairman. I am going to talk 
about a little different kind of cyber than normally comes into 
the picture. Congressman Burgess referred earlier to Dr. Peter 
Pry's and my op-ed in the Wall Street Journal this morning on 
this subject.
    It has to do with electromagnetic pulse. We don't get to 
define ourselves the problems we want to deal with and ignore 
them because they don't fit into some bureaucratic category of 
ours. Both Russia and China as well as North Korea and Iran 
include the use of electromagnetic pulse against our 
infrastructure as part of information warfare and cyber 
warfare, and they are working hard at it.
    Electromagnetic pulse may hit the world, the United States 
and other parts of it, through solar activity, and some people 
focus principally on this called coronal mass ejections. It is 
essentially a huge solar storm, much better than anything we 
normally experience. It happens about once every 100 years, and 
we are somewhat overdue for one of these. These could have a 
very, very powerful effect on our electric grid. But insofar as 
we are talking about human activity, the basic problem is that 
a detonation of even a relatively small blast nuclear weapon 30 
kilometers or more above the United States, let us say on a 
warhead that is in orbit or one that is carried aloft even by a 
weather balloon, can seriously, very seriously damage and 
indeed destroy a substantial share of the electricity 
connections that hold together our electric grid. One estimate 
from the report of the commission to assess the threat to the 
United States of electromagnetic pulse, a congressional 
commission that reported in 2004 and in 2008, is that with a 
relatively low-level attack launched only by a weather balloon 
could take out approximately 70 percent of the country's 
electricity with a single blast.
    What is going on here is that gamma rays are one of the 
products of a nuclear detonation. We are all used to thinking 
of nuclear detonations as being more powerful and more damaging 
if there is a lot of blast because blast is what would be used 
to attack a specific target on the ground--a military 
installation, an ICBM silo or whatever. Electromagnetic pulse 
is different. It is something that occurs because of the gamma 
rays that are sent out by a nuclear detonation but an extremely 
effective electromagnetic pulse weapon could have a lot of 
radiation and very little blast--two, three, four single-digit 
blast efforts coupled with a lot of gamma rays and nuclear 
emanations of different kinds. What that produces, even if it 
as high as several hundred kilometers, is three waves of 
electromagnetic pulse, the first and third being the damaging 
ones, the first one attacking essentially all electronic 
connections, and the third one attacking the grid itself, 
particularly the transformers and the long-range transfer 
systems.
    The Chinese leading theorist on this subject, Chang 
Mengxiong, says that information war and traditional war have 
one thing in common, namely that the country which possesses a 
critical weapon such as atomic bombs will have first-strike 
capabilities. As soon as its computer networks come under 
attack and are destroyed, the country will slip into a state of 
paralysis and the lives of its people will ground to a halt. 
North Korea appears to be attempting to implement information 
warfare doctrine with electromagnetic pulse. In December of 
2012, it demonstrated that it had the capability to launch a 
satellite on a polar orbit circling the earth at an altitude of 
500 kilometers. That high, it is not entirely clear that we 
would be able to destroy that satellite essentially carrying a 
nuclear weapon in orbit. We have canceled all of our programs 
dealing with boost-phase or space-based defensive systems, and 
indeed, the Administration has not even requested any study 
money for this type of system, which would potentially have a 
substantial effect on this type of threat.
    I would urge--and finally, I see the time is over--I would 
urge that we not get bogged down in the issue of volunteerism 
versus government order. On something like this, we have to 
have a national policy and a national commander-in-chief, 
presumably the President, but with someone reporting to him who 
is in charge of dealing with this kind of threat. The taking 
out of our electric grid takes out all 17 other critical 
infrastructures. It takes out food, it takes out water, it 
takes out natural gas, it takes out practically everything you 
can think of. The casualty estimates for electromagnetic pulse 
attack in the congressional report are up in the range of two-
thirds of the country dying under such an attack because there 
would be after a very short period of time no food, no 
electricity, no water, etc.
    Mrs. Blackburn. Ambassador, if you would wrap up.
    Mr. Woolsey. The North Koreans have already tested both 
low-yield and we believe high-gamma-ray nuclear weapons. They 
have tested satellites, put a satellite in orbit. The Iranians 
have put three satellites in orbit and are in the process of 
working very hard on having a nuclear weapon. We could well 
within months have two rogue states who are capable of 
launching this type of attack against the United States as part 
of their information warfare cyber campaign.
    Thank you, Madam Chairman.
    [The prepared statement of Mr. Woolsey follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.024
    
    [GRAPHIC] [TIFF OMITTED] 82197.025
    
    [GRAPHIC] [TIFF OMITTED] 82197.026
    
    [GRAPHIC] [TIFF OMITTED] 82197.027
    
    [GRAPHIC] [TIFF OMITTED] 82197.028
    
    Mrs. Blackburn. And thank you.
    Dr. Papay for 5 minutes.

                   STATEMENT OF MICHAEL PAPAY

    Mr. Papay. Madam Chair and other members of the committee, 
Northrop Grumman appreciates the opportunity to discuss this 
critically important topic with you today. I am Mike Papay. I 
am the Chief Information Security Officer and Vice President 
for Cyber Initiatives for Northrop Grumman. That means I cover 
both the internal cyber business of Northrop Grumman as well as 
the external cyber strategy.
    Northrop Grumman is one of the leading cybersecurity 
providers to the federal government and has expansive and in-
depth knowledge, experience and expertise in these critical 
aspects of our Nation's technology framework. We build, supply 
and manage cyber solutions for customers that include the 
Department of Defense, intelligence communities, civilian 
agencies, international governments, state and local 
governments, and the private sector. Northrop Grumman is 
honored to be trusted with the challenge of protecting some of 
the world's most targeted systems.
    The Defense Industrial Base's information sharing program 
has demonstrated the benefits of industry-government 
collaboration. Northrop Grumman was a founding member of this 
groundbreaking framework. While this effort has demonstrated 
that public-private information sharing can yield many 
successes, we also learned that some of the toughest challenges 
are not technological but cultural and legal. Northrop Grumman 
was proud to announce last week that it will participate in the 
next-generation government-private sector information-sharing 
program, DHS's Enhanced Cybersecurity Services.
    Given our experience, Northrop Grumman very much 
appreciates the seriousness and urgency of the cyber threat. We 
do believe that the President's Executive order is an important 
step in the right direction, but the EO's ultimate success will 
be determined by the effectiveness of the individual agencies' 
efforts in implementing their assigned responsibilities. We 
appreciate the government's ongoing outreach to industry, and 
we recently actively engaged with NIST to support the 
development of its cybersecurity framework. However, the EO 
alone cannot address the full range of cybersecurity issues. 
Legislation is still required to facilitate and encourage 
companies to secure their own networks and break down the 
barriers to sharing cyber threat information.
    We applaud the House of Representatives' recent passage of 
cybersecurity legislation, especially the strong bipartisan 
vote in favor of the CISPA, which we hope will build momentum 
towards bills passing both chambers.
    Northrop Grumman is committed to utilizing our experience 
to support the development of successful cyber policies. We 
encourage legislation that improves the agility of the federal 
acquisition process to address rapidly evolving cyber threats, 
increases investments in cybersecurity technology and training 
of our current workforce, and supports the development of the 
next generation of scientists and engineers. We must be 
mindful, however, that our Nation's cybersecurity cannot be 
fixed with one law or policy change. Effective cybersecurity 
policies should be risk-based and as adaptable as the threat 
itself. These cyber efforts must also carefully balance civil 
liberties and greater security. These are not mutually 
exclusive goals. Indeed, if we do not strengthen our cyber 
defenses, we imperil the civil liberties that we hold dear.
    Please consider Northrop Grumman a resource. We look 
forward to working with Members of Congress on both sides of 
the aisle and the Administration to make our world safer and 
more secure.
    I look forward to answering any questions you might have.
    [The prepared statement of Mr. Papay follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.029
    
    [GRAPHIC] [TIFF OMITTED] 82197.030
    
    [GRAPHIC] [TIFF OMITTED] 82197.031
    
    [GRAPHIC] [TIFF OMITTED] 82197.032
    
    [GRAPHIC] [TIFF OMITTED] 82197.033
    
    [GRAPHIC] [TIFF OMITTED] 82197.034
    
    [GRAPHIC] [TIFF OMITTED] 82197.035
    
    Mrs. Blackburn. Thank you, Dr. Papay.
    Dr. Schneck, you are recognized for 5 minutes.

                  STATEMENT OF PHYLLIS SCHNECK

    Ms. Schneck. Good afternoon, and thank you, Vice Chairman 
and other members of the committee, and thank you very much on 
behalf of McAfee for the opportunity to testify here today.
    I am the Vice President and Global Chief Technology Officer 
for Public Sector for McAfee looking at how our products adapt 
to protect global government, federal, State and local, and 
critical infrastructure, and I also have the honor of vice 
chairing the Information Security and Privacy Advisory Board 
that reports up to this committee. So thank you very much for 
that.
    McAfee protects 160 million points of presence across the 
world, global cybersecurity products, largest peer placed 
security company on the planet, wholly owned subsidiary of the 
Intel Corporation with headquarters in Santa Clara, Plano, 
Texas, as well as our large labs operation in Oregon.
    I want to start in the spirit of this testimony with an 
anecdote of the attack called Night Dragon on February of 2011 
that McAfee led an investigation where we saw five oil and gas 
companies lose their oil exploration diagrams, all that 
intellectual property in a matter of weeks, and it was sent off 
to another country, and overnight as we put the whole story 
together, worked with our partners to share that information, 
worked with other companies, wanted to warn the sector, legal 
counsel came out in the middle of the night and said please 
don't, and they were deeply concerned at that point that if the 
stock prices of those companies affected and others throughout 
the sector dropped the next morning, McAfee would be liable. At 
the same night, I got an angry phone call from a high-ranking 
official in law enforcement very upset that we didn't share the 
information with him sooner. This is a position that we are all 
in at some time, and this is what we need to fix. We should 
never have to choose between protecting a sector, protecting 
our country versus legal liabilities. So in that spirit, I want 
to talk about two things, the science and policy, that I 
believe that we can use to fix this.
    First, culling one of many technologies because it pertains 
so directly to the energy sector. The cybersecurity community 
has evolved. Instead of what we call blacklisting or letting 
everything in and then looking very carefully to figure out 
what we think might be bad and trying to block it, we instead 
what we now call whitelisting: only let in the things that we 
know are good, only let instructions execute if we know that 
they are good, and as a wholly owned subsidiary of Intel, I can 
tell you that we can do that all the way to the chip at the 
hardware. But going and evolving to that technology is 
difficult, and I will explain why in a moment, but this 
technology has expanded our ability to protect components as a 
community of the electric grid, of the energy sector, and 
across critical infrastructure.
    The other piece is information sharing. We greatly applaud 
the efforts of NIST, of DHS, looking at how we partner 
together, public and private. We all see an enormous piece of 
this picture but it is not enough until we put it together. We 
all fight an adversary that is fast and loose, has no legal 
boundaries and can execute on a moment's notice with all the 
power in the world and all the money in the world. If we can 
take our information and share it and put that puzzle together, 
we regain the power of our electronic infrastructures. This is 
what they cannot do. If you think about really sharing 
information at light speed between machines, we call this 
security connected at McAfee, but if you when block something, 
you are able to instantly in milliseconds warn other components 
around you and around the network and take their warnings, that 
is golden. And between people, like what happened in Night 
Dragon, we want to be able to share that, and we need the 
protections to do so.
    The key here is the small to medium businesses that were 
mentioned earlier, over 99 percent of our business fabric, many 
of those in the energy sector. We are missing not only not 
being able to protect them--they are probably building the 
next-gen engine--but we are missing the information we get from 
that entire piece of the global business sector by not getting 
that information back in, and that partnership with NIST and 
with Homeland Security exemplifies the importance of global 
standards to do this. And I want to highlight the financial 
community, the financial sector, who has gone out and worked 
with NIST and DHS to build those global standards to be able to 
share, no matter what product you have to be able to share 
mathematical indicators, preserving civil liberties and just 
doing math on what might be dangerous coming toward you.
    How do we do this? With positive incentives. First off, 
driving by innovation. That whitelisting technology, our 
customers begged for that in the CIP requirements but it was 
mandated that they only use blacklisting, so for compliance so 
they wouldn't get penalized, they used a weaker form and were 
not as secure. Now 2 years later, because regulation moves so 
slowly, we are finally looking at getting whitelisting in there 
as an acceptable form of ``compliance.''
    The other piece: liability protections. Help us share. 
There is so much information we want to share, per previous 
testimony, be able to get information from the government, give 
information to the government and provide again that privacy, 
that civil liberties that makes our country so unique. We have 
to be able to do all this and we have to be able to get it 
right. This is the agility and the alacrity that today is only 
enjoyed by the cyber adversary. Today at 320 gigs per second on 
the finest routing equipment in the world, bad people are 
sending bad things to good infrastructure. This is our danger 
to the energy infrastructure. You could risk intellectual 
property theft. You could risk credential harvesting where 
people pretend to be you and access our infrastructure and 
effect negative change, and also of course destruction and the 
things that we see in the movies. Insurance provisions, tax 
provisions, all these other positive incentives help us drive 
the innovation to put our information together and to improve 
technology as fast as the adversary does to us.
    Thank you very much for requesting McAfee's views on these 
issues. I am happy to answer any questions.
    [The prepared statement of Ms. Schneck follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.036
    
    [GRAPHIC] [TIFF OMITTED] 82197.037
    
    [GRAPHIC] [TIFF OMITTED] 82197.038
    
    [GRAPHIC] [TIFF OMITTED] 82197.039
    
    [GRAPHIC] [TIFF OMITTED] 82197.040
    
    [GRAPHIC] [TIFF OMITTED] 82197.041
    
    [GRAPHIC] [TIFF OMITTED] 82197.042
    
    [GRAPHIC] [TIFF OMITTED] 82197.043
    
    [GRAPHIC] [TIFF OMITTED] 82197.044
    
    Mrs. Blackburn. Thank you.
    Mr. Blauner for 5 minutes.

                  STATEMENT OF CHARLES BLAUNER

    Mr. Blauner. Chairman Blackburn, Ranking Members, members 
of the committee, my name is Charles Blauner. I am the Global 
Head of Information Security for Citi, and I set the 
information security strategy for Citi. I am accountable for 
the information security risk posture across all of our lines 
of businesses, functions and regions. In addition, I serve as 
the Chairman of the Financial Service Sector Coordinating 
Council, also known as FSSCC, which coordinates protection of 
critical financial services infrastructure focusing on 
operational risks. I appreciate the opportunity to be here 
today to testify on behalf of the ABA.
    I would like to begin by commending the House for its 
recent passage of the Cyber Intelligence Sharing and Protection 
Act. This legislation, if enacted, will greatly facilitate 
information sharing regarding the serious threats to our 
Nation's critical infrastructures. We are also supportive of 
the Administration's Executive order, which provides important 
direction to both the public and private sector to enhance our 
Nation's cybersecurity protections.
    There are three key points I would like to highlight today. 
First, the public and private partnership between government 
and the financial services sector is critical to protecting 
firms against cyber threats, and we pledge to continue this 
collaboration to further our mutual goals. The most recent 
example of our collaboration is a unified response to the cyber 
attacks that have targeted the U.S. financial services sector 
since September 2012. This partnership, facilitated by the FS-
ISAC, or the Financial Services Information Sharing and 
Analysis Center, allows for real-time collaboration on measures 
to mitigate the attacks and provides a forum to request and 
acquire specific governmental technical assistance.
    Second, the ABA believes that the development and 
implementation of the NIST cybersecurity framework should 
leverage existing standards, regulations or processes. 
Financial institutions are already subject to significant 
federal and state law and regulations that emanate from the 
Gramm-Leach-Bliley Act of 1999. These requirements are 
substantially similar to those developed by NIST, and it is 
extremely important that the implementation of the NIST 
cybersecurity framework be leveraged and complementary to the 
existing audit and examination process. Otherwise we will end 
up with redundant audit requirements that become a compliance 
exercise and do absolutely nothing to enhance cybersecurity.
    Third, the ABA also believes that timely cross-sector 
information sharing is key to cybersecurity protection. While 
the existing mechanisms play a vital role in incident response 
coordination, improving and encouraging information sharing is 
essential to protecting the financial services sector and the 
Nation. It is of utmost importance to increase the volume, 
timeliness and quality of threat information shared by federal 
agencies, law enforcement and the U.S. intelligence community 
with the private sector so they may better protect themselves 
against cyber threats. Thus, we need our government partners to 
expedite the processing of security clearances and to 
declassify and more broadly disseminate threat information 
critical to enhancing our Nation's ability to protect itself 
from cyber threats.
    It is important to note that a key factor in the success of 
information sharing is trust, which takes years to develop. The 
ABA, the FS-ISAC and FSSCC have worked hard to develop trust 
between its members and public and private sector partners. We 
can't afford to dismantle that trust, and we will continue to 
develop trust and confidence now sharing efforts.
    The ABA also believes that foundational work needs to be 
done to share our goal of enhanced cybersecurity. The 
development of technical capabilities relies on robust research 
and development that can quickly yield new commercial products 
to protect individual firms and critical shared infrastructure. 
I would also like to note that these efforts, often supported 
by the resources of banks like Citi and other large financial 
firms, help create tools and defenses that help banks of all 
size cope with cyber threats. Beyond technical capabilities, 
the demand for skilled resources outstrips supply today. A 
coordinated effort is required to develop a skilled worker 
force as up to the task of defending us against today's and 
tomorrow's cyber threats.
    In conclusion, cybersecurity is top priority for banks and 
other financial services companies. We have invested an 
enormous amount of time, energy, and resource into placing the 
highest level of security, and we are subject to stringent 
regulatory requirements. We also look forward to continuing to 
work with Congress and the Administration towards our mutual 
goal of protecting our Nation's critical infrastructure.
    Thank you, and I would be happy to answer any questions you 
might have.
    [The prepared statement of Mr. Blauner follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.045
    
    [GRAPHIC] [TIFF OMITTED] 82197.046
    
    [GRAPHIC] [TIFF OMITTED] 82197.047
    
    [GRAPHIC] [TIFF OMITTED] 82197.048
    
    [GRAPHIC] [TIFF OMITTED] 82197.049
    
    [GRAPHIC] [TIFF OMITTED] 82197.050
    
    [GRAPHIC] [TIFF OMITTED] 82197.051
    
    [GRAPHIC] [TIFF OMITTED] 82197.052
    
    [GRAPHIC] [TIFF OMITTED] 82197.053
    
    [GRAPHIC] [TIFF OMITTED] 82197.054
    
    [GRAPHIC] [TIFF OMITTED] 82197.055
    
    Mrs. Blackburn. We thank you.
    Mr. Highley, you are recognized for 5 minutes.

                   STATEMENT OF DUANE HIGHLEY

    Mr. Highley. Thank you, Madam Chair, Ranking Member and 
members of the committee. Thank you for the invitation to 
testify today regarding the electric power sector's work on 
cybersecurity. I serve as President and CEO of Arkansas 
Electric Cooperative, which is a nonprofit power supply system 
serving 17 distribution systems who in turn serve about 1 
million Arkansans.
    Like other cooperative managers, I report to a 
democratically elected board representing the customers I 
serve. Cooperatives work for the members we serve, and that 
keeps us focused solely on their needs. The electric 
cooperatives of Arkansas are members of the National Rural 
Electric Cooperative Association, a service organization for 
over 900 nonprofit electric utilities serving over 42 million 
people in 47 states.
    Today I am offering testimony on behalf of the Arkansas 
cooperatives and the NRECA, but I am also sharing information 
from an overall industry perspective based on my work with the 
NERC Electric Subsector Coordinating Council and the National 
Infrastructure Advisory Council.
    Whether cooperative, investor-owned or public power, 
electric providers agree on the need for robust and rapid 
recovery from natural disasters, physical attacks and cyber 
attacks. I think I can summarize my testimony in two 
statements, each 10 words or less. First, NERC has it covered; 
please don't mess it up. Second, we need to talk.
    Now, on the first subject, we appreciate the Energy and 
Commerce Committee's engagement on this topic. You played a 
large role in the discussions that led to the creation of the 
North American Electric Reliability Corporation, or NERC, and 
its standards regime. Under that regime, the Federal Energy 
Regulatory Commission can order NERC today without any 
additional legislation, FERC can order NERC to develop 
mandatory, enforceable standards on any topic. NERC has 
developed a number of standards for cybersecurity in electric 
power systems, and can and does enforce these standards through 
audits, inspections, and fines. The standards are developed in 
a collaborative process with all stakeholders, which has 
resulted in enforceable standards that have improved the 
reliability of the North American electric grid.
    To my knowledge, the electric power sector is the only 
critical infrastructure sector with such a robust regulatory 
framework, and I believe that this framework can serve as a 
model for the other critical infrastructures. The grid is an 
extremely complex machine, and changes to the way it operates 
must be carefully coordinated with all stakeholders or 
reliability will suffer. The NERC standard-setting process 
provides a platform to vet all potential impacts with input 
from those who understand the grid the best. Regulations issued 
without consideration of these impacts run the risk of reducing 
grid resiliency rather than enhancing it. We have already 
developed a method that has been proven to work, so in summary, 
NERC has it covered. Please don't mess it up.
    On the second topic, we need to talk, we are glad to see 
the Executive order's emphasis on information sharing. We have 
recently begun a top-level dialog between utility CEOs and 
government, as recommended by the National Infrastructure 
Advisory Council. We very much appreciate the leadership shown 
by many members of this committee in developing CISPA and 
getting it passed overwhelmingly in the House.
    This year we have seen some progress in getting security 
clearances for key personnel in our industry. It is hard to 
have a partnership when one party can't tell the other what is 
going on, and our staff must be able to conduct honest 
conversations with government representatives about the threat 
environment. While relationships have developed over time, and 
we do receive useful information through mechanisms such as the 
ES-ISAC, we still know of instances where government is slow to 
share information or has developed plans for our industry's 
response to cyber events but yet has been classified as top 
secret. So we welcome the continued dialog and hope that the 
Senate will join in crafting mechanisms and law that will 
ensure our owners and operators get timely, actionable 
information. In summary, we need to talk.
    Other witnesses have raised the issue of electromagnetic 
pulse. Utilities can do a lot, but we cannot defend against 
nuclear strikes from enemy nations or other terrorist 
organizations. Electromagnetic pulse and its related 
geomagnetic disturbance from solar storms are very real 
threats, and FERC has just issued a rule directing NERC to 
develop standards on geomagnetic disturbances within the next 6 
months for phase I and 18 months for phase II, so action is 
being taken. Experts outside the utility sector often 
recommended untested technical solutions that really should 
require detailed analysis and studies before installation to 
ensure that grid reliability is not harmed. Some even propose 
technology-specific solutions that could greatly reduce the 
ability for utilities to use other useful products and 
solutions. As I said before, the grid is very complex and one-
size-fits-all fixes are generally not appropriate and may 
actually reduce grid reliability. That is why we support the 
continuance of the NERC standard-setting process. It brings 
together all stakeholders, including government and industry 
experts, to design practicable, buildable and cost-effective 
solutions.
    Thank you for the opportunity to testify.
    [The prepared statement of Mr. Highley follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.056
    
    [GRAPHIC] [TIFF OMITTED] 82197.057
    
    [GRAPHIC] [TIFF OMITTED] 82197.058
    
    [GRAPHIC] [TIFF OMITTED] 82197.059
    
    [GRAPHIC] [TIFF OMITTED] 82197.060
    
    [GRAPHIC] [TIFF OMITTED] 82197.061
    
    [GRAPHIC] [TIFF OMITTED] 82197.062
    
    Mrs. Blackburn. Thank you.
    Mr. Mayer.

                   STATEMENT OF ROBERT MAYER

    Mr. Mayer. Thank you, Chairman Blackburn and members of the 
committee for giving me the opportunity to appear before you 
today. My name is Robert Mayer, and I serve as Vice President 
of Industry and State Affairs at the United States Telecom 
Association. I have had the privilege in the past of sharing 
the communications sector coordinating council through which 
the Department of Homeland Security works to coordinate the 
infrastructure protection activities of our industry sector 
with those of the federal, state, local, territorial and tribal 
governments. Currently, I chair our sector coordinating 
council's cybersecurity committee.
    USTelecom member companies, indeed, our entire sector, 
including wireless and cable broadband providers, stand on the 
front lines of cybersecurity. Protecting our networks and our 
customers from cyber threats is our highest priority and 
requires our members to innovate literally every single day to 
meet the challenges posed by increasingly sophisticated 
adversaries.
    In our industry's view, the single most important policy 
step that can be taken to combat this scourge is giving 
appropriately cleared personnel in our companies access to 
real-time actionable cyber threat information. USTelecom 
supported passage of the Cyber Intelligence Sharing and 
Protection Act, or CISPA, because voluntary, real-time sharing 
of threat information will provide both the private sector and 
the government with the essential tools needed to address 
malicious cyber activity. We especially appreciate the effort 
to balance the many factors necessary to gain overwhelming 
bipartisan passage of CISPA, including providing necessary 
liability protections while at the same time ensuring 
appropriate safeguards for privacy and civil liberties. We 
commend and thank Chairman Mike Rogers, Ranking Member Dutch 
Ruppersberger, the authors of several helpful Floor amendments, 
as well as all of those who voted for the bill.
    Turning to the President's February 12th Executive order, 
we are pleased that the Order reaffirms the importance of the 
public-private partnership in assessing and combating threats 
and that it envisions a voluntary and collaborative framework 
for achieving its goals. USTelecom believes that the government 
can encourage private sector acceptance and adoption of that 
framework by ensuring, among other things, that it remains a 
true partnership among all parties at all levels with the 
flexibility that rapidly changing technological threats require 
and with strong legal protections and incentives for 
participation.
    I want to express our industry's hope and optimism that the 
process of implementing the Executive order will turn out well 
and will lead to widespread acceptance and adoption. We have 
been working constructively to date with NIST, DHS and the FCC, 
and hope those good relationships will continue. But do we want 
to bring to the committee's attention Sections 9 and 10 of the 
Order, because the manner in which they are ultimately 
interpreted and implemented may spell the difference between 
the success and failure of this effort.
    Section 9 relates to the identification of critical 
infrastructure ``at greatest risk.'' Overly expansive 
designations of critical infrastructure may harm innovation by 
leading to predictability and stagnation. Conversely, Section 9 
may preemptively exempt a major portion of the Internet 
ecosystem from even being considered as critical 
infrastructure, a similarly problematic starting point for 
effective cybersecurity strategy. We are watching the 
implementation of Section 9 closely.
    Section 10 requires federal agencies to review the 
preliminary framework and determine whether their own current 
cybersecurity regulatory requirements are sufficient. While 
this section contains language that would encourage agencies to 
reduce ineffective regulation, it arguably also serves as a 
hunting license to regulate, the very thing that would 
undermine the purported goal of the Order: a partnership with 
government to make its citizens safer. We do not believe that 
regulatory proceedings are compatible with addressing 
cybersecurity threats which emerge and evolve at lightning 
speeds.
    Likewise, with respect to the agency most closely 
associated with our industry, the Federal Communications 
Commission, we appreciate and value the contributions it makes 
to the areas of public safety and emergency communications, 
including the work of the Communications Security, Reliability 
and Interoperability Council, or CSRIC, in which we 
participate. A voluntary and consensus-driven approach, as 
contrasted with a regulatory approach, is what has made the 
CSRIC process productive and worthwhile.
    In closing, thank you for holding this timely hearing. We 
are of course on guard against the kind of potential regulatory 
overreach that would slow our response to cyber attacks or 
result in static, Maginot Line-type defenses that our opponents 
will easily bypass. Implemented prudently, however, the 
Executive order may enhance our ability to respond to cyber 
threats and represent the triumph of government-private sector 
cooperation. Thank you.
    [The prepared statement of Mr. Mayer follows:]
    [GRAPHIC] [TIFF OMITTED] 82197.063
    
    [GRAPHIC] [TIFF OMITTED] 82197.064
    
    [GRAPHIC] [TIFF OMITTED] 82197.065
    
    [GRAPHIC] [TIFF OMITTED] 82197.066
    
    [GRAPHIC] [TIFF OMITTED] 82197.067
    
    [GRAPHIC] [TIFF OMITTED] 82197.068
    
    [GRAPHIC] [TIFF OMITTED] 82197.069
    
    [GRAPHIC] [TIFF OMITTED] 82197.070
    
    [GRAPHIC] [TIFF OMITTED] 82197.071
    
    [GRAPHIC] [TIFF OMITTED] 82197.072
    
    [GRAPHIC] [TIFF OMITTED] 82197.073
    
    [GRAPHIC] [TIFF OMITTED] 82197.074
    
    [GRAPHIC] [TIFF OMITTED] 82197.075
    
    Mrs. Blackburn. Thank you, Mr. Mayer. I thank each of you 
for your testimony, and I yield myself 5 minutes for questions.
    Mr. Mayer, I am going to begin with you. Let us talk for 
just a second about what you just mentioned, and I want to hear 
just a little bit more from you on why you think that the 
interpretation and implementation of Sections 9 and 10 of the 
Executive order may spell--what was your statement there?--
spell the difference between success and failure of the effort. 
So just another couple of sentences on that?
    Mr. Mayer. OK. Sure. So the vast body of the Executive 
order governing critical infrastructure under Section 2 is 
under a voluntary framework. Section 9 carves out what is 
determined to be critical infrastructure at greatest risk, and 
there is a process right now where DHS is working with industry 
and others to determine what is on that list of critical 
infrastructure. To the extent that that list becomes overly 
expansive, it will overcome, so to speak, the nature and 
usefulness from our perspective of the voluntary framework, and 
I think it was interesting that Secretary Gallagher mentioned 
as a concern that that very provision might operate to be a 
disincentive for folks who participate in the voluntary 
framework. We are going forward with the presumption that it is 
all going to turn out well and that the voluntary framework 
will dominate and that there will be----
    Mrs. Blackburn. So the fear is overreach and uncertainty 
basically?
    Mr. Mayer. Yes, ma'am.
    Mrs. Blackburn. OK. Mr. Highley, I want to come to you. I 
will just work right down the line. Listening to Mr. Waxman, it 
made it sound like our electric utilities are just getting 
bombarded every day, and my understanding was, these attacks 
are really fairly rare for you all, and more often than not, it 
is an attack on the consumer-facing side like most businesses. 
So I just want to be certain, don't you already have mandatory 
standards that are governing how you should protect your 
operations?
    Mr. Highley. Yes. The answer is yes. The majority of those 
attacks, while large in number, are the same attacks that every 
business receives to their Internet portal, and those are on 
the public-facing sides of the business. They are all stopped 
at the gate, and the supervisory control and data acquisition 
systems have mandatory enforceable standards for how you 
interface to those. We don't have significant problems with 
attacks to those today.
    Mrs. Blackburn. OK. Let me just very quickly, a show of 
hands, how many of you prefer staying with standards, the 
voluntary standards as opposed to going to regulation? How many 
of you prefer standards? OK. All right. I just was curious 
about that. And then I would like to have one statement from 
each of you. As we look at the cybersecurity framework and the 
plans that are in place for implementation, I would like to 
know what your primary concern is, and Mr. McCurdy, I would 
like to start with you and just work down the line, and then I 
will yield my time.
    Mr. McCurdy. Thank you, Madam Chair. I think our primary 
concern is that when you are developing the risk profile and 
the definitions of what is critical infrastructure, that they 
look at existing tools that DHS has used and TSA, we work 
through those. We have a lot of self-assessment tools that 
companies run. So that experience should inform a lot in this 
process.
    Mrs. Blackburn. OK. So you kind of match up with Mr. Mayer 
on the concerns?
    Mr. McCurdy. Yes.
    Mrs. Blackburn. OK. Mr. McConnell?
    Mr. McConnell. My primary concern is it does not have the 
effect of law and so therefore it cannot grant liability 
protection as an incentive to industry to comply with these 
standards.
    Mrs. Blackburn. OK. Ambassador?
    Mr. Woolsey. I believe that we are at war without wanting 
to be so, and whether it is North Korea or Iran, they believe 
they are at war with us. They have the hardware to do us huge 
damage in various ways but particularly through electromagnetic 
pulse, and trying to defend against them with 3,500 generals--
the utilities--each commanding essentially its own force is 
going to fail.
    Mrs. Blackburn. OK. Dr. Papay?
    Mr. Papay. Madam Chair, I think it is important for 
businesses to have that ability to break down barriers to 
sharing information. I will go along with what Dr. Schneck was 
saying earlier. It has got to be as easy as possible for us to 
share that critical cybersecurity information with each other, 
and the EO is getting there but we need legislation to follow 
it up.
    Mrs. Blackburn. Great. Dr. Schneck?
    Ms. Schneck. I completely agree with Dr. Papay. I will add 
more, and that is on the technology front, right tool for the 
right job. We have so many technologies as a community all over 
the world. I mentioned one that many people provide, a 
whitelisting concept. We have to have a framework that allows 
people to very quickly not only build on those and innovate but 
assign the right technology to the right job for what the 
attacker is doing today.
    Mrs. Blackburn. OK. I am running over time but I want to 
finish the panel. Mr. Blauner?
    Mr. Blauner. Since everyone already mentioned information 
sharing, to us, I would say the most critical thing is, we are 
already a regulated environment, which is why I didn't raise my 
hand earlier. We just don't need extra complexity added into 
that and having another agency come in and try to regulate us a 
second time.
    Mrs. Blackburn. Mr. Highley?
    Mr. Highley. For electric utilities, I would say don't 
short-circuit the existing regulatory framework we have where 
FERC can order NERC to write standards as needed.
    Mrs. Blackburn. I am going to have to get you that app. Mr. 
Mayer?
    Mr. Mayer. With the exception of Section 9 in the context 
of the voluntary framework, one of the primary concerns that we 
have and I think Representative Eshoo mentioned this, is that 
we can't have a one-size-fits-all solution, not only across the 
sectors but even within the sectors because different companies 
have different business models and different abilities to 
recover for investment and security.
    Mrs. Blackburn. Thank you. I am way over my time. Mr. 
McNerney for 5 minutes.
    Mr. McNerney. Thank you, Madam Chair.
    Mr. Woolsey, very sobering testimony. Do you think that the 
solution to the threat is hardware-based that you discuss in 
EMP threat or do you think it is software-based? I mean, there 
must be some way to protect the critical components from EMP.
    Mr. Woolsey. There are various things. The surge arrestors 
can help with one part of it, Faraday boxes for other 
components. There are a number of things that can be done. They 
overlap, some of them, with traditional cyber defenses; surge 
arrestors are one example. Others do not. What will fail, I 
think, disastrously is for 3,500 utilities each voluntarily 
going off on its own because they don't want to be regulated 
trying to figure out what to do about electromagnetic pulse. 
They will lose. Anybody who is facing an enemy who is commanded 
by somebody as shrewd as the senior leadership in Iran or, I am 
afraid, probably also North Korea, who is focused on defeating 
us, anybody who is facing an enemy like that with 3,500 
generals all going off in different directions will lose. We 
will lose.
    Mr. McNerney. So you mentioned that some of the hardware 
that we need is actually going to help provide protection at 
the cyber level as well, so I appreciate that comment.
    Now, Mr. Highley was talking about the NERC process 
providing sufficient protection and us not messing it up. Do 
you agree with that perspective?
    Mr. Woolsey. Well, the first order after 9/11 that came out 
of NERC in response to a query, as I understand it, or a 
direction from FERC in total took 44 months, I believe. That 
is--World War II took 3 years and 8 months for us. So if 
response to one part of one problem is timely and useful when 
it comes within the time that we went from Pearl Harbor to 
accepting Japan's surrender, then OK. But I think that standard 
for promptness and effectiveness of response in circumstances 
in which you are dealing with an enemy is nuts. It is nuts to 
suggest that that will be effective against an enemy, against 
solar-based electromagnetic pulses. If we are lucky, maybe it 
will work.
    Mr. McNerney. Thank you. Ms. Schneck, you mentioned the 
issue of legal liability and protection on that issue, but that 
is a huge gift to a company to be given legal liability 
protection. What would you be willing to give back in terms of 
first of all protection to get that kind of legal liability 
protection yourself?
    Ms. Schneck. So to clarify, we would want the protection. 
We work very hard in analytics, as does our community, all the 
different companies.
    Mr. McNerney. Right. You want legal liability protection 
but personal information--I mean, what would you be willing to 
trade to get that kind of gift from the federal government?
    Ms. Schneck. To also clarify, we don't ever share personal 
information. That is not what we do. We share cyber indicators. 
A good example is the address of a machine that is sending 
something bad to, say, 30,000 different places or feeding that 
information to 30,000 different machines to form a botnet. Our 
understanding is that a certain link goes to a site that will 
feed you code to hook you up to steal your intellectual 
property. That is the kind of information we want to share 
between machines, and between humans, we want to be able to say 
things like, if you are looking at a weather map, I see danger 
there, or I see the same type of attack because we protect such 
a wide part of the globe. If we see the same type of event 
happening to some in the same sector, we want to be able to 
tell that to the whole sector. We want to act in good faith, 
which we do today. We certainly applaud CISPA and the work 
there. We want to be able to share more with the community 
without fearing we will get hurt.
    Mr. McNerney. OK. I am going to ask a question similar to 
what the chairwoman asked. If NIST develops performance-based 
standards--and anyone can answer this--how would industry 
cooperate in terms of implementing or compelling those 
standards to be enforced?
    Mr. McConnell. If you are going to grant industry liability 
protection, you are going to have to have some audit that will 
allow you to determine to verify that they had met the 
standards. The way I think about this issue is, the set of 
standards are established, businesses comply with those 
standards, and then if there is a breach, they would have 
liability protection against the fact of a cyber breach.
    Mr. McNerney. Thank you. I will yield back.
    Mrs. Blackburn. Thank you. Chairman Walden for 5 minutes of 
questioning.
    Mr. Walden. Thank you very much, Madam Chair.
    Mr. Mayer and Ms. Schneck, Dr. Gallagher has emphasized 
that the Executive order framework would remain voluntary. Are 
you confident it will? Mr. Mayer, do you want to go first?
    Mr. Mayer. I am confident that NIST in its current work has 
every intention of developing a voluntary framework, and in 
fact, it is their mandate as an organization to do that.
    Mr. Walden. And you are confident it will stay voluntary? I 
know nobody can really predict the future well but----
    Mr. Mayer. The concern or the caution is around what 
happens after framework is developed and when it moves toward 
sector-specific available. When you combine that with the list 
that we still do not have settled, it can morph into something 
that, as I've indicated before, takes on a different quality, 
and that would be problematic. But we are--from every 
indication in talking with all of the key federal entities, 
right now we are quite sanguine that it is going to be a 
voluntary process.
    Mr. Walden. Dr. Schneck?
    Ms. Schneck. So thank you. We are very participatory in the 
framework process as well. We have yet to fully finish studying 
the Executive order as a whole, but at present we are very 
supportive of the framework of the voluntary focus of the idea 
that all different technologies could be explored, innovation 
could be made more rapid. More cybersecurity jobs could come as 
a result of that. Believing it would make us more secure, we 
work in very close partnership with NIST. We have just signed 
an MOU with their cybersecurity center to foster that 
innovation even faster as have many other companies. So at 
present, it does look optimistic and we have been very 
supportive of that.
    Mr. Walden. And again in your testimony, Dr. Schneck, you 
highlight your security-connected products as comprehensive. Do 
you believe that the Executive order's approach to 
cybersecurity is comprehensive?
    Ms. Schneck. I think that remains to be seen. We are in the 
early stages. So far we have been working, again, in 
partnership with NIST. A full response to the RFI focused a lot 
on this need for private sector innovation to drive where 
security can go because that adversary is so fast, the only way 
to be out front ahead of those that wish to do us harm is to 
band together, and I think thus far--again, we are not finished 
studying the full effects of the EO.
    Mr. Walden. All right. Mr. Highley, you are here 
representing some of the electrical co-ops, right?
    Mr. Highley. Yes.
    Mr. Walden. Mr. Woolsey, who has extraordinary service in 
the government, has indicated, if I am hearing him right, that 
he has deep concerns about a more voluntary structure with so 
many utilities and power suppliers. Can you comment on his 
comments relative to FERC and the ability to enforce and your 
organizations and others that you are representing today, 
ability to protect the grid?
    Mr. Highley. So on behalf of the trade association, the 
National Rural Electric Cooperative Association, they are 
engaged in discussions with NIST and with FERC and NERC on the 
regulation to protect us from these issues. I agree, it is a 
very serious concern. What we want to do is see that work 
through a deliberate process that involves all the 
stakeholders. That is why we support the NERC process. I also 
agree with Mr. Woolsey that the process has been very slow in 
the past and we are taking actions to improve the speed at 
which that can move, and I think you saw in the recent FERC 
order, they are asking for the geomagnetic disturbance actions 
to be taken within 6 months. So we are trying to accelerate 
that process in order to get actionable, enforceable standards 
that utilities will meet.
    Mr. Walden. All right. And Mr. Mayer, again, what sort of 
industry best practices are most effective from your experience 
in combating cyber threats and how can such practices be 
identified, incorporated and encouraged under the Executive 
order?
    Mr. Mayer. So I think clearly I am biased, but I would say 
that the communications sector is a leading sector in terms of 
advanced cybersecurity capabilities. Not only do we have to 
protect our networks because that is an ongoing business 
against attacks, but we have to protect our customers, and many 
of those customers are some of the largest corporations in the 
United States and some of the largest government agencies. So 
we have over the years invested significant amounts of money 
and capabilities into innovating and developing all sorts of 
preventative response, mitigation, technologies, tools, 
practices. The interesting thing also is that many of our 
companies compete in this space for services, so it is a very 
active market that encourages innovation and then encourages 
further investment, and you know, we are in constant 
conversations either through the council or other mechanisms, 
some business-to-business mechanisms, in which we talk about 
these capabilities, and we will bring these capabilities to 
discussions at NIST at these workshops and demonstrate some of 
the things that we do, and much of the work that we have done 
in developing best practices, for example, at the FCC through 
CSRIC.
    Mr. Walden. Thank you, and thanks for your generosity on 
the time.
    Mrs. Blackburn. Absolutely. Mr. Waxman for 5 minutes.
    Mr. Waxman. Thank you very much, Madam Chair. We are 
talking about cybersecurity for a range of critical 
infrastructure sectors, but I want to focus on the electric 
grid, as I did earlier, because it is the foundation for every 
one of these sectors. Protecting the grid from cyber attacks 
and other threats is essential to our economy.
    Ambassador Woolsey, you touched on some of these issues but 
I want to bring them out for the record. It is not just our 
civilian infrastructure that depends on the grid. What about 
our national security installations? Aren't they also largely 
dependent on the electric grid?
    Mr. Woolsey. Absolutely, Congressman Waxman. To the best of 
my knowledge, there is one military base in the United States, 
China Lake, which has its own water steam system, has a geyser 
underneath it, essentially, and it sends electricity to Los 
Angeles when it doesn't need it itself. Everybody else is on 
the grid. So if the grid goes down, soldiers and sailors are as 
hungry as everybody else.
    Mr. Waxman. Thank you very much. We only have a limited 
time so I want to get some more points in here. The problem is 
that the Federal Energy Regulatory Commission, what we call 
FERC, lacks authority to ensure that the grid is protected. The 
industry-controlled North American Electric Reliability 
Corporation, or NERC, issues the cyber and physical security 
standards for the grid. Now, NERC operates by a consensus. 
Standards have to be approved by a supermajority vote of the 
utilities. It takes them years to develop a standard. The most 
recent version of NERC's critical infrastructure protection 
standards took 43 months to develop and they are still not in 
effect, and these standards do not include measures to address 
specific viruses or cyber threats. Once NERC submits a 
standard, FERC cannot directly fix an inadequate standard. So 
the process will start all over again.
    Mr. Ambassador, what do you think of NERC's track record on 
grid security threats? Is this the right regulatory model for 
national security issues?
    Mr. Woolsey. I don't believe it is the right model, 
Congressman, and I think NERC's record on security against the 
kinds of sophisticated threats we face today in traditional 
cyber and electromagnetic pulse is virtually nonexistent.
    Mr. Waxman. In 2010, Fred Upton, now a chair, and Ed 
Markey, soon to be Senator from Massachusetts, had a bipartisan 
grid security bill. It would have provided FERC with the 
authority it needs to improve the security of the electric 
grid. This committee passed that bill by a vote of 47 to 
nothing. The House passed the bill by voice vote. Members 
viewed it a national security issue.
    Ambassador Woolsey, in April of 2010, you and several other 
prominent national security experts, former national security 
advisors and Secretaries of Defense and Homeland Security wrote 
to the committee to strongly endorse the bipartisan GRID Act. 
Do you still think that FERC needs additional authority to 
protect the electric grid against threats and vulnerabilities?
    Mr. Woolsey. Yes, I do, absolutely.
    Mr. Waxman. The GRID Act also provided FERC with authority 
to address the threat posed by electromagnetic pulses. How 
worried should the committee be about this threat for which 
there is no mandatory standard?
    Mr. Woolsey. I think the committee should be quite 
concerned and all Americans should. It is an extremely 
dangerous situation we are in now, and we are where we were 
yesterday.
    Mr. Waxman. Well, I thank you for your testimony and your 
answers to my questions. I just wanted to make it very, very 
clear because you and I see this issue in the same way. We have 
got to rely on clear regulatory authority to get this job done.
    Mr. Woolsey. Thank you, Congressman. I think that NERC 
could deal adequately with squirrels and tree branches, which 
is what the main problem is for a lot of electricity 
maintenance regular delivery, but North Korea and Iran, I 
think, are quite beyond their competence.
    Mr. Waxman. Thank you for your answers and thank you for 
your service. I yield back the time.
    Mrs. Blackburn. The gentleman yields back. Mr. Latta for 5 
minutes.
    Mr. Latta. Thank you, Madam Chair, and again, thanks very 
much to this panel for your very instructive information that 
we have received this morning and this afternoon.
    You know, as I was sitting here thinking that there is a 
lot of folks, I would say a great majority of Americans, don't 
understand the threat that we are under and how important it is 
that we come to real grips in this country of the cybersecurity 
that we have to have to protect ourselves, and if I could just 
start with Mr. Papay. In your testimony, you talk about 
Northrop Grumman's focus on internal cybersecurity awareness 
training as part of your internal protection efforts and your 
cyber academy. Can you share a few points about what kind of 
training that people go through when they are at that?
    Mr. Papay. Yes, sir. Thank you for the question. It is a 
voluntary participation within the company for everybody to 
sign up for at least a lower level of cybersecurity awareness 
training to understand where the threats are coming from and 
what they can do as an employee of the company to combat those 
because, really, all of my 70,000 employees in the company are 
really my first line of defense against incoming cyber threats 
that they might get in their email or through a malicious Web 
link. So above the basic cybersecurity awareness, it moves on 
up the pyramid, as we call our cyber academy pyramid, to really 
get to those certifications where somebody wants to go off and 
advance their knowledge of cyber and move it on up all the way 
up through penetration testing and forensics and secure coding 
to where we have really got a set of experts within the company 
because cybersecurity for us is not just about the defense of 
our company but it is also the primary business that we are in. 
So that is our cyber academy in a nutshell, sir.
    Mr. Latta. Thank you.
    Mr. McConnell, if I could ask you a quick question, and I 
really appreciate your knowledge of the severity of the cyber 
threats that face our Nation. Do you have any estimates as to 
what the economic espionage costs are to this country every 
year?
    Mr. McConnell. There is a huge debate about that issue now. 
The community struggled with a National Intelligence estimate, 
and they could not agree. I personally would put it in the cost 
of billions of dollars and millions of jobs, and that is based 
on my best guess at looking at all the information over the 
past 20 years, billions of dollars and millions of jobs every 
year.
    Mr. Latta. Well, and one of the things again, like I said, 
I have had a couple of informational meetings with the FBI in 
my district. We are doing one again next week. How do we get 
this information out? You know, a lot of the larger companies 
out there are worried about the cybersecurity and it is getting 
the folks back home in the smaller companies to say, you know 
what, this could affect us because we might be the largest part 
of the chain, the weakest link that they get into and move up 
from there. But, you know, have you in your experience talked 
with individuals out there, companies out there that might be 
smaller in nature and expressed to them how serious 
cybersecurity is for them?
    Mr. McConnell. The answer is yes, quite a bit, but let me 
make a point with regard to sharing the information. The rules 
that we have were created in World War II and they served us 
well in the Cold War, and both Ambassador Woolsey and I have 
had the position of being responsible for protecting sources 
and methods of the U.S. intelligence community. The rules are 
in place. That community will not change, will not share unless 
the rules change so they can share information with the private 
sector. I have observed this over a long career, and the rules 
must change. Therefore, we have a process for flowing 
information to corporate America. The point is, why do we 
collect this information, why do we analyze it? It is to 
protect the Nation. So we have to then have a forcing function 
to cause a bureaucratic organization that will not comply with 
that process of sharing information unless they are compelled 
to do so.
    Mr. Latta. Thank you. And also, Mr. Mayer, if I could just 
briefly, I am running out of time here. Again, I thank you for 
being here today. You know, in your testimony you highlight the 
number of your member companies, the entire communications 
industry on the front of cybersecurity, and when you are 
looking at the overall picture, given that USTelecom represents 
a large range of companies from small rural providers to some 
of the largest in the country, what would be the effect of 
labeling some of these businesses and networks as critical 
infrastructure?
    Mr. Mayer. I didn't hear the last part, sir.
    Mr. Latta. What would be the effect of labeling these 
businesses and networks as critical infrastructure?
    Mr. Mayer. Well, there are criteria that are being 
established to define what critical infrastructure is under 
Section 9. Under Section 2, it is vague, and I think there is 
an assumption that the broad sector is determined to be 
critical infrastructure under that element. So the question 
becomes, to what extent can different companies of different 
sizes have incidents that result in catastrophic situations, 
and the truth is, not very substantially. Obviously, the 
greater the footprint, the different customers that are served, 
the concentration of facilities in an area, all will make a 
difference. But for purposes of the voluntary framework under 
Section 2, the entire sector is captured as critical 
infrastructure.
    Mr. Latta. Thank you. Madam Chair, my time is expired and I 
yield back.
    Mrs. Blackburn. The gentleman yields back. Ms. Eshoo for 5 
minutes.
    Ms. Eshoo. Thank you, Madam Chair. I want to thank the 
entire panel. This is a panel with enormous depth and breadth 
of expertise, and a special welcome to our former colleague, 
Dave McCurdy, who served as the chairman of the House 
Intelligence Committee, to Admiral McConnell, who served our 
Nation as a Director of National Intelligence, and to 
Ambassador Woolsey, who served as the Director of the CIA. With 
your collective presence, but most especially from this end of 
the table, this is a confirmation that this is a national 
security issue, period. It is a national security issue. It is 
not an ``and'' or an ``or.'' We can't be squishy about it. I 
mean, we really have to put the pedal to the metal, and I know 
that probably all of you and just about all of us have been 
asked to give speeches on cyber attacks and cybersecurity over 
the last several years.
    These attacks are really the new normal. They are the new 
normal, and I don't think there is any question about that. I 
don't know what day I pick up the newspaper that there isn't 
some article about who is doing what to our country. So it is a 
question about how we are going to handle this. Now, what is 
very interesting to me today is our grid, and I want to go to 
Ambassador Woolsey, and I heard Dr. Gallagher from NIST talking 
about a lot of voluntary cooperative measures, and I think 
there is a place for it, but I have to tell you from what I 
think we are all experiencing, I don't think our national grid 
should be left up to that. So can you just spend a moment--and 
I have a couple of other questions if I have time--but I think 
when there is only one defense operation in our Nation that can 
rely on its own energy so that this doesn't occur to them, I 
think we are leaving ourselves absolutely wide open. I mean, it 
is like here we are, come get us.
    Mr. Woolsey. Congresswoman, I completely agree with you. I 
have been very concerned and speaking and writing about this 
issue for some years. I think that the problem is that our grid 
grew up in the beginning of the late 19th century and it is 
still growing, but mainly in the 20th century. During the 
period of time in which the only time we had to worry about 
security inside the country at all was really right after Pearl 
Harbor with Japanese and German submarines off the coast. Yes, 
in the Cold War, we and the Soviets deterred one another but 
generally speaking, the only time Americans were really worried 
somebody might be coming ashore, might go after, you know, a 
utility or something like that was from 1941 to around 1946. I 
think that that mentality has meant that we have put together 
an electric grid that is designed for openness, for ease of 
access, for being cheap, providing electricity as cheaply as 
possible, and without a single thought being given to security 
except for nuclear power plants, and even the nuclear power 
plants, most of the time their transformers are outside the 
fence, even though the plant itself may have great guards and 
so forth, and----
    Ms. Eshoo. Do you believe, if I might, I would appreciate 
this, and we are going to have a working group and I think that 
I would like to have you come back to be instructive to us, but 
do you think that this deserves a different kind of set of 
approaches because it is what it is? And, you know, God forbid 
that this goes down, we are cooked.
    Mr. Woolsey. Technology has caught up with us. At the same 
time we were doing the Y2K fixes in the late 1990s, the Web was 
coming heavily into use and everybody decided hey, what could 
go wrong if we put the control systems for the electric grid on 
the Web and the SCADA systems, some of them, Supervisory 
Control and Data Acquisition systems. So you have a situation 
now where our control systems for our electricity are open to 
hackers. That wasn't the case some years ago. So we have not 
only ignored security, we have done really, really dumb things 
without thinking about security, and we are now faced with a 
situation with the grid in which we have to make some very 
substantial changes very quickly because of really serious 
dangers, and a lot of people want to put the blinders on and 
say gee, that is tough, we don't want to deal with that. I am 
delighted to help in any way I can.
    Ms. Eshoo. Well, I think it gets into a debate of whether 
the government should regulate or not in this area. That is 
really where the rub comes. But I think that we really have to 
scrub this with the seriousness that needs to be brought to it 
because this is an enormous vulnerability for our country. It 
is a very serious one, and I appreciate your work. I have so 
many questions that I want to ask. I wish I were the only one 
here and could just go on and on, but I will submit my 
questions to you, and thank you to all of you for testifying, 
and for those of you that spent considerable time serving our 
government, thank you.
    Mrs. Blackburn. The gentlelady yields back. Mr. Lance, you 
are recognized for 5 minutes.
    Mr. Lance. Thank you, Madam Chair, and it is an honor to 
meet all of you, and this is certainly among the most 
distinguished panels I have heard as a member of the committee.
    Regarding cybersecurity, I usually think of challenges from 
China and Iran and from Russia, and to the distinguished 
members of the panel, and I would start with you, Ambassador 
Woolsey, and also Admiral McConnell, I have heard several times 
this morning North Korea. Might you go into a little more 
detail regarding your belief in the threat from North Korea?
    Mr. Woolsey. Yes, Congressman, not particularly cyber, 
although they do some cyber attacking. Mike would know more 
about that than I. The problem is that one way to launch an 
electromagnetic pulse attack against the United States, and 
this is, by the way, in my op-ed in the Wall Street Journal 
this morning too, is to use what is called a fractional orbital 
bombardment system, FOBS, which was invented by the Soviets. It 
is essentially a way to bypass all of our defenses by launching 
a satellite into orbit, usually relatively low Earth orbit, and 
launching it toward the south because our detection systems, 
our radars and so forth, are focused north, and the one North 
Korean satellite and the two, or now three, I think, Iranian 
satellites have all been launched toward the south and they 
have all been launched at an altitude to have an orbit over us 
that would be pretty optimal with respect to the detonation of 
a nuclear weapon and the creation of an electromagnetic pulse. 
All you really need for that is a nuclear weapon. You can make 
it more effective with more gamma rays if you design it that 
way. It does not have to have a high yield. It can be two, 
three, four, five kilotons, it doesn't matter. It is not the 
blast that matters, it is the generation of the gamma rays from 
space. If that is done, it is a relatively simple task. You 
don't need heat shields. You don't need accuracy. You are not 
trying to hit anything on the ground. You are just detonating 
up there at several hundred kilometers. And that means that 
that type of capability could be in the hands of the North 
Koreans, and as the President said a few months ago, even 
within this year, in the hands of the Iranians.
    Now, that is a very different situation than their having 
to come at us to attack American bases, to engage us where our 
military forces are or anything like that, or even attack South 
Korea with American troops helping defend South Korea. To 
simply put a satellite into orbit at a few hundred kilometers 
and detonate a simple nuclear weapon is, I am afraid, not that 
hard if you already have the weapon and you already have the 
launch vehicle, the ballistic missile. So that is why I talk 
about North Korea as well. Iran doesn't have a nuclear weapon 
yet but it may well in relatively short order. So those two 
countries, especially since they hate us so much, or at least 
their governments do, and in the case of North Korea, they 
issue extremely strident statements about destroying the United 
States. Putting those things together, I take them at their 
word, they would like to do that, and then we have to find some 
way to keep them from doing it.
    Former Secretary of Defense Bill Perry and current Deputy 
Secretary of Defense Ashton Carter in the Washington Post back 
in 2006 urged President Bush not to let the North Koreans test 
their medium-range missile, which is the same thing that had 
been used for the launch vehicle, but to attack their launching 
pad with conventional weapons if they ever hold one of these 
ballistic missiles out to launch. They have now done that 
several times, and I think Bill and Ash were right and 
President Bush was unwise not to follow their advice, and now 
we are in a situation where both countries have the launch 
vehicles but only one has a nuclear weapon so far.
    Mr. Lance. Thank you. Admiral McConnell, your thoughts?
    Mr. McConnell. On a scale of one to 10, 10 being the best, 
the best in the world, the Russians and Chinese are probably a 
seven. The Iranians are probably a four. The issue is, about 80 
percent of what is out there is from the Chinese. They have a 
policy of economic espionage. They have 100,000 just in the 
military, probably another 100,000 scattered throughout, and 
they are after economic advantage, competitive advantage. So 
that is what we are facing.
    I didn't mention terrorist groups. On a scale of one to 10, 
they are pretty low. But the Chinese and others are producing 
thousands of these malware attack tools. These are exploitation 
attack. How long is it before some extremist group who wants to 
change the world order gets their hands on some of these 
weapons and then they go after something like a critical 
infrastructure, for example, the grid.
    Mr. Lance. Thank you. My time is expired. Thank you very 
much.
    Mrs. Blackburn. The gentleman yields back. Mr. Doyle for 5 
minutes.
    Mr. Doyle. Thank you, Madam Chair, and thank you to all our 
witnesses here today. It has been very interesting testimony.
    Like many of my colleagues on this committee, I have been 
engaged in this issue for quite some time now, and there are 
many aspects of this debate that we have weighed in on, most 
specifically the importance of protecting consumer privacy, but 
today I want to address the ways we can successfully develop a 
cybersecurity framework that protects and defends our critical 
infrastructure while being nimble enough to adapt to new and 
emerging threats.
    I come from Pennsylvania. We have a complex electric and 
telecommunications distribution network, miles and miles of new 
natural gas pipeline being built every day and several large 
nuclear power plants. So protecting our critical infrastructure 
in my State and across the country is of the utmost urgency.
    I can see that everyone here today agrees with the urgency 
and the seriousness of the task, and as NIST develops its 
cybersecurity framework, I am hopeful that the testimony at 
this hearing today will be considered. A lot of that testimony 
deals with the need for voluntary standards that aren't 
prescriptive, and while I agree that codifying prescriptive 
standards this month that could be out of date by next month 
isn't the best approach. I am not convinced, however, that 
voluntary incentive-based standards will properly protect our 
critical infrastructure.
    So I mentioned in Pennsylvania, we have several nuclear 
power plants including the Beaver Valley plant, which sits just 
outside my district. Now, you are all probably aware that the 
NRC issued its cybersecurity regulations after September 11. 
The regulations they developed for nuclear power plants were 
performance-based standards that once approved were 
incorporated into a plant's operating license giving it proper 
enforcement mechanisms.
    So I would like to ask Ambassador Woolsey and Admiral 
McConnell, do you think it makes sense to develop performance-
based cybersecurity standards for our critical infrastructure 
sectors?
    Mr. McConnell. I think performance-based standards are what 
we should strive for. The reason for that is they have to be 
dynamic. The question will be, how do you get compliance with 
those standards. So the argument will come down to, do you 
incentivize industry to allow them to get some reward for 
following the standards or do you compel it, so that will be 
the debate that Congress will have to wrestle with.
    Mr. Doyle. Ambassador?
    Mr. Woolsey. I think that is a good idea, but the problem 
is, if one expects innovation to come from utilities, it is not 
where it is going to come from. Just former Deputy Director of 
the Advanced Research Projects Agency for DOE, ARPA-E, told me 
about 3 or 4 weeks ago that he had just done the calculation 
and that the 3,500 utilities in the United States spend less on 
research and development than the American dog food industry. I 
don't know what those totals are. I haven't looked up the dog 
food industry's total yet. There are some fine institutions, 
the Edison Electric Institute and so forth, that do some R&D 
work, but we have not designed our system so that the electric 
grid demands, takes advantage of or is a mecca for security 
measures, and something has to drive that and drive it really 
hard within that framework. If one can figure out a way to use 
performance-based standards, yes, but if one just hopes that 
performance is going to be met, I don't see anything that is 
going to improve the current situation, which I think is really 
very bad.
    Mr. Doyle. Thank you, Ambassador. Dave?
    Mr. McCurdy. Congressman, thank you. I want to put 
something in context here, and I have dealt with this issue as 
well for quit some time, and part of my indoctrination or 
introduction to the cyber level was in your home district in 
Pittsburgh. I was on the board of the Software Engineering 
Institute at Carnegie Mellon, and there, they develop the best 
practices and understanding of cybersecurity, and it was their 
CERT, which is now the basis of the U.S. CERT, because the 
government, when they formed DHS after 2001, you know, used 
that expertise. It has evolved. In fact, as a founder of the 
Internet Security Alliance, I was in Tokyo on 9/11 talking to 
the OECD about the role of board directors and corporate 
leadership in raising the awareness of the importance of 
cybersecurity, then we called it Internet security. It has 
evolved. And even though we can talk about the extreme cases, 
and it is true, and I spent seven terms across the hall in the 
Armed Services Committee, which is a lot of conversation that 
we have gotten into, don't just assume that the worst case here 
is applying in the cyber arena. First of all, these attacks 
that occur, a number of them are repelled at the border. We 
have to assume that many are going to penetrate, but that is 
why we have also gone to other layers of defense where we have 
penetration, understanding, detection capability and in 
mitigation. That is working with this entire array of 
government agencies and outside contractors, et cetera, that 
are raising the level of protection. So I just wanted to get 
that on the record, Madam Chair, because I think we have 
perhaps gotten a little on one extreme of the severity as 
opposed to likelihood of occurrence and what actually happens 
on a daily basis.
    Mr. Doyle. Thank you, Madam Chair.
    Mrs. Blackburn. Thank you. Dr. Olson for 5 minutes.
    Mr. Olson. I thank the chairwoman, and welcome to our 
witnesses, and before I ask my questions, I want to let 
Congressman McCurdy know that the people back home in Texas 22 
have the people of Moore, Oklahoma, in our hearts and in our 
prayers. I know that is your old district. And Mary Fallin, my 
former colleague, is doing a great job. But if you all need 
some help, just ask. We will swim across the Red River. God 
bless the people of Moore, Oklahoma, and everybody impacted by 
those terrible tornados.
    As you know, we are having an energy renaissance right here 
in America because of new technology: hydraulic fracturing and 
directional so-called horizontal drilling. The Administration 
just this last week said the Barnett shale play has twice the 
oil and gas they thought they had up there just 6 months ago. 
The Barnett shale play in the Dallas-Fort Worth area is still 
going strong. The Permian Basin in West Texas is booming again 
and the Eagle Ford shale play is off the charts. With all this 
new energy, thousands of miles of pipelines have to be built 
including the Keystone XL pipeline that is actually being built 
right now from Port Arthur to the Port of Houston up to 
Cushing, Oklahoma, your home State, and with that NASA-like 
automation of modern pipelines, that makes them safer but 
obviously it opens them to cyber attacks. So I know that your 
membership takes these threats seriously. Could you expand on 
what steps the industry is taking to protect itself from cyber 
attacks from malicious actors who might attempt to alter the 
operations of pipelines themselves? What are you doing as an 
agency or as an association?
    Mr. McCurdy. Well, thank you, Congressman. First of all, 
safety is the number one priority of our sector, and there are 
2.4 million miles of natural gas pipeline in this country, 
which is the envy of the world, and coincident with the comment 
I just made to Congressman Doyle, this has to start at the top, 
the awareness of the importance of cybersecurity. Our current 
chairman is the CEO of Questar in Utah. He as an engineer was 
working on cybersecurity issues post 9/11 and has made it very 
clear that during his term as chairman of AGA, this is a top 
concern. So we have established not only task forces working, 
we chair a number of coordinating committees within the 
framework but also in the oil and gas sector. In fact, Mr. 
Jibson and Questar, there is a tool that DH uses called CSAT, 
which is an evaluation tool that takes multiple weeks to 
actually run to assess your own security, and he not only had 
that run several times but he also had reported to his board of 
directors the outcomes so that they could prioritize their 
investments, and ultimately, it is making sure that the utility 
commissions that not only regulate but they also approve the 
rate mechanisms, rate recoveries, understand the importance. So 
there is a whole panoply of action that is occurring, not only 
at the technical level--we have technical experts meeting every 
day--we had FBI walk into us and talk about risks. We had DHS. 
We have met with DOE, met with NSA. So there is a good, you 
know, kind of information flow. However, the gist of this 
hearing is, how do you improve information exchange, and that 
goes from making sure that the clearances are there for 
industry and potential protection because of this kind of 
litigious society that we belong to so that there is a free 
flow of information and it is relevant and it is timely. When 
they come to us and they say here is a perceived threat, they 
have also identified not only the nature of the threat but also 
some actions that can be taken to mitigate it or defeat it. 
That is an important flow of information and exchange.
    Mr. Olson. In your opening comments, you said the 
cybersecurity framework is ``headed in the right direction.'' 
So my question for you is, headed in the right direction, that 
is a good thing--that is not a great thing but a good thing. So 
my question is, what do you hope to see out of this framework 
and what do you not want to see out of this framework? One on 
each category.
    Mr. McCurdy. There was a question earlier about are they 
confident that NIST was going to maintain the voluntary nature, 
and I think NIST on its own would. We work with NIST and other 
organizations I have worked with, there are standards 
developing. They work with industry. I think given that 
background and that direction, they will build a consensus and 
it would be a voluntary set of incentives and guidelines and 
the like. It is beyond that. So what happens in the 
Administration that says maybe that is not enough. So in the 
hands of NIST and the current framework, I think it is a good 
step.
    Mr. Olson. Thank you. I yield back the balance of my time. 
Thank you so much, and again, we have the people in Moore, 
Oklahoma, in our thoughts and prayers. God bless you, sir.
    Mrs. Blackburn. The gentleman yields back. Mr. Griffith for 
5 minutes.
    Mr. Griffith. Thank you, Madam Chair. This is a question 
for Mr. McConnell. Softbank, a Japanese company, has offered to 
purchase Sprint. My understanding is, the National Security 
Committee on Foreign Investment in the United States has a 
review ongoing. Do you have any concerns about placing a major 
infrastructure provider like Sprint, which has some security 
issues for our national security, under the control of 
Softbank?
    Mr. McConnell. Yes, I do. If you are in the intelligence 
business, as I was and some would argue still am, the one thing 
you would love to do is to run the infrastructure of some other 
country if you considered them a potential adversary. So having 
a foreign country own and control the telecommunications 
industry inside the United States, I would not be in favor of.
    Mr. Griffith. All right. I appreciate that.
    I do want to get back to, because I found it very 
interesting, and I am very concerned about the electromagnetic 
pulse issue, but I do want to give Mr. Highley an opportunity 
to respond. There have been some comments that the current 
structure won't work. Do you agree or disagree?
    Mr. Highley. I disagree.
    Mr. Griffith. Tell me why.
    Mr. Highley. There is a item called the Electric Subsector 
Information Sharing and Analysis Center, which is part of NERC, 
and it was stated earlier that NERC can't respond quickly 
enough to developing threats, but the whole purpose of this 
center is to disseminate developing threats as soon as they are 
released by government or the information sharing work that is 
done. As soon as they can declassify a threat, whether it is 
physical or cyber, that is sent out to the utilities, and 
believe me, we respond when we get those actionable-threat 
updates. Recently the CFOs met with a number of Cabinet-level 
officials to discuss threats to the electric system, and EMP 
was not raised as a top priority, top concern, but I guarantee 
you that when we are informed of that, we will respond.
    Mr. Griffith. But let me say, don't you think that should 
be a major concern? I mean, we do have two enemies, and of 
course, then there are natural causes as well that might cause 
this problem. Don't you think it should have been discussed and 
shouldn't it be on the list?
    Mr. Highley. Absolutely. It is of great concern.
    Mr. Griffith. Let me go back to you, if I might, Ambassador 
Woolsey, because I do find this very interesting, and in his 
whole discussion we have talked about launching south. Who else 
gets affected? Because obviously it is not just going to be the 
United States if you release that magnetic pulse out there. If 
you launch south from either Iran or North Korea, what other 
countries are going to be impacted? I guess what I am asking 
also is, are they going to be impacted or can they launch it 
such a way that it doesn't affect them as well?
    Mr. Woolsey. It depends on the altitude that the detonation 
occurs at and where it is. The lower the altitude, the less you 
get of at least one of the three types of electromagnetic pulse 
effects, because some of the effect is line of sight and others 
of the effects travel along the transmission lines and so 
forth. So it is kind of a complicated question. You are 
probably OK on the other side of the earth from the detonation 
but it would certainly be the case that if the heart of the 
United States was taken out of the electric grid by something 
like this, certainly Canada would be in very serious trouble 
and the like.
    It would also be pretty difficult, I think, although 
perhaps not impossible to detonate at appropriate altitude to 
only affect a relatively small country. So I think a better 
witness on this than me is Peter Pry, who is sitting behind me, 
who worked on both of the electromagnetic pulse commissions.
    Mr. Griffith. Maybe they can steer us to some information 
that we can look at on that issue.
    Mr. Woolsey. I would be glad to.
    Mr. Griffith. And then you made a comment earlier that it 
was less likely, understandable because they are our enemies 
but there was also the threat of the solar-based impulse. Can 
you explain that a little bit, and when was ht last time we had 
one strong enough to take out the electric grid?
    Mr. Woolsey. The huge one was in 1859, and most of the 
physicists and people who study the sun and work on these 
things think that the big ones occur about once a century, and 
we are about 150 years, so we are about 50 years overdue, but 
these things don't occur with real regularity. There have been 
several since at a much lower level than the one that occurred 
in 1859.
    Mr. Griffith. Let me stop you there, because another one of 
my questions that I am interested in is, doesn't that also have 
impacts on our weather conditions, and what happened in 1859 
with the weather?
    Mr. Woolsey. I don't know that, but solar events of all 
different kinds including much, much smaller ones than this 
have substantial effects sometimes on weather and climate. But 
you need somebody up here who----
    Mr. Griffith. I understand. You go on back to what you do 
know. I appreciate that. And go ahead and tell me some more 
about what--well, I am out of time anyway. Maybe we can have 
this discussion another time or at a later date. I appreciate 
it, Madam Chair, and I yield back.
    Mrs. Blackburn. The gentleman yields back, and I will 
remind all of our members that you have 10 business days to 
submit additional questions. Indeed, as you all can see, there 
will be some more questions coming your direction, and that 
would put the deadline for questions at June 5th. I would ask 
that our witnesses, as patient as you have been with us today, 
that you please respond promptly to the questions where a 
written answer is requested, and without objection, this 
hearing is adjourned.
    [Whereupon, at 1:24 p.m., the Subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Today's hearing continues the Energy & Commerce Committee's 
oversight of a topic of great national significance--
cybersecurity. The committee continues to closely monitor the 
cybersecurity protection and mitigation efforts of those vital 
sectors within the committee's jurisdiction, including oil and 
gas pipelines, the electric grid, nuclear energy, chemical 
facilities, sewer and water, and telecommunications.
    As the nation becomes more reliant on digital 
communications technology, we also increase our exposure to 
cyber threats. Indeed, cyber risks to our nation's critical 
infrastructure have increased significantly in recent years, 
including multiple high-profile cyber incidents that have 
confirmed the steady rise in cyberattacks.
    But combatting such threats requires a cybersecurity regime 
that provides ample flexibility to afford owners and operators 
of critical infrastructure the ability to protect against and 
respond to rapidly evolving threats. A one-size-fits-all 
approach to cybersecurity is ill-suited for the diverse range 
of critical infrastructure sectors, each of which has its own 
complex characteristics. Owners and operators know best how to 
protect their own systems, and it is nearly impossible for the 
speed of bureaucracy to keep pace with ever changing threats.
    Undertaking certain reasonable actions in the short-term 
can have a marked improvement in protecting critical assets. 
These actions include enhanced information sharing between the 
federal government and the private sector, greater emphasis on 
public-private partnerships, and improved cross-sector 
collaboration. Regarding information sharing, we continue to 
support Intelligence Committee Chairman Rogers's legislation, 
which passed the House last month.
    I believe that the best approach to improving cybersecurity 
is for existing regulators to work with industry stakeholders, 
and for robust information sharing between government and 
stakeholders. In contrast, I continue to be skeptical of 
continued calls for a top-down, command-and-control regulatory 
approach centralized at the Department of Homeland Security or 
any other federal agency. Along those lines, the committee will 
continue to monitor with great interest implementation of the 
President's Executive order on cybersecurity.

                                #  #  #

                              ----------                              

[GRAPHIC] [TIFF OMITTED] 82197.089

[GRAPHIC] [TIFF OMITTED] 82197.090

[GRAPHIC] [TIFF OMITTED] 82197.091

[GRAPHIC] [TIFF OMITTED] 82197.092

[GRAPHIC] [TIFF OMITTED] 82197.093

[GRAPHIC] [TIFF OMITTED] 82197.094

[GRAPHIC] [TIFF OMITTED] 82197.095

[GRAPHIC] [TIFF OMITTED] 82197.096

[GRAPHIC] [TIFF OMITTED] 82197.097

[GRAPHIC] [TIFF OMITTED] 82197.098

[GRAPHIC] [TIFF OMITTED] 82197.099

[GRAPHIC] [TIFF OMITTED] 82197.100

[GRAPHIC] [TIFF OMITTED] 82197.101

[GRAPHIC] [TIFF OMITTED] 82197.102

[GRAPHIC] [TIFF OMITTED] 82197.103

[GRAPHIC] [TIFF OMITTED] 82197.104

[GRAPHIC] [TIFF OMITTED] 82197.105

[GRAPHIC] [TIFF OMITTED] 82197.106

[GRAPHIC] [TIFF OMITTED] 82197.107

[GRAPHIC] [TIFF OMITTED] 82197.108


                                 
