[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
    CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN 

                        CRITICAL INFRASTRUCTURE

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,

                       INFRASTRUCTURE PROTECTION,

                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 20, 2013

                               __________

                            Serial No. 113-9

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC] [TIFF OMITTED] TONGRESS.#13


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________





                  U.S. GOVERNMENT PRINTING OFFICE
82-583                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Keith J. Rothfus, Pennsylvania       Eric Swalwell, California
Richard Hudson, North Carolina
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Jason Chaffetz, Utah                 William R. Keating, Massachusetts
Keith J. Rothfus, Pennsylvania       Filemon Vela, Texas
Steve Daines, Montana                Steven A. Horsford, Nevada
Scott Perry, Pennsylvania            Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     1
  Prepared Statement.............................................     5
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     9

                               Witnesses

Mr. Frank J. Cilluffo, Director, Homeland Security Policy 
  Institute, Co-Director, Cyber Center for National and Economic 
  Security, The George Washington University:
  Oral Statement.................................................    11
  Prepared Statement.............................................    13
Mr. Richard Bejtlich, Chief Security Officer and Security 
  Services Architect, Mandiant:
  Oral Statement.................................................    21
  Prepared Statement.............................................    23
Mr. Ilan Berman, Vice President, American Foreign Policy Council:
  Oral Statement.................................................    25
  Prepared Statement.............................................    27
Mr. Martin C. Libicki, Senior Management Scientist, Rand 
  Corporation:
  Oral Statement.................................................    30
  Prepared Statement.............................................    32

                             For The Record

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Article, ``Iran's Global Business Is Murder Inc.'' by Michael 
    Oren.........................................................     3
  Statement of Dean Picciotti, President, Lexington Technology 
    Auditing.....................................................    43


    CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN 

                        CRITICAL INFRASTRUCTURE

                              ----------                              


                       Wednesday, March 20, 2013

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:05 p.m., in 
Room 311, Cannon House Office Building, Hon. Patrick Meehan 
[Chairman of the subcommittee] presiding.
    Present: Representatives Meehan, McCaul, Chaffetz, Rothfus, 
Perry, Clarke, and Vela.
    Mr. Meehan. The Committee on Homeland Security's 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will come to order.
    The subcommittee is meeting today to examine the cyber 
threat that is posed by China, Russia, and Iran.
    I now recognize myself for an opening statement.
    I would like to welcome this distinguished panel, and 
everyone to today's hearing, which is our first subcommittee 
hearing of the 113th Congress. This being our first hearing, I 
would also like to welcome the new Members and extend my 
appreciation to Chairman McCaul for naming me the Chairman of 
the crucial subcommittee.
    I would also like to recognize, which we don't customarily 
do, but it is a special opportunity to have 16 students from 
the Valley Forge Military Academy, which is in my district, so 
I am privileged on that factor as well, to join us here today.
    I had the good privilege to chair the Subcommittee on 
Counterterrorism and Intelligence in the last Congress, and 
there are many overlapping issues in the cyber realm. I look 
forward to engaging on those again in the coming 2 years.
    I would also like to begin by taking the opportunity to 
credit Ranking Member Clarke for her leadership on 
cybersecurity and the tremendous work she has been doing for 
some period of time on this issue. I know she has been tied up, 
but will be joining us very shortly. Representative Clarke has 
been at this for a while and I look forward to working together 
in a bipartisan fashion as we move forward on the issue.
    I would also like to salute Dan Lungren--take an 
opportunity to say thank you to him for his previous 
Chairmanship of this subcommittee and the very, very important 
work he did on this issue before. His substance, knowledge, and 
exceptional legal acumen is going to missed by our body, and I 
wish him well and thank him for his service.
    I am looking forward to serving with each of the new 
Members who will join us here on this committee.
    Today's hearing is timely and very relevant. We are 
examining the cyber threat today that is posed by nation-
states, namely China, Russia, and Iran. I focus on the nation-
state aspect of this threat because it represents a new 
battlefield in state relationships and one in which we must 
prepare accordingly.
    Since the new year, there have been significant 
developments in the cyber domain, highlighted by the fact that 
the U.S. Government has finally begun to name the nation-states 
most responsible for cyber attacks against the United States. I 
believe identifying the threat is critical to combating this 
problem and protecting our critical infrastructure.
    Over the last 2 months, the Obama administration has 
rightly placed cybersecurity at the top of its public agenda. 
In his State of the Union speech, President Obama specifically 
cited foreign countries swiping our corporate secrets, 
attacking our financial institutions, and sabotaging our power 
grid.
    Last week, Tom Donilon, the President's National security 
adviser, outed China as the place where cyber intrusions are 
emanating on an unprecedented scale. Also last week, the annual 
threat assessment by the United States intelligence community 
delivered to Congress--Director of National Intelligence, James 
Clapper, named cyber as the top threat to the United States' 
National security. This represents a major shift in the threat 
assessment by the United States intelligence community and 
makes our work on this committee even more important.
    Last, President Obama last week discussed cybersecurity 
during a congratulatory phone call to the new Chinese 
president. That, coupled with the talks currently taking place 
or which just have concluded between Secretary Jack Lew and the 
new leaders in Beijing mean that this is an excellent 
development for our Nation that this issue has been addressed 
at the highest levels.
    With respect to identifying the threat, this subcommittee 
has a history of identifying the threat, naming it publicly, 
often before it manifests itself. In fact, last year, former 
Representative Lungren and I held a joint subcommittee hearing 
entitled, ``The Iranian Cyber Threat to the Homeland.''
    We identified Iran as a cyber growing threat. Since that 
hearing, it has been reported widely that Iran conducted 
distributed denial-of-service, the DDOS attacks, against 
multiple American financial institutions.
    Both Mr. Cilluffo and Mr. Berman testified at the hearing 
and accurately predicted Iran's growing intent and capability 
to conduct a cyber attack against the United States homeland. I 
credit both of you with foresight on the issue, when many 
underestimated the Iranian threat in itself, to our Nation, and 
particularly the Iranian cyber threat. I view today's hearing 
as a continuation of last year's hearing and look forward to 
seeing and hearing how you believe it has evolved.
    With respect to the Iranian cyber threat, I believe clarity 
is critically important. Iran is the world's largest state 
sponsor of terrorism and continues to pursue nuclear weapons 
to, ``wipe Israel off the map.'' In that sense, we must 
question whether we are dealing with a potentially irrational 
actor, which makes the Iranian cyber threat even more 
dangerous.
    I believe that any regime willing to detonate a bomb in a 
Washington, DC, restaurant to assassinate a Saudi ambassador to 
the United States would truly be willing to conduct a major 
cyber attack against United States' critical infrastructure. 
The U.S. Government must make clear to the Iranians our red 
lines, and if they escalate their attempts to infiltrate our 
critical infrastructure, we will respond accordingly.
    For the Iranians, cyber is just another tool with which to 
sow terror and to repress its people. In the words of Michael 
Oren, the Israeli ambassador to the United States, ``Iran's 
main export is murder.'' It is important we all realize that, 
especially within the context of cyber.
    To ensure we have clarity about the Iranian threat, I would 
like to enter into the record a February 16 op-ed in The Wall 
Street Journal by Ambassador Oren, which provides great detail 
on Iran's regime. I have also asked staff to provide a copy of 
the op-ed to Members at today's hearing and encourage you to 
read it closely. In my view, we must assess the Iranian cyber 
threat through Ambassador Oren's perspective, in the context 
of, and I quote: ``murder, bombings, kidnappings, and trade in 
drugs and guns. The cyber attack capability is increasing and 
their intent may well be murderous. We must not forget it.''
    This is the op-ed. I will ask that it be ordered into the 
record.
    Without objection, so ordered.
    [The information follows:]
          Article Submitted For the Record by Chairman Meehan
                 iran's global business is murder inc.
By Michael Oren, February 11, 2013.
            Bombings in capital cities, kidnappings, trade in drugs and 
                    guns--Iranian exports, all. Now Tehran wants nukes.
    A bomb explodes in Burgas, Bulgaria, leaving five Israeli tourists 
and a local driver dead. Mysteriously marked ammunition kills countless 
Africans in civil wars. Conspirators plot to blow up a crowded cafe and 
an embassy in Washington, DC. A popular prime minister is assassinated, 
and a despised dictator stays in power by massacring his people by the 
tens of thousands.
    Apart from their ruthlessness, these events might appear unrelated. 
And yet the dots are inextricably linked. The connection is Iran.
    In 25 cities across five continents, community centers, consulates, 
army barracks and houses of worship have been targeted for destruction. 
Thousands have been killed. The perpetrators are agents of Hezbollah 
and the Quds Force, sometimes operating separately and occasionally in 
unison. All take their orders from Tehran.
    Hezbollah's relationship with Tehran is ``a partnership arrangement 
with Iran as the senior partner,'' says America's director of national 
intelligence, James Clapper. The Lebanon-based terror group provides 
the foot soldiers necessary for realizing Iran's vision of a global 
Islamic empire. Hezbollah chief Hassan Nasrallah says his organization 
was founded to forge ``a greater Islamic republic governed by the 
Master of Time [the Mahdi] and his rightful deputy, the jurisprudent 
Imam of Iran.''
    With funding, training, and weapons from Iran, Hezbollah terrorists 
have killed European peacekeepers, foreign diplomats, and thousands of 
Lebanese, among them Prime Minister Rafiq Hariri. They have hijacked 
American, French, and Kuwaiti airliners and kidnapped and executed 
officials from several countries. They are collaborating in Bashar 
Assad's slaughter of opposition forces in Syria today.
    A deadly suicide attack in Burgas leaving five Israeli tourists and 
a local driver dead in last July.
    Second only to al-Qaeda, Hezbollah has murdered more Americans--at 
least 266--than any other terrorist group. The United States designated 
Hezbollah as a terrorist organization in 1997, though the European 
Union has yet to do so.
    Above all, Hezbollah strives to kill Jews. It has fired thousands 
of rockets at Israeli civilians and tried to assassinate Israeli 
diplomats in at least six countries. Its early 1990s bombing of a 
Jewish community center and the Israeli Embassy in Argentina killed 
115.
    The attack in Burgas occurred last July, and this month the 
Bulgarian government completed a thorough inquiry into who was behind 
it: Hezbollah. ``The finding is clear and unequivocal,'' said John 
Kerry in one of his first pronouncements as U.S. Secretary of State. 
``We strongly urge other governments around the world--and particularly 
our partners in Europe--to take immediate action and to crack down on 
Hezbollah.''
    Then there is the Quds Force, the elite unit of Iran's 
Revolutionary Guard Corps, which takes orders directly from Iranian 
Supreme Leader Ali Khamenei. The U.S. has repeatedly accused the Quds 
Force of helping insurgents kill American troops in Iraq and 
Afghanistan, and of supplying weapons to terrorists in Yemen, Sudan, 
and Syria. In 2007, Quds Force operatives tried to blow up two Israeli 
jetliners in Kenya and kill Israel's ambassador in Nairobi.
    Hezbollah and the Quds Force also traffic in drugs, ammunition, and 
even cigarettes. Such illicit activities might seem disparate but they, 
too, are connected to terror and to Tehran.
    In 2011, the New York Times reported that Hezbollah was working 
with South American drug lords to smuggle narcotics into Africa, the 
Middle East, and Europe. The terror group laundered its hundreds of 
millions of dollars in profits through used-car dealerships in America.
    Also in 2011, the FBI exposed a plot in which senior Quds Force 
operatives conspired with members of Mexico's Los Zetas drug cartel to 
assassinate Saudi Arabia's ambassador to Washington by bombing the 
restaurant where he dined. The Israeli Embassy in Washington was also 
targeted. The middleman between the terrorists and the drug dealers was 
an Iranian-American used-car salesman.
    And still the dots proliferate. U.S. authorities have implicated 
Hezbollah in the sale of contraband cigarettes in North Carolina, and 
Iran has manufactured and sold millions of rounds of ammunition to 
warring armies in Africa. So while skirting Western sanctions, Iran 
funds terror world-wide.
    But Iran's rulers are counting on the West's inability to see the 
larger pattern. Certainly the European Union would take a crucial step 
forward by designating Hezbollah a terrorist organization, but terror 
is only one pixel.
    Tehran is enriching uranium and rushing to achieve military nuclear 
capabilities. If it succeeds, the ayatollahs' vision of an Islamic 
empire could crystallize.
    Iran and its proxies have already dotted the world with murderous 
acts. They need only nuclear weapons to complete the horrific picture.
    Mr. Oren is Israel's ambassador to the United States.

    Mr. Meehan. We are joined today by the chief security 
officer of Mandiant Corporation, who is here to testify on the 
cyber threat posed by China. While I have already mentioned the 
administration's naming of the Chinese threat, a great deal of 
credit goes to Mandiant for its long-term work identifying the 
specific Chinese military unit responsible for looting our 
intellectual property and technological innovations and for 
publicly naming its actual geographic location. That threat is 
a service--that report is a service to all policymakers trying 
to combat the Chinese cyber threat.
    I also look forward to hearing from today's witnesses with 
respect to the threat from Russia. Russia is often overlooked 
in the cyber-threat realm, but they have capability and have 
illustrated the intent to use it in Estonia and Georgia.
    While we fear the theft of classified information, 
intellectual property, and source codes, as well as grave, 
crushing attacks on our critical infrastructure from nations 
who aim to harm us, the threat of monetary and identity theft 
of our citizens remains a top concern. As our traditional 
adversary in the game of espionage, I view cyber space as a 
new, modern Cold War battlefield between the United States and 
Russia, and we must prepare to respond appropriately.
    Let me close my comments by focusing on today's hearing. 
The point that I believe it is worth pointing out that North 
Korea has been the source of increased rhetoric pertaining to 
nuclear weapons, and the Obama administration has responded by 
announcing the addition of missile interceptors in Alaska over 
the last few years. North Korea's cyber capability should not 
be underestimated and its intent is difficult to assess.
    I note for the record, as recently as today, the incidents 
which are being attributed to North Korea by many with respect 
to the denial of services on banking and communications 
entities in South Korea, another escalation in the tension 
between those two, but seen by many--and I may be interested in 
the testimony of this distinguished panel--to be in response to 
actions by the United Nations and other civilized countries to 
rein in the Iranian--I mean the North Korean nuclear 
capability.
    So once again we are seeing this connection of cyber 
activity in relation to efforts by the civilized world to 
address both Iran and North Korea.
    As Chairman McCaul indicated in last week's full committee 
hearing, the committee plans to pass cybersecurity legislation 
in the coming weeks and months. We have been meeting with 
stakeholder groups affected by this issue, and we encourage 
continued dialogue.
    The vast majority of critical infrastructure is owned by 
the private sector, so there must be a true partnership between 
Government and industry to ensure we are protected. I look 
forward to a continuing conversation on these issues.
    Now, let me take a moment to recognize the Ranking Member, 
and I appreciate that she had been hustling over after being 
tied up with some other responsibilities. But it is a great 
privilege to be able to share this responsibility on this 
committee with my good friend, the gentlelady from New York. As 
I had identified at the outset, we have been working already 
together with our staffs.
    But I respectfully--I respect greatly the great body of 
work which the Ranking Member has already put into this issue 
from her previous service. I look forward in working together 
with her as this committee moves forward on this very, very 
important work.
    So let me turn it over to the Ranking Member. Thank you.
    [The statement of Chairman Meehan follows:]
                  Statement of Chairman Patrick Meehan
                             March 20, 2013
    I'd like to welcome everyone to today's hearing, which is our first 
subcommittee hearing of the 113th Congress. This being our first 
hearing, I'm going to take care of a few housekeeping items right off 
the bat.
    As some of you know, I chaired the Subcommittee on Counterterrorism 
and Intelligence last Congress. There are many overlapping issues in 
the cyber realm and I look forward to engaging in them over the next 2 
years.
    I'd like to begin by taking the opportunity to credit Ranking 
Member Clarke for her leadership on cybersecurity. You have been at 
this for a while and I look forward to working together in a bipartisan 
manner moving forward.
    Second, I'd also like to take the opportunity to salute the former 
Chairman of this subcommittee, Rep. Dan Lungren from California. Rep. 
Lungren served in Congress during the 1980s and after a stint at 
Attorney General of California in 1990s, felt compelled to serve again 
after September 11. He was elected to the House again in 2004 and was 
involved in virtually every post-9/11 Government policy response. His 
substance, knowledge, and exceptional legal acumen will be missed in 
this body. I wish him well and thank him for his service.
    Finally, I'd like to welcome the new Members to the subcommittee. 
In my experience, this committee has operated in a bipartisan manner 
and I expect that to continue in the 113th Congress. I look forward to 
working with all of you.
    Today's hearing is timely and relevant. We are examining the cyber 
threat posed by nation states: China, Russia, and Iran. I focus on the 
``nation-state'' aspect of this threat because it represents a new 
battlefield in state relations and we must prepare accordingly.
    Since the New Year, there have been significant developments in the 
cyber domain, highlighted by the fact the U.S. Government has finally 
begun to name the nation-states most responsible for cyber attacks 
against the United States. I believe identifying the threat is critical 
to combatting this problem and protecting our critical infrastructure.
    Over the last 2 months, the Obama administration has rightly placed 
cybersecurity at the top of the public agenda. In his State of the 
Union speech, President Obama specifically cited ``foreign countries'' 
swiping our corporate secrets, attacking our financial institutions, 
and sabotaging our power grid.
    While he didn't name any specific countries, last week, Tom 
Donilon, the President's National Security Advisor, outed China as the 
place where cyber intrusions are emanating on ``an unprecedented 
scale.''
    Also last week, in the Annual Threat Assessment by the U.S. 
intelligence community delivered to Congress last week, the Director of 
National Intelligence (DNI), James Clapper, named cyber as the top 
threat to U.S. National security. This represents a major shift in the 
threat assessment by the U.S. intelligence community and makes our work 
on this committee even more important.
    Last, The New York Times reported last week the President Obama 
discussed cybersecurity during a congratulatory phone call with the new 
Chinese President. The fact this issue is being addressed at the head-
of-state level is an excellent development. I credit the Obama 
administration for naming the threat and pushing for action.
    With respect to identifying the threat, this subcommittee has a 
history of identifying the threat and naming it publicly, often before 
it manifests itself. In fact, last year, former Rep. Lungren and I held 
a joint subcommittee hearing entitled, ``The Iranian Cyber Threat to 
the Homeland'' which identified Iran as a growing cyber threat.
    Since that hearing, it has been widely reported that Iran conducted 
distributed denial-of-service (DDoS) attacks against multiple American 
financial institutions. If true, I'd say that we were all correct in 
our predictions last July. Both Mr. Cilluffo and Mr. Berman testified 
at that hearing and aptly predicted Iran's growing intent and 
capability to conduct a cyber attack against the U.S. homeland. I 
credit you both for your foresight on this issue when many 
underestimated the Iranian cyber threat.
    I view today's hearing as a continuation of last year's hearing and 
I look forward to learning how the threat has evolved.
    With respect to the Iranian cyber threat, I believe clarity is 
critically important. Iran is the world's largest state sponsor of 
terrorism and continues to pursue nuclear weapons to ``wipe Israel off 
the map.'' In that sense, I believe we are dealing with a potentially 
irrational actor, which makes the Iranian cyber threat even more 
dangerous.
    Common sense dictates that any regime willing to detonate a bomb at 
a Washington, DC restaurant to assassinate the Saudi Ambassador to the 
United States would surely be willing to conduct a major cyber attack 
against U.S. critical infrastructure. The U.S. Government must make 
clear to the Iranians our ``red lines'' and make clear to them that if 
they escalate any cyber attacks against U.S. critical infrastructure, 
we will respond appropriately.
    For the Iranians, cyber is just another tool through which to sow 
terror and repress its people. In the words of my good friend Michael 
Oren, Israeli Ambassador to the United States, Iran's main export is 
murder. It is important we all realize that, especially within the 
context of cyber.
    To that ensure we have the clarity about the Iranian threat, I 
would like to enter into the record a February 16 op-ed in The Wall 
Street Journal by Ambassador Oren entitled ``Iran's Global Business is 
Murder, Inc.'' The op-ed provides great detail on Iran's murderous 
regime. I have also asked staff to ensure a copy of the op-ed has been 
provided to Members at today's hearing and encourage you to read it 
closely.
    In my view, we must assess the Iranian cyber threat through 
Ambassador Oren's perspective: ``in the context of murder, bombings, 
kidnappings, and trade in drugs and guns.'' Their cyber attack 
capability is increasing and their intent is murderous. We must not 
forget it.
    Without objection, so ordered.
    Members are also lucky to have a representative from Mandiant Corp. 
here today to testify on the cyber threat posed by China. While I've 
already mentioned the administration's naming of the Chinese threat, a 
great deal of credit goes to Mandiant for its long-term work 
identifying the specific Chinese military unit responsible for looting 
our intellectual property and technological innovations and publicly 
naming its actual geographic location. That report is a service to all 
policymakers trying to combat the Chinese cyber threat.
    As the ultimate credit to Mandiant's report on China's cyber 
threat, I will quote perhaps the premier American intelligence 
official, former CIA and NSA Director and fellow Pennsylvanian, General 
Michael Hayden, who simply stated: ``It was a wonderful report.'' 
General Hayden knows a thing or two about intelligence analysis so I 
view this as the ultimate validation of Mandiant's work.
    With respect to the Russian cyber threat, I look forward to hearing 
from today's witnesses. Russia is often overlooked in the cyber threat 
realm, but they have the capability and have illustrated the intent to 
use it in Estonia and Georgia.
    As our top traditional adversary in the game of espionage, I view 
cyber space as a new, modern Cold War battlefield between the United 
States and Russia and we must prepare and respond appropriately. While 
not the focus of today's hearing, I believe it is worth pointing out 
that North Korea has been the source of increased rhetoric pertaining 
to nuclear weapons and the Obama administration has responded by 
announcing the addition of missile interceptors in Alaska over the next 
few years.
    North Korea's cyber capability should not be underestimated and its 
intent is difficult to assess. It was widely reported North Korea 
conducted cyber attacks against South Korea and the United States in 
July 2009. We must keep a watchful eye on this continued threat actor.
    As Chairman McCaul indicated at last week's full committee hearing, 
the committee plans to pass cybersecurity legislation in the coming 
weeks and months. We have been meeting with stakeholder groups affected 
by this issue and we encourage continued dialogue. The vast majority of 
critical infrastructure is owned by the private sector so there must be 
a true partnership between Government and industry to ensure we are 
protected.
    I look forward to continuing the conversation on these issues.

    Ms. Clarke. I thank you, Mr. Chairman, and I thank you for 
holding this hearing today.
    First, I would like to congratulate you, Chairman Meehan, 
on your appointment to Chair of our subcommittee. I look 
forward to working with you to continue this subcommittee's 
proud history of bipartisan oversight and legislative action.
    I think that the topic at hand is an appropriate one for 
our subcommittee's first hearing at this Congress. I don't have 
to tell you, Mr. Chairman, that the cyber threats to our 
critical infrastructure are growing and serious, and 
cybersecurity is perhaps the most prominent National security 
issue we face this Congress.
    Last week in the intelligence community's annual world-wide 
threat assessment report to Congress, Director of National 
Intelligence, James Clapper, named cyber as the leading threat 
to our National security, ahead of terrorism, transnational 
crime, and WMD proliferation.
    To set the stage for the important actions that our 
committee must take to enhance our Nation's cybersecurity, it 
is important that we first examine the evolving nature of the 
threat we are facing.
    Each month seems to bring a new wrinkle in our 
understanding of the threat to our Government, to our 
businesses, and to individuals. Malicious cyber actors have 
destroyed 30,000 computers on an oil company's network in the 
blink of an eye.
    They have bombarded dozens of our banks with denial-of-
service attacks on a weekly basis in a concerted campaign 
dragging on for months. They have infiltrated the manufacturer 
of smart grid industrial control systems, which are currently 
installed all across the Nation in our critical infrastructure.
    These are just reports that have been made public in the 
last 9 months. We have long since passed the time when our 
biggest challenge in cyber space was dealing with the 
stereotypical teenager in his parent's basement.
    A small group of nation-states are taking advantage of the 
internet's openness to conduct cyber-espionage, not only 
against traditional Government targets, such as defense and 
intelligence agencies, but against all variety of economic 
targets and critical infrastructure.
    But though I think we have recognized this for some time, 
what has been missing is a public discussion of this bad 
behavior. That is why I think the events of the last few weeks 
have been a real tipping point in the way our Nation responds 
to cyber threats.
    Foreign actors can no longer be permitted to commit 
industrial-strength espionage against our Government and 
businesses without being brought to account. I have been 
heartened to see that the Obama administration has recently 
made great strides in this area.
    Two weeks ago, National Security Adviser Tom Donilon went 
on the record about China's aggressive behavior in cyber space, 
outlining key areas where the United States will require 
China's engagement moving forward. Then, last week, President 
Obama himself expanded upon the threat posed by the Chinese and 
other state actors, and the strong messages that we are 
beginning to send.
    I applaud the administration's willingness to raise this 
issue to the Presidential level. I hope that it leads to 
substantive engagement with foreign governments on proper 
conduct in cyber space.
    Finally, I am pleased that we are joined today by this very 
distinguished panel of witnesses. I look forward to learning 
more about the cyber threats to our critical infrastructure and 
further informing the public debate on cybersecurity.
    I yield back, Mr. Chairman.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
                             March 20, 2013
    I think that the topic at hand is an appropriate one for our 
subcommittee's first hearing this Congress.
    I do not have to tell you, Mr. Chairman, that the cyber threats to 
our critical infrastructure are growing and serious, and cybersecurity 
is perhaps the most prominent National security issue we will face this 
Congress.
    Last week, in the intelligence community's Annual Worldwide Threat 
Assessment report to Congress, Director of National Intelligence James 
Clapper named cyber as the leading threat to our National security, 
ahead of terrorism, transnational crime, and WMD proliferation.
    To set the stage for the important actions that our committee must 
take to enhance our Nation's cybersecurity, it is important that we 
first examine the evolving nature of the threat we are facing.
    Each month seems to bring a new wrinkle in our understanding of the 
threat to our Government, to our businesses, and to individuals.
    Malicious cyber actors have destroyed 30,000 computers on an oil 
company's network in the blink of an eye.
    They have bombarded dozens of our banks with denial-of-service 
attacks on a weekly basis in a concerted campaign dragging on for 
months.
    They have infiltrated the manufacturer of smart grid industrial 
control systems which are currently installed all across the country in 
our critical infrastructure.
    These are just reports that have been made public in the last 9 
months.
    We have long since passed the time when our biggest challenge in 
cyber space was dealing with the stereotypical teenager in his parents' 
basement.
    A small group of nation-states are taking advantage of the 
internet's openness to conduct cyber espionage, not only against 
traditional Government targets such as defense and intelligence 
agencies, but against all variety of economic targets and critical 
infrastructure.
    But though I think we have recognized this for some time, what has 
been missing is a public discussion of this bad behavior.
    That's why I think the events of the last few weeks have been a 
real tipping point in the way our Nation responds to cyber threats.
    Foreign actors can no longer be permitted to commit industrial-
strength espionage against our Government and businesses without being 
brought to account, and I have been heartened to see that the Obama 
administration has recently made great strides in this area.
    Two weeks ago, National Security Advisor Tom Donilon went on the 
record about China's aggressive behavior in cyber space, outlining key 
areas where the United States will require China's engagement moving 
forward.
    Then, last week, President Obama himself expanded upon the threat 
posed by the Chinese and other state actors and the strong messages 
that we are beginning to send.
    I applaud the administration's willingness to raise this issue to 
the Presidential level, and I hope that it leads to substantive 
engagement with foreign governments on proper conduct in cyber space.
    Finally, I am pleased that we are joined today by this 
distinguished panel of witnesses, and I look forward to learning more 
about the cyber threats to our critical infrastructure and further 
informing the public debate on cybersecurity.

    Mr. Meehan. Well, thank you, Ranking Member Clarke.
    One little housekeeping issue here, because one of the 
realities of our work here in Congress is the most important 
responsibility, which is to vote, and as you can see, we were 
just called to vote.
    So I am going to use the little window that we have here to 
try to do some quick introductions of our panel, and then I am 
going to ask--we are going to try to get through the testimony 
of two of the first witnesses.
    We will then quickly return from votes and, hopefully, 
gavel it down as quickly as we can after we are finished voting 
to hear the testimony of the last two, and then we will move 
into questions from the Members who are able to join us again. 
So let us--the rest of the committee is reminded, opening 
statements can be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             March 20, 2013
    The list of significant cyber intrusions against our critical 
infrastructure keeps growing.
    Our top Government officials are going on the record about state 
sponsors of aggressive cyber activities that have been stealing our 
trade secrets and intellectual property as well as targeting our most 
sensitive critical infrastructure networks.
    National Security Advisor Tom Donilon and Director of National 
Intelligence James Clapper have spent recent weeks identifying state 
sponsors of aggressive cyber activities--including China, Iran, and 
Russia.
    Just last week, President Obama raised the issue of cyber attacks 
with the Chinese president, instantly raising the importance of 
cybersecurity in the U.S.-China relationship.
    But even though we have made great strides in our response to 
state-sponsored cyber activities, we cannot expect the problem to go 
away overnight.
    It would be prudent to expect the future to bring new, more 
sophisticated attacks.
    Even the best, most secure critical infrastructure in our country 
is no match for a determined adversary backed by the resources of a 
government.
    That is why it is so important for this committee to pass 
comprehensive cybersecurity legislation.
    We must act to provide a framework which will improve the 
partnership between the owners and operators of our critical 
infrastructure and the Government to work together collaboratively to 
protect our networks.
    I look forward to working with you, Chairman Meehan and Ranking 
Member Clarke, as well as Chairman McCaul, to ensure that this 
legislative necessity becomes a reality.
    But while the threats we face are severe, it is important that we 
do not overstate them or call for a militarized response.
    Not all attacks require a military response. The vast majority of 
attacks are against individual citizens and the private sector.
    We need a measured civilian response that permits these threats to 
be addressed by DHS and the FBI working together to mitigate and 
respond to the attacks, investigate the perpetrators, and help prevent 
future attacks.
    Just last week, NSA Director Keith Alexander testified before 
Congress that cyber attacks on U.S. soil required a civilian-led 
response.
    The evolution or increase in threats is no justification for 
abandoning the traditional separation of foreign and domestic 
intelligence and law enforcement authorities.
    We cannot allow cyber attacks to provide a reason to jettison the 
precious and hard-won American values of privacy and civil liberties.
    I am convinced that any measure we put forth must embrace privacy 
and civil liberties as a bedrock principle.
    As we move forward with cybersecurity legislation, with those 
values firmly embedded, we must take the time to fully investigate and 
understand the scope of the threats we face.
    So, I am pleased that we are joined today by this panel of experts, 
who can speak to the diverse array of cyber threats to our critical 
infrastructure, and I look forward to their testimony.

    Mr. Meehan. Let me now identify the distinguished panel of 
witnesses before us here today on this topic--and no stranger, 
any of them, to this issue. Mr. Frank Cilluffo directs the 
Homeland Security Policy Institute at the George Washington 
University, where he works on a wide variety of homeland 
security issues, including counterterrorism, counter security, 
transportation security, and emergency management.
    Mr. Cilluffo joined G.W. in April 2003 after leaving the 
White House, where he was a special assistant to the President 
for homeland security.
    Mr. Richard Bejtlich is the chief information security 
officer for Mandiant, the security firm that recently released 
a widely-publicized report on the hacking activities of the 
Chinese government. Mr. Bejtlich has more than 13 years' 
experience of enterprise-level intrusion detection and incident 
response, working with the Federal Government, defense, and 
private industry.
    Mr. Ilan Berman is the vice president of the American 
Foreign Policy Council, where he specializes in regional 
security in the Middle East, Central Asia, and Russia. 
Throughout his career, Mr. Berman has consulted for numerous 
Government agencies, including the CIA and the Department of 
Defense. Mr. Berman has also authored several books, and serves 
as the editor of The Journal of International Security Affairs.
    Mr. Martin Libicki is a senior management scientist at RAND 
Corporation, where he focuses on the impacts of information 
technology on domestic and National security. His most recent 
research has focused on assisting the United States Air Force 
prepare for cyber war, exploiting cell phones in 
counterinsurgency, developing post-9/11 information technology 
strategy for the Department of Justice, and assessing the 
terrorist information awareness program for the Defense 
Advanced Research Project Agency.
    The witnesses' full written statements will appear in the 
record, so the Chairman now recognizes Mr. Cilluffo for 5 
minutes to testify.

 STATEMENTS OF FRANK J. CILLUFFO, DIRECTOR, HOMELAND SECURITY 
 POLICY INSTITUTE, CO-DIRECTOR, CYBER CENTER FOR NATIONAL AND 
      ECONOMIC SECURITY, THE GEORGE WASHINGTON UNIVERSITY

    Mr. Cilluffo. Well, thank you, Mr. Chairman.
    Chairman Meehan, Ranking Member Clarke, distinguished 
Members of the committee; I would like to thank you for the 
opportunity to appear before you today.
    Mr. Chairman, I think you deserve the foresight for having 
been prescient in terms of identifying the Iranians cyber 
threat the last go-around. So hats off to you.
    Quite honestly, I think we need to have continued 
leadership on these issues as the threat continues to grow in 
terms of scale, scope, and the consequences are becoming more 
and more clear. Put simply, both our National security and our 
Nation's economic security are at risk, and the stakes are 
exceedingly high.
    When prepping for this hearing and thinking about how to 
convey a whole lot of information in a very short amount of 
time, I thought perhaps the best way to do so is to provide a 
frame for how to think about some of these issues.
    I did put in my prepared remarks a couple of charts that 
get to the point where we can start racking and stacking the 
threats, understanding the different intentions and 
capabilities of the actors, and to be able to put it into some 
sort of context.
    I also will be very brief, and I know my fellow witnesses 
here will touch on all the various specific threats. But I 
would like to applaud the Mandiant report. I think it provided 
a smoking keyboard. We have all known about the Chinese 
activity, but in this case it provided both empirical evidence 
and did so with strong data. We need more of that in the open 
community.
    Very quickly, a couple of contextual thoughts and 
assumptions before I jump into the charts. It is becoming more 
and more clear that the future of conflict will include a cyber 
component. This is military and other forms of conflict. 
Computer network operations, including exploits and attacks 
will be and are being integrated into military planning, 
doctrine, and operations.
    Nations that can best marshal and mobilize their cyber 
power and integrate it into their strategy in war fighting, I 
would argue, will ensure significant National security 
advantage in the future. These efforts not only enhance their 
ability to project power in terms of a battlefield context, but 
also to stymie the power of others, and that is important to 
keep in mind when we are looking at some of the threat actors 
we are discussing today.
    Moreover, not all hacks are the same, nor are all hackers 
the same. The threat spectrum is wide-ranging. It comes in 
various shapes, sizes, and forms, ranging from nation-states 
who are integrating computer network attack and exploit into 
their war fighting capability down to those kids that are still 
operating out the basements of their parents' homes. So we do 
have that broad spectrum.
    I would underscore that nations themselves have different 
capabilities and different intentions. In the charts, what I 
tried to lay out in a very simple axis is a capability and 
intent axis, both in terms of what the steady-state threat 
matrix is to the United States and our homeland and also to 
what sorts of triggering events could cause an escalation.
    I spliced out what I call computer network exploit. Think 
of that as espionage, traditional espionage: Political, 
military secret-stealing, but also obviously economic 
espionage, which is the theft of intellectual property and 
economic secrets, as well as industrial espionage, where 
companies are stealing secrets to benefit--where countries are 
stealing to benefit individual companies. You have got to look 
at it in all those realms.
    Then you have got computer network attack, which is where 
they turn to computer network attack capabilities to be able to 
cause harm.
    So if you were to rack and stack the various countries we 
are talking about right now, obviously, China and Russia are 
what you would call APT threats, advanced persistent threats. 
They are at the very high end in terms of capability.
    When you look at the exploit side or the espionage side, 
they are blinking to the far right, both in terms of intentions 
and in terms of capabilities. When you look in terms of 
computer network attack, they are more on the left axis. In 
other words, they have some modicum of responsibility and 
recognize that we could retaliate and have some 
responsibilities to be able to at least harness some of that 
capability in a smart way.
    When you look at Iran, on the other hand, while the good 
news they are not at the same level of capability as Russia and 
China, the bad news is for what they lack in capability, they 
more than make up for in intent. What intent they don't have, 
they can turn to their proxies or they can simply buy or rent. 
Botnets are available for a small amount of money, and they can 
still cause harm.
    But the bar to entry, when we talk about cyber, is not very 
high. That said, those with more sophisticated capabilities, 
that they, in my eyes, are a much greater concern.
    North Korea, they are the wild card. North Korea, I think 
clearly has intent, and they are turning to computer network 
attack. Much like Iran, they are not curtailed in terms of some 
of their responsibilities in this space. So I put them on the 
very high end in terms of computer network attack and in terms 
of consequence and likelihood.
    As I know my time is running out, one thing to keep in mind 
that I think needs to be underscored, and this is with respect 
to Russia and China. If you can exploit, you can attack. In 
other words, if they have the intent to attack--we know what 
they are doing in terms of computer network exploitation. It is 
brazen. It is wholesale. It is significant.
    If their intent is to attack, the same techniques they are 
using to exploit can be flipped, literally. It is as simple as 
flipping a switch to attack. Here I think we have to take that 
very seriously, and there are a whole host of triggering events 
that could cause that escalation, which I am happy to get into 
during the Q & A.
    Bottom line, we are never going to firewall our way out of 
this problem. We need to improve our defenses, but we also need 
to invest in our offensive capabilities and get to a point 
where we can deter our enemies; dissuade, deter, and compel. I 
will leave it at that.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Cilluffo follows:]
                Prepared Statement of Frank J. Cilluffo
                             March 20, 2013
    Chairman Meehan, Ranking Member Clarke, and distinguished Members 
of the subcommittee, thank you for this opportunity to testify before 
you today. The subcommittee has demonstrated real leadership in this 
issue area with hearings and other work undertaken long before the 
cyber domain and its challenges were front and center on the National 
agenda as is now the case. For example, your hearing last April on the 
Iranian cyber threat to the United States was quite prescient.\1\ That 
challenge, and the broader one under study today, remains crucial to 
explore, understand, and respond to, because of all that is at stake--
namely U.S. National and economic security.
---------------------------------------------------------------------------
    \1\ ``The Iranian Cyber Threat to the United States'', Testimony of 
Frank J. Cilluffo before the House Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies; and the House 
Subcommittee on Counterrorism and Intelligence (April 26, 2012). http:/
/www.gwumc.edu/hspi/policy/
Iran%20Cyber%20Testimony%204.26.12%20Frank%20Cilluffo.pdf.
---------------------------------------------------------------------------
    My statement below is designed to help frame how the United States 
can and should assess and respond to cyber threats, especially those 
posed by nation-states. A great deal of excellent, deep-dive analysis 
is already being performed on specific threats, including the work of 
my fellow witnesses. For example, the recent Mandiant report tracing 
extensive hacking activity against the United States (and other 
countries and corporations) back to the doorstep of China's Army, the 
PLA, was a significant contribution to the discourse, in that it 
provided both forensic and empirical data, which are in short supply in 
the open-source literature, yet sorely needed.\2\ What is also needed, 
however, is a broader typology of the cyber threat, structured to help 
us rack and stack the challenges that we face, and prioritize our 
efforts to meet them. I will propose such a typology today to assess 
the relative severity of cyber threats, and also suggest how the United 
States might re-focus its cyber efforts accordingly.
---------------------------------------------------------------------------
    \2\ Mandiant Report, ``APT-1: Exposing one of China's Cyber 
Espionage Units'' (February 2013). http://intelreport.mandiant.com/, 
and https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-
espionage-units-releases-3000-indicators/.
---------------------------------------------------------------------------
    The cyber threat comes in various shapes, sizes, and forms. The bar 
to entry is low to launch a relatively rudimentary, but still 
potentially damaging, cyber attack. The threat spectrum ranges from 
nation-states plus their proxies, to foreign terrorist organizations, 
criminal syndicates and information brokers, to hacktivists, to ankle-
biters operating out of their parents' home. Each of these categories, 
in turn, also breaks down into a number of sub-categories. Regarding 
nation-states, for example, they vary widely in their sophistication, 
capability, intent, motivation, and so on. Taking a top-line 
perspective, however, it is nation-states (and their proxies) that the 
United States should be most concerned about when it comes to threat. 
This finding is supported by a recent Homeland Security Policy 
Institute (HSPI) Flash Poll conducted right after the President issued 
an Executive Order, ``Improving Critical Infrastructure 
Cybersecurity'',\3\ this February. According to our poll, to which over 
100 HSPI stakeholders responded: Nearly 70% of respondents indicated 
that nation-states posed the greatest threat to cybersecurity, by 
comparison to other categories of actors. The remainder of responses 
were split between foreign terrorist organizations, ``hacktivists'', 
organized crime, and ``other''.\4\
---------------------------------------------------------------------------
    \3\ http://www.whitehouse.gov/the-press-office/2013/02/12/
executive-order-improving-critical- infrastructure-cybersecurity.
    \4\ http://www.gwumc.edu/hspi/frontincludes/
Cyber%20EO%20Flash%20Poll%20Press- %20Release%202-15-2013.pdf.
---------------------------------------------------------------------------
    For too long, though, we have assessed and appreciated the nation-
state threat in overly general terms. The volume and nature of activity 
directed against us, and our allies, should serve as a wake-up call to 
raise our game. Now is the time to focus on the high-end threat, and to 
rack and stack our priorities. We simply cannot afford to do 
otherwise--not in the current economic climate, and not in light of the 
critical U.S. assets and infrastructure that are still vulnerable and 
at risk.
    Every day, new news of cyber intrusions, exploits, and attacks 
comes to light. The Nation's most sensitive sectors, from defense to 
energy to finance, are often the targets. Our adversaries have engaged 
in brazen activity, from computer network exploitation (CNE) to 
computer network attack (CNA). Foreign militaries are, increasingly, 
integrating CNE and CNA capabilities into their warfighting and 
military planning and doctrine. These efforts may allow our adversaries 
to enhance their own weapon systems and platforms, as well as stymie 
those of others. CNE may also support intelligence preparation of the 
battlefield, to include the mapping of critical infrastructures that 
could be targeted in a more strategic campaign or attack plan. CNAs may 
occur simultaneously with other forms of attack (kinetic, insider 
threats, etc).
    Last month, against this background, the President issued an 
Executive Order intended to improve critical infrastructure 
cybersecurity.\5\ The goal is closer collaboration between Government 
and the private sector to protect critical networks. The Executive 
Order is a good start, but it is no substitute for legislation--which 
can introduce a range of incentives (such as tax provisions, liability 
protections, and procurement preferences which factor security 
requirements into Federal acquisitions) plus sticks to accompany those 
carrots, and thereby raise the bar higher when it comes to critical 
infrastructure standards and practices.\6\
---------------------------------------------------------------------------
    \5\ http://www.whitehouse.gov/the-press-office/2013/02/12/
executive-order-improving-critical- infrastructure-cybersecurity.
    \6\ Frank J. Cilluffo and Andrew Robinson, ``While Congress 
dithers, cyber threats grow greater'' Nextgov.com (July 24, 2012). 
http://www.nextgov.com/cybersecurity/2012/07/while-congress-dithers-
cyber-threats-grow-greater/56968/.
---------------------------------------------------------------------------
    To refine and reinforce its stance in relation to the threat, the 
United States must focus upon actors and their particular behaviors, 
rather than upon technology per se, or upon means and modalities of 
attack. Doing so means digging deeper into specifics, and factoring 
those case-by-case (actor- and country-specific) details about our 
adversaries into a tailored U.S. response that is also designed to 
dissuade, deter, and compel our adversaries accordingly. Our response 
must be calibrated to address and thwart (among other things) the 
adversary's motivation--be it to steal money, intellectual property, or 
military secrets, etc. U.S. response must also be calibrated to address 
and thwart the adversary's intent--be it commercial gain, military 
advantage, criminal activity, etc. To complicate matters, both 
motivation and intent are multidimensional, and thus may consist of 
some combination of these factors. Motivation and intent may also 
change over time, and the various factors that comprise each may shift 
at a given moment. Nation-states and their proxies may also differ in 
their motivation and intent.
    Parsing our understanding of U.S. adversaries down to (and beyond) 
this level of granularity will yield insights upon which more effective 
strategies and tactics may be built and implemented. At first glance, 
such a task may seem overwhelming, given the number and complexity of 
the potential variables. The good news is that a robust but general 
posture should help us deal with the signal-to-noise ratio and suffice 
to handle 80% of the nefarious activity that comes our way. The other 
20% is where we need to keep a closer eye on the ball. I turn now to 
those harder cases, to offer a snapshot of who they are, what they have 
done, why they have done it, and what they might do in future.
    Naming and shaming is an approach that has been invoked with 
varying degrees of success across a range of contexts. Until recently, 
however, only a few of the boldest of U.S. officials (current and 
former) had walked out on that limb in the context under examination 
today. Lately, however, the number of U.S. Government and private-
sector voices has become more of a chorus. The President's National 
Security Advisor Thomas Donilon publicly cited and elaborated upon U.S. 
cybersecurity concerns in connection with China, in a speech earlier 
this month.\7\ Before that, and among other developments, the New York 
Times published an account of intrusions against its own networks \8\ 
by Chinese hackers--which in turn seems to have prompted a cascade of 
similar revelations, including in relation to the Washington Post and 
the Wall Street Journal. In this context, as in others, there is power 
in numbers.
---------------------------------------------------------------------------
    \7\ ``The United States and the Asia-Pacific in 2013'', before The 
Asia Society (March 11, 2013). http://www.whitehouse.gov/the-press-
office/2013/03/11/remarks-tom-donilon-national-security-advisory-
president-united-states-a.
    \8\ Nicole Perlroth, ``Hackers in China Attacked the Times for Last 
4 Months'', New York Times (January 30, 2013). http://www.nytimes.com/
2013/01/31/technology/chinese-hackers-infiltrate-new-york-times- 
computers.html?pagewanted=all&_r=0.
---------------------------------------------------------------------------
    Capabilities do matter, of course. Our most challenging adversaries 
in the cyber domain are commonly known as Advanced Persistent Threats 
(APT). China and Russia indisputably fall in this category although the 
two can and should be characterized and understood somewhat differently 
(see below). Iran is another difficult case, though a bit different in 
kind, as it makes up in intent what it may lack in capability--though 
its capabilities are noteworthy, especially when proxies are factored 
in. To the list of truly concerning nation-state actors one could and 
should also add North Korea. A worst-case scenario would combine 
kinetic and cyber attacks, and the cyber component would serve as a 
force multiplier to increase the lethality or impact of the physical 
attack(s).
    Though I will focus exclusively on China, Russia, and Iran in the 
limited space that remains, North Korea is a troubling case as well as 
an unusual one. Ordinarily, it is organized crime that seeks to 
penetrate the state. In this case, however, it is the other way around, 
with the state trying to penetrate organized crime in order to ensure 
the survival of the regime/dynasty. Like Iran, the DPRK is more likely 
to turn to CNA to achieve its objectives. In this regard, Iran and 
North Korea stand in contrast to China and Russia which operate under 
greater constraints. Precisely because North Korea has fewer 
constraints, I would underscore that it poses an important ``wild 
card'' threat, not only to the United States but also to the region and 
broader international stability.
    Since a picture is often worth a thousand words, I have tried to 
encapsulate findings and cross-country comparisons in the two charts 
that follow. The graphics are a rough attempt to rank each of the 
countries at issue according to capability and intent, as well as in 
terms of the CNE and CNA threat that they each pose, including in 
relative terms to one another. For the purposes of the matrices below, 
CNE is defined as traditional, economic, and industrial espionage, as 
well as intelligence preparation of the battlefield (IPB). However, IPB 
is also included in the definition of CNA used here, as it may well be 
a precursor, such as surveillance and reconnaissance of targets to be 
attacked. Bear in mind that if one can exploit, one can also attack if 
the intent exists to do so. Note also that, for present purposes, CNA 
is defined as activities that alter (disrupt, destroy, etc.) the 
targeted data/information. 


    The second chart reflects the shifts in position that may occur if 
triggering or unforeseen events lead to potential escalation: 


    Unless and until we wrap our heads around the challenge posed by 
each of these cases, and do so in a way that appreciates both the 
similarities and differences between and among them, our National and 
economic security (including our critical infrastructure) will remain 
at risk. Not all actors, nor capabilities, nor intentions, are the 
same. Tradecraft and its application may also differ widely. So too 
motivations, which may include blackmail, coercion, fraud, and theft. 
Heightening our understandings of each of these elements as they apply 
to key actors is all the more important, as countries continue to 
integrate CNA/CNE into war-fighting and military planning, and 
interweave the cyber domain into the activities of their foreign 
intelligence services, to include intelligence derived from human 
sources (HUMINT).
China
    China possesses sophisticated cyber capabilities and has 
demonstrated a striking level of perseverance, evidenced by the sheer 
number of attacks and acts of espionage that the country commits. 
Reports of the Office of the U.S. National Counterintelligence 
Executive have called out China and its cyber espionage, characterizing 
these activities as rising to the level of strategic threat to the U.S. 
National interest.\9\ The U.S.-China Economic and Security Review 
Commission notes further: ``Computer network operations have become 
fundamental to the PLA's strategic campaign goals for seizing 
information dominance early in a military operation''.\10\ China's 
aggressive collection efforts appear to be intended to amass data and 
secrets (military, commercial/proprietary, etc.) that will support and 
further the country's economic growth, scientific and technological 
capacities, military power, etc.--all with an eye to securing strategic 
advantage in relation to (perceived or actual) competitor countries and 
adversaries.
---------------------------------------------------------------------------
    \9\ ``Foreign Spies Stealing U.S. Economic Secrets in Cyberspace'', 
Report to Congress on Foreign Economic Collection and Industrial 
Espionage, 2009-2011 (October 2011). http://www.ncix.gov/publications/
reports/fecie_all/Foreign_Economic_Collection_2011.pdf [referred to 
hereafter as NCIX Report]. See also Frank J. Cilluffo, ``Chinese 
Telecom Firms Pose a Threat to U.S. National Security'', U.S. News & 
World Report (November 19, 2012). http://www.usnews.com/opinion/
articles/2012/11/19/chinese-telecom-firms-pose-a-threat-to-us-national-
security.
    \10\ Patton Adams, George Bakos, and Bryan Krekel, ``Occupying the 
Information High Ground: Chinese Capabilities for Computer Network 
Operations and Cyber Espionage,'' Report prepared for the U.S.-China 
Economic and Security Review Commission by Northrop Grumman Corp. 
(March 3, 2012). http://www.uscc.gov/RFP/2012/
USCC%20Report_Chinese_Capabilities- 
forComputer_NetworkOperationsandCyberEspionage.pdf.
---------------------------------------------------------------------------
    China denies the various charges leveled against it, and has raised 
its own hacking allegations, in which the country claims to have been 
victimized. The latter claim is difficult to accept completely, 
especially since China appears to take its own cybersecurity efforts 
seriously. According to Microsoft's security blog, ``China had the 
lowest malware infection rate . . . of any of the 105 locations 
included in volume 13 of the [Microsoft] Security Intelligence 
Report'', which refers back to 2012.\11\ Perhaps China is as focused on 
self-inoculation as it is on hacking others? And perhaps this posture 
derives from an attempt to protect against precisely the points of 
vulnerabilities that China saw in others? Consider also the Mandiant 
report referenced earlier, which identifies Chinese PLA Unit 61398 as 
the most likely culprit behind the theft of ``hundreds of terabytes of 
data from at least 141 organizations across a diverse set of 
industries, beginning as early as 2006.''
---------------------------------------------------------------------------
    \11\ Tim Rains, ``The Threat Landscape in China: A Paradox'' (March 
11, 2013). http://blogs.technet.com/b/security/
---------------------------------------------------------------------------
    As a domain, cyber space is made for plausible deniability. 
Attribution remains a challenge, because smoking keyboards can be hard 
to find; and in the case of China, the PLA may also outsource certain 
activities and operations to skilled hackers, to distance the PLA from 
any smoking keyboards.\12\ The attribution challenge is just one reason 
the Mandiant report is significant. Separate and apart from attempts to 
mask involvement in activity targeting the United States, there may 
also be powerful reasons for China to restrict itself from acting 
against the United States in certain ways, at least at a particular 
moment in time. Director of National Intelligence James Clapper 
testified last week that China and Russia are ``advanced'' cyber 
actors, but that he did not foresee ``devastating'' cyber attacks by 
these two actors against the United States in the near future \13\--
``outside of a military conflict or crisis that they believe threatens 
their vital interests.''\14\ The vital interests caveat is important, 
since it is fairly easy to identify potential triggers in this 
category, such as Taiwan.
---------------------------------------------------------------------------
    \12\ Perlroth, http://www.nytimes.com/2013/01/31/technology/
chinese-hackers-infiltrate-new-york-times-
computers.html?pagewanted=all&_r=0.
    \13\ Mark Mazetti and David E. Sanger, ``Security Leader Says U.S. 
Would Retaliate Against Cyberattacks'', New York Times (March 12, 
2013). http://www.nytimes.com/2013/03/13/us/intelligence-official-
warns-congress-that-cyberattacks-pose-threat-to-us.html?src=twr&_r=0.
    \14\ Tom Gjelten, ``Is All The Talk About Cyberwarfare Just Hype?'' 
NPR.org (March 13, 2013). http://www.npr.org/2013/03/15/174352914/is-
all-the-talk-about-cyberwarfare-just-hype.
---------------------------------------------------------------------------
    The administration's public pronouncements on China have taken on a 
tougher tone this month, which represents a good step forward--but this 
is only a first step down a path that, for far too long, we have been 
traveling too slowly and too weakly. National Security Advisor Thomas 
Donilon emphasized ``the urgency and scope of this problem''--meaning 
``sophisticated, targeted theft of confidential business information 
and proprietary technologies through cyber intrusions emanating from 
China on an unprecedented scale''. Donilon then called on China ``to 
investigate and put a stop to these activities'' as well as ``engage 
with us in a constructive direct dialogue to establish acceptable norms 
of behavior in cyberspace''.\15\ Days later, President Obama himself 
raised U.S. cyber concerns (of volume, scale, and scope) in a phone 
call with China's President, Xi Jinping.\16\ Sustained U.S. leadership 
and engagement, at the highest levels, will be required, moving 
forward.
---------------------------------------------------------------------------
    \15\ Donilon, supra.
    \16\ Steve Holland, ``Obama, China's Xi discuss cybersecurity 
dispute in phone call'', Reuters (March 14, 2013). http://
www.reuters.com/article/2013/03/14/us-usa-china-obama-call-
idUSBRE92D11G20130314.
---------------------------------------------------------------------------
    Since the line between CNE and CNA is thin, with the distinction 
between the two turning largely on intent, it is crucial that there be 
consequences for the actor that engages in sophisticated and persistent 
CNE. The principle applies regardless of the perpetrator. Indeed, one 
could argue that the only difference between China and Russia in this 
regard is that China got caught. It is a numbers game, after all. And 
China may not even be that concerned about getting caught, since the 
country may have taken a conscious decision to throw as much as 
possible at us, in terms of human resources dedicated to CNE--in the 
hope that some, even if not all, of their efforts would yield fruit. 
Unless and until there are consequences for such behavior, China (and 
others) have no real reason to care if they are caught in the act of 
CNE. To date, there have been no significant consequences for China's 
massive intrusions into critical U.S. networks. By failing to call 
attention to their CNE campaign (much less retaliating in any way at 
all) earlier on, we have encouraged it. Last month's White House report 
announcing a new strategy to mitigate the theft of U.S. trade secrets 
is at least a step in the right direction.\17\
---------------------------------------------------------------------------
    \17\ Executive Office of the President of the United States, 
``Administration Strategy on Mitigating the Theft of U.S. Trade 
Secrets'' (February 2013) http://www.whitehouse.gov/sites/default/
files/omb/IPEC/
admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.- pdf.
---------------------------------------------------------------------------
Russia
    Russia's cyber capabilities are, arguably, even more sophisticated 
than those of China. The Office of the U.S. National 
Counterintelligence Executive (NCIX) observes: ``Moscow's highly 
capable intelligence services are using HUMINT [human intelligence], 
cyber, and other operations to collect economic information and 
technology to support Russia's economic development and security.\18\ 
Russia's extensive attacks on U.S. research and development have 
resulted in Russia being deemed (along with China), ``a national long-
term strategic threat to the United States,'' by the NCIX.
---------------------------------------------------------------------------
    \18\ NCIX Report, supra, at p. 5. http://www.ncix.gov/publications/
reports/fecie_all/For- eign_Economic_Collection_2011.pdf.
---------------------------------------------------------------------------
    In 2009, the Wall Street Journal reported that cyber-spies from 
Russia and China had penetrated the U.S. electrical grid, leaving 
behind software programs. The intruders did not cause damage to U.S. 
infrastructure, but sought to navigate the systems and their controls. 
Was this reconnaissance or an act of aggression? What purpose could the 
mapping of critical U.S. infrastructure serve, other than intelligence 
preparation of the battlefield?
    Ambassador David Smith notes: ``Russia has integrated cyber 
operations into its military doctrine; though not fully successful . . 
. Russia's 2008 combined cyber and kinetic attack on Georgia was the 
first practical test of this doctrine . . . [and] we must assume that 
the Russian military has studied the lessons learned''.\19\ Russia was 
also behind the 2007 distributed denial-of-service (DDoS) attacks on 
Estonia (its government, banks, etc.) although Russia denies official 
involvement. Relying upon ``patriotic hackers'' guided by government 
handlers plus a little help from the Russian intelligence service, 
however, does not alter the reality that activity undertaken by those 
hackers is state-sponsored and directly implicates Russia.
---------------------------------------------------------------------------
    \19\ ``How Russia Harnesses Cyberwarfare'', American Foreign Policy 
Council Defense Dossier (August 2012) http://www.afpc.org/files/
august2012.pdf.
---------------------------------------------------------------------------
    Hackers and criminals based in Russia have also made their mark. 
Cyber space has proven to be a gold mine for criminals, who have moved 
ever more deeply into the domain as opportunities to profit there 
continue to multiply. Russia's slice of the 2011 global cyber crime 
market has been pegged at $2.3 billion, and there are indications that 
the forces of Russian organized crime have begun to join up ``by 
sharing data and tools'' to increase their take.\20\ Just last week, 
moreover, hackers based in Russia posted what seemed to be personal 
financial information about the Vice President, the Director of the 
FBI, and a number of other current and former senior U.S. 
officials.\21\ Russia's history has demonstrated a toxic blend of 
crime, business, and politics--and there are few, if any, signs that 
things are changing today. Indeed, as the former ranking member of the 
KGB in London said recently, Moscow has as many spies in the United 
Kingdom now as it did in the Cold War.\22\ Similarly, former CIA 
officer Hank Crumpton has said: ``I would hazard to guess there are 
more foreign intelligence officers inside the U.S. working against U.S. 
interests now than even at the height of the Cold War.''\23\
---------------------------------------------------------------------------
    \20\ Group IB, State and Trends of the Russian Digital Crime Market 
2011, p. 6, http://group- ib.com/images/media/Group-
IB_Report_2011_ENG.pdf; see also http://group-ib.com/images/media/
Group-IB_Cybercrime_Inforgraph_ENG.jpg (graphics).
    \21\ Ken Dilanian and Jessica Guynn, ``Obama meets with CEOs to 
push cyber-security legislation'', L.A. Times (March 13, 2013) http://
www.latimes.com/business/la-fi-obama-hacking-20130314,0,2583428.story.
    \22\ Luke Harding, ``Gordievsky: Russia has as many spies in 
Britain now as the USSR ever did'', The Guardian (March 11, 2013). 
http://www.guardian.co.uk/world/2013/mar/11/russian-spies-britain-oleg-
gordievsky.
    \23\ ``More spies in U.S. than ever, says ex-CIA officer.'' 60 
Minutes (May 10, 2012). http://www.cbsnews.com/8301-18560_162-57431837/
more-spies-in-u.s-than-ever-says-ex-cia-officer/.
---------------------------------------------------------------------------
Iran
    In April 2012, as mentioned earlier, I testified before a joint 
hearing of this subcommittee and the Subcommittee on Counterterrorism 
and Intelligence, on the subject ``The Iranian Cyber Threat to the 
United States.''\24\ What follows is an attempt to distill the essence 
of that 9-page statement into just a few paragraphs here.\25\
---------------------------------------------------------------------------
    \24\ http://www.gwumc.edu/hspi/policy/
Iran%20Cyber%20Testimony%204.26.12%20Frank%20- Cilluffo.pdf.
    \25\ For an in-depth treatment of Iran, see Gabi Siboni and Sami 
Kronenfeld, ``Iran and Cyberspace Warfare'' in Military and Strategic 
Affairs, Vol. 4, No. 3 (Dec. 2012) at 77-99. http://www.gwumc.edu/hspi/
policy/INSS.pdf.
---------------------------------------------------------------------------
    Iran is investing heavily to deepen and expand its cyber warfare 
capacity.\26\ A range of proxies for indigenous cyber capability also 
exist. There is an arms bazaar of cyber weapons, and our adversaries 
need only intent and cash to access it. Capabilities, malware, weapons, 
etc.--all can be bought or rented. Iran has also long relied on proxies 
such as Hezbollah--which now has a companion organization called Cyber 
Hezbollah--to strike at perceived adversaries. Elements of Iran's 
Revolutionary Guard Corps (IRGC) have also openly sought to pull 
hackers into the fold. There is evidence that at the heart of IRGC 
cyber efforts one will find the Iranian political/criminal hacker group 
Ashiyane;\27\ and the Basij, who are paid to do cyber work on behalf of 
the regime, provide much of the manpower for Iran's cyber 
operations.\28\
---------------------------------------------------------------------------
    \26\ Yaakov Katz, ``Iran Embarks on $1b. Cyber-Warfare Program,'' 
Jerusalem Post (December 18, 2011) http://www.jpost.com/Defense/
Article.aspx?id=249864.
    \27\ Iftach Ian Amit, ``Cyber [Crime/War],'' paper presented at 
DEFCON 18 conference (July 31, 2010).
    \28\ ``The Role of the Basij in Iranian Cyber Operations'', 
Internet Haganah (March 24, 2011) http://internet-haganah.com/
harchives/007223.html.
---------------------------------------------------------------------------
    In January 2013, the Wall Street Journal reported on ``an 
intensifying Iranian campaign of cyber attacks [thought to have begun 
months earlier] against American financial institutions'' including 
Bank of America, PNC Financial Services Group, Sun Trust Banks Inc., 
and BB&T Corp.\29\ In the latest chapter in this story, six leading 
U.S. banks--including J.P. Morgan Chase--were targeted just last week, 
in ``the most disruptive'' wave of this campaign, characterized by DDoS 
attacks.\30\ The Izz ad-Din al-Qassam Cyber Fighters claim 
responsibility for all of these incidents.
---------------------------------------------------------------------------
    \29\ Siobhan Gorman and Danny Yadron, ``Banks Seek U.S. Help on 
Iran Cyberattacks'', Wall Street Journal (January 15, 2013) http://
online.wsj.com/article/
SB10001424127887324734904578244302923178548.html.
    \30\ Tracy Kitten, ``DDoS: 6 Banks Hit on Same Day'' (March 14, 
2013) http://www.bankinfosecurity.com/ddos-6-banks-hit-on-same-day-a-
5607.
---------------------------------------------------------------------------
    There has also been considerable speculation about government of 
Iran involvement in a number of hacking incidents including against 
Voice of America, and Dutch firm DigiNotar which issues security 
certificates. Fallout from the latter case was significant, and 
affected a range of entities including Western intelligence and 
security services, Yahoo, Facebook, Twitter, and Microsoft.\31\ The 
DigiNotar case, moreover, reflected a new and concerning level of 
sophistication on the part of Iran and its capabilities. Iran and 
Hezbollah are also suspected in connection with the August 2012 cyber 
attacks on the state-owned oil company Saudi Aramco and on Qatari 
producer RasGas, which resulted in the compromise of approximately 
30,000 computers.\32\
---------------------------------------------------------------------------
    \31\ Kevin Kwang, ``Spy agencies hit by CA hack; Iran suspected,'' 
ZDNet Asia (September 5, 2011) http://www.zdnetasia.com/spy-agencies-
hit-by-ca-hack-iran-suspected-62301930.htm. See also Bill Gertz, 
``Iranians hack into VOA website,'' The Washington Times (February 21, 
2011).
    \32\ Adam Schreck, ``Virus origin in Gulf computer attacks 
questioned'', Associated Press.  http://www.nbcnews.com/technology/
technolog/virus-origin-gulf-computer-attacks-questioned-978717. See 
also Siboni and Kronenfeld, supra, at pp. 90-91.
---------------------------------------------------------------------------
    On the kinetic side, from Bulgaria to Bangkok, we have seen an 
uptick in attacks and assassinations (attempted and actual) targeting 
Israeli, Jewish, U.S., and Western interests. Iranian agents and 
proxies (Hezbollah) have been implicated, although Iran has tried to 
distance itself from these incidents and denied responsibility. Also 
recall the recently thwarted Iranian plot to assassinate Saudi Arabia's 
Ambassador to the United States on U.S. soil. Based on recent activity, 
the Los Angeles Police Department has elevated the government of Iran 
and its proxies to a Tier One threat.
                               conclusion
    Looking ahead, with the described threat spectrum in mind, the 
United States must strike a careful and powerful balance between 
offense and defense, to include a well-developed and well-articulated 
cyber deterrence strategy.\33\ Historically, that balance has tilted 
heavily toward defense.\34\ More recently, however, we have seen and 
heard evidence that the pendulum has shifted significantly. These 
indicators include General Alexander's testimony before the Senate 
Armed Services Committee last week (in his capacity as head of U.S. 
Cyber Command and director of the National Security Agency), in which 
he referenced and detailed a series of cyber teams attached to Cyber 
Command--and underscored the role of these teams in contributing to and 
supporting offensive capabilities.\35\ As for U.S. cyber deterrence 
strategy, it must reflect the best ways and means of raising the 
(actual and perceived) costs and risks of action, to our adversaries, 
so as to prevent them from taking steps that would harm U.S. interests.
---------------------------------------------------------------------------
    \33\ Frank J. Cilluffo, Sharon L. Cardash, and George C. 
Salmoiraghi, ``A Blueprint for Cyber Deterrence: Building Stability 
through Strength'', in Military and Strategic Affairs, Vol. 4, No. 3 
(Dec. 2012) at 3-23. http://www.gwumc.edu/hspi/policy/INSS.pdf
    \34\ Frank Cilluffo and Sharon Cardash, ``Defense Cyber Strategy 
Avoids Tackling the Most Critical Issues'' in Nextgov.com (July 28, 
2011) http://www.nextgov.com/cybersecurity/2011/07/commentary-defense-
cyber-strategy-avoids-tackling-the-most-critical-issues/49494/.
    \35\ Ellen Nakashima, ``Pentagon creating teams to launch 
cyberattacks as threat grows'', Washington Post (March 12, 2013). 
http://www.washingtonpost.com/world/national-security/pentagon-
creating-teams-to-launch-cyberattacks-as-threat-grows/2013/03/12/
35aa94da-8b3c-11e2-9838-d62f083ba93f_print.html.
---------------------------------------------------------------------------
    An ``active defense'' capability, meaning the ability to 
immediately attribute and counter attacks, is needed to address future 
threats in real-time. U.S. companies cannot be expected to go it alone, 
unassisted, against foreign intelligence services. If a thief robs a 
bank, the police will not stand idly by as the robber races away with 
his take. Similarly, the public and private sectors must partner 
together to prevent major heists on-line--and when private defenses are 
breached, the U.S. Government must work closely with companies to 
ensure that there are consequences for the perpetrator(s). Active 
defense is a complex undertaking however, as it requires meeting the 
adversary closer to their territory, which in turn demands the merger 
of our foreign intelligence capabilities with U.S. defensive and 
offensive cyber capabilities (and potentially may require updating 
relevant authorities).\36\ At the end of the day, however, perhaps the 
best deterrent--irrespective of the threat/actor--is the ability to 
recover, reconstitute, and bounce back quickly.
---------------------------------------------------------------------------
    \36\ Testimony of Frank J. Cilluffo before the Senate Committee on 
Homeland Security & Governmental Affairs, ``The Future of Homeland 
Security: Evolving and Emerging Threats'' (July 11, 2012). http://
www.gwumc.edu/hspi/policy/Testimony%20-%20SHSGAC%20Hearing%20- 
%2011%20July%202012.pdf. See also: Testimony of Frank J. Cilluffo 
before the House of Representatives' Homeland Security Committee, ``The 
Department of Homeland Security: An Assessment of the Department and a 
Roadmap for its Future'' (September 2012).
---------------------------------------------------------------------------
    In conclusion, the threat is clear, but it is not monolithic. It 
will also continue to evolve over time. We may see nation-states 
intertwine increasingly with proxy actors, to include skilled hackers 
for hire.\37\ Now is the time to examine and deconstruct the high-end 
threat in its many permutations and combinations, so as to devise 
nuanced and effective counterstrategies and tactics. Thank you again, 
to the subcommittee and its staff, for the opportunity to testify 
today. I would be pleased to try to answer any questions that you may 
have.
---------------------------------------------------------------------------
    \37\ Frank J. Cilluffo and Joseph R. Clark, ``Thinking About 
Strategic Hybrid Threats: In Theory and in Practice'', PRISM 4, no. 1 
(December 2012) http://www.ndu.edu/press/strategic-hybrid-threats.html.

    Mr. Meehan. Mr. Cilluffo, thank you for that very, very 
sobering assessment.
    It is my judgment that we would be better positioned at 
this point in time to move over as quickly as we can, vote, and 
then I will ask the members of the panel to, as quickly as 
possible after the last vote, to return here so we can 
continue.
    Mr. Bejtlich, I would rather you have the comfort of not 
feeling rushed. Your testimony, the great work that you did 
with Mandiant, your organization, and your testimony, I think, 
are too important for us to rush through.
    So I thank the panel for your recognition. We look forward 
to joining you again shortly after votes.
    So the committee stands in recess until such time is called 
back to order. Thank you.
    [Recess.]
    Mr. Meehan. The Committee on Homeland Security Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security 
Technologies will now come back into order after our break to 
conduct our votes.
    When we were last together we enjoyed the opportunity to 
hear Mr. Cilluffo's testimony and we are going to continue now 
at this point in time to continue to listen to the testimony of 
our distinguished panel and I am grateful to the panel for your 
forbearance in working with us during those votes.
    So at this time, the Chairman recognizes Mr. Bejtlich for--
oh I am sorry--yes, Mr. Bejtlich for your testimony.
    Thank you.

   STATEMENT OF RICHARD BEJTLICH, CHIEF SECURITY OFFICER AND 
             SECURITY SERVICES ARCHITECT, MANDIANT

    Mr. Betjlich. Thank you Mr. Chairman.
    Thank you Ranking Member Clarke and distinguished members 
of the panel.
    My name is Richard Bejtlich and I am the chief security 
officer of Mandiant.
    As chief security officer, part of my role at the company 
is to protect Mandiant and our customers from digital threats. 
Last month, Mandiant gave the world a glimpse of one of these 
threats.
    It was a Chinese military unit we identified internally as 
APT or Advanced Persistence Threat One. We identified that unit 
as being 61398, which is a term the Chinese military uses 
itself to assign to this unit.
    This unit, we found to be operating approximately 141 
companies in the United--primarily in the United States and 
then in some other locations as well. This is only one of the 
two dozen or so groups that we track. Many of those are Chinese 
but there are several that are Russian and we have a second 
category of groups that we have not formally attributed, some 
of which we believe may be from places such as Iran. We are 
starting to see them for the first time.
    As a result of our work, we are encountering these 
intruders on a daily basis and as we sit here Mandiant is 
responding to intrusions at dozens of companies, and our 
software and our services are helping dozens or even hundreds 
more deal with advance threats.
    So you might be wondering why is it that these groups, 
whether they are from Russia or China or Iran, or other places, 
why is it that they are able to succeed in compromising 
targets? I would like to quickly summarize six reasons that we 
think that is the case.
    The first reason is the attacks that were previously 
reserved for the Government have migrated to the private 
sector. In other words, what intruders used to use against 
highly-defended targets are now used against many targets, many 
of whom are just not positioned to defend themselves.
    Second, these attacks are targeting people less than 
computers or at least conceptually, they are targeting the 
people. In other words, the intruders are figuring out ways to 
get you to execute code, visit links, take actions that will 
result in their computers being compromised. Many times without 
even the user knowing it.
    Third, many of these attacks are coming from the inside and 
by that I mean it is common now to see attackers go after 
smaller companies or partner companies or other trusted 
entities as way to get in to the ultimate target which is 
another company.
    So the larger companies who can afford to defend themselves 
have become harder and harder topics, so now we are seeing the 
attacks migrate to the periphery and then they are working 
their way in.
    The fourth reason that these attacks are successful is that 
there is an imbalance between offense and defense. A single 
attacker or a group of attackers can keep hundreds or even 
thousands of defenders busy, there is such an asymmetry there.
    As I have noted in the testimony to other committees we do 
have issues with science, technology, education, and math such 
that we can have trouble producing the types of engineers, 
developers, defenders, to protect ourselves.
    The fifth reason that many of these attacks are successful 
is that the countries that harbor these intruders are unwilling 
to hold them accountable. In many cases, these attacks are 
government sanctions or directly government targeted and 
sponsored and this was defiantly the case as we saw of the 
Chinese military unit I mentioned.
    The final reason of these six is that one of the most 
valuable resources we have in defending ourselves, threat 
intelligence is unevenly distributed in the Western world 
honestly.
    Not enough defenders have it. The Government has a lot of 
the information that is required but there are challenges 
regarding protection of sources and methods, classification, so 
forth to getting that information at the hands of defenders. 
Even when that information is available, it is not in a format 
that you can just put into a tool, put into your processes. 
There is a lot of reading an e-mail, retyping, and so forth.
    So at Mandiant, we try to emphasize machine languages that 
can exchange information with each other. We have an open 
standard called OpenIOC that we recommend people take a look 
at. You put that together and you will have a little better 
results.
    So what to do about it? We do recommend that the Government 
encourage threat intelligence sharing. We like to stress the 
threat intelligence does not mean information about individual 
Americans. It is not personally identifiable information. If 
you take a look at the report we released, it does not include 
anyone's name or phone number or credit card or that sort of 
thing.
    Second, we encourage the notification by entities like the 
Federal Bureau of Investigation to tell companies that they 
have been compromised. This is a program that has been 
happening now for several years and it is very effective.
    Then finally, we believe that it is important for the 
Government to hold the most egregious offenders of cyber 
espionage and other attacks accountable. If it were simply 
possible to turn down the level of activity slightly to 
internationally recognized norms or at least historical norms, 
the private sector in particular would have an easier time 
defending itself.
    Thank you again for the opportunity. I look forward to 
answering your questions.
    [The prepared statement of Mr. Bejtlich follows:]
                 Prepared Statement of Richard Bejtlich
                             March 20, 2013
    Thank you, Chairman Meehan, Ranking Member Clarke, and Members of 
the subcommittee, for inviting me to discuss threats to our Nation's 
computer networks. My name is Richard Bejtlich and I am the chief 
security officer (CSO) at Mandiant. As CSO, part of my role is to 
understand the threats affecting Mandiant and our customers. I 
developed these skills as a military intelligence officer with the Air 
Force Computer Emergency Response Team and as director of the Computer 
Incident Response Team for General Electric, where I helped defend over 
300,000 employees and more than half a million computers.
    Mandiant protects the assets of the world's most respected 
organizations from digital intruders. In addition to responding to 
high-profile computer security incidents, such as the New York Times, 
we equip security organizations with the tools, intelligence, and 
expertise required to find and stop attackers who would otherwise roam 
freely on their networks. We serve more than 30% of the Fortune 100. As 
I sit here Mandiant is responding to dozens of computer security 
incidents while our products protect hundreds more organizations from 
targeted attackers.
    We have investigated millions of systems, and we receive calls 
almost every single day from companies that have suffered a 
cybersecurity breach. These intrusions affect many industries, 
including law firms, financial services, manufacturers, retailers, the 
defense industrial base, telecommunications, space and satellite and 
imagery, cryptography and communications, government, mining, software, 
and many others.
    It is reasonable to assume that, if an advanced attacker targets a 
particular company, a breach is inevitable. That surprises many people, 
but it is the result of the gap between our ability to defend ourselves 
and our adversaries' ability to circumvent those defenses. There are at 
least six reasons why attackers continue to successfully exploit this 
gap in security:
    First, the sophisticated, cutting-edge attacks that were previously 
reserved solely for Government targets have spread to the private 
sector. Many American corporations, even if they are compliant with 
appropriate cybersecurity regulations and best practices, are not 
prepared for these advanced threats.
    Second, the attackers are targeting people, not computers. While 
previous generations of attacks targeted technology and exploited 
vulnerabilities in software, attackers now target human weaknesses. 
These attacks focus on individuals and leverage personal information 
the victim made public via social media. These personalized attacks can 
be difficult to detect and prevent because they exploit human 
vulnerabilities and trust.
    Third, more attacks are coming from the ``inside.'' It is common to 
see attackers compromise smaller companies with fewer security 
resources, and then ``upgrade'' their access from the trusted, smaller 
companies to the main target. This problem also occurs when large 
businesses ``acquire'' infected networks through a corporate merger or 
acquisition of a smaller company.
    The fourth reason a security gap exists involves an imbalance 
between offense and defense. A single attacker can generate work for 
hundreds, if not thousands of defenders. A lone attacker need only 
breach his target's defenses once to accomplish his goals, but the 
victim must try to prevent 100% of the attacks. This imbalance is 
compounded by the critical shortage of skilled security professionals 
here in the United States.
    Fifth, many advanced attackers reside in nations that not only 
refuse to hold attackers accountable for their actions, but also 
provide resources and direction to the attackers. So long as state-
sponsored criminals can infiltrate American networks and steal American 
intellectual property without risks or repercussions, these attacks 
will continue unabated.
    Mandiant documented one example of this threat in our APT1 report, 
released on February 19, 2013. We identified the Chinese cyber 
espionage unit we call Advanced Persistent Threat 1. We assess APT1 to 
be Unit 61398, a military hacking unit inside the People's Liberation 
Army. Unit 61398 is one of approximately 20 groups targeting 
intellectual property from companies around the world that we assess as 
operating out of China. Unit 61398 is a single operation that has 
conducted a cyber espionage campaign against a broad range of victims 
since at least 2006. From our observations, it is one of the most 
prolific cyber espionage groups in terms of sheer quantity of 
information stolen. While it seems clear that Unit 61398 is 
headquartered in Shanghai, it should be stated that Mandiant tracks 
dozens of APT groups and not all of them originate in China.
    Finally, one of the most valuable resources in detecting and 
responding to cyber attacks--accurate and timely threat intelligence--
is often unavailable to many defenders. Even if defenders have threat 
intelligence, the means to share it are cumbersome and manual. The 
United States needs an effective framework for sharing information 
among commercial entities, and between corporate America and the 
Government.
    Because of these six factors, corporate America continues to be 
routinely compromised. However, there are steps we can take to 
significantly narrow the security gap and increase the costs and effort 
required to steal our intellectual capital.
    First, the Government should promote policies that encourage 
sharing threat intelligence between the private sector and Government, 
and among private-sector entities. Threat intelligence does not contain 
personal information of American citizens and privacy can be maintained 
while learning about threats.
    Intelligence should be published in an automated, machine-
consumable, standardized manner. Current systems rely on exchanging 
emails with documents that people must read and transcribe. Mandiant's 
free OpenIOC standard is one example of a way to codify and exchange 
threat intelligence.
    Second, the Government should support and expand programs whereby 
law enforcement agencies notify private-sector victims of compromise. 
Mandiant's recent 2013 M-Trends report shows that only a third of 
advanced intrusion victims discover breaches on their own. Two-thirds 
of the time, an external entity, such as the FBI, tells the victim that 
a foreign entity has stolen their data. External notification is a 
powerful tool to counter cyber thieves.
    Third, the Government should encourage governments hosting or 
sponsoring the most egregious cyber spies to reduce their activity to 
internationally acceptable norms. All governments spy to some degree, 
but they should not target and overwhelm private-sector companies, 
organizations, and individuals.
    Countering digital threats is challenging, but adopting these three 
recommendations will help reduce the security gap. I look forward to 
your questions.
    Thank you, Mr. Chairman.

    Mr. Meehan. Thank you, Mr. Bejtlich. Again, I want to 
express at least in my position as Chairman, the appreciation 
for what I believe is the courageous move by Mandiant.
    I know that there was a great deal of consideration given 
both with regard to whether you ought to make public what you 
know and as well as, you know, in effect, sources of methods 
and other kinds of things that--but at the same time, it 
created a firm record which I think helped to establish very 
importantly that activity and I think it was a great effort on 
behalf of our efforts to secure cyber space.
    I now turn to the testimony for Mr. Ilan Berman.
    Mr. Berman, the floor is yours.

  STATEMENT OF ILAN BERMAN, VICE PRESIDENT, AMERICAN FOREIGN 
                         POLICY COUNCIL

    Mr. Berman. Thank you, Mr. Chairman.
    Thank you and thank you, Ranking Member Clarke and the 
Members of the subcommittee, for the opportunity to appear 
before you again today.
    Let me also take the opportunity to thank you as my 
colleague did for your leadership on the issues specifically of 
Iran and cyber warfare. It is a topic that sadly has not yet 
percolated throughout the width and breath of the U.S. 
Government, but this committee has really blazed a trail in 
terms of rising awareness of the issue.
    I think it is particularly relevant to the topic today 
because what you have seen over the last year has been an 
evolution, a significant evolution, of Iran's capabilities in 
the exploitation of cyber space, both as a tool of internal 
repression and as a goal of offensive capability with regard to 
the asymmetric conflict that is now taking place over the 
Iranian regime's nuclear program
    Let me turn first to the domestic dimensions of what Iran 
is doing.
    A little over 3\1/2\ years ago, the fraudulent re-election 
of Mahmoud Ahmadinejad to the Iranian presidency galvanized the 
largest organized and sustained protest to the Iranian regime 
that had occurred since 1979 Islamic Revolution.
    That movement, which we have begun to colloquially refer to 
as ``The Green Movement'' relied extensively on the internet 
and on social media such as Facebook and Twitter to organize 
and to get its message out to the outside world.
    As a result, the Iranian regime also relied heavily upon 
the medium of the World Wide Web to both curtail and then 
subsequently to repress The Green Movement and opposition 
elements that have emerged afterwards since that time period.
    Today, you are seeing an escalation in terms of what Iran 
is doing domestically on several different fronts. This is, 
sort of, a little bit of a greatest hits, if you will. But I 
think it bears noting that the Iranian regime is building an 
ambitious project that it calls a ``second internet'' in which 
ordinary Iranians who access the internet will be shunted to 
regime-approved sites. They have also referred to this as the 
``Halal Internet.''
    As of October of last year there were about 10,000 
computers within the Islamic Republic that were connected to 
this integrated, they were both private user and public user; 
governmental user. The ultimate goal of the regime is to force 
all Iranians to eventually rely on this.
    Now, I understand there is a lot of skepticism on that 
score and it may not be possible to do that, but it bears 
noting that the Iranian regime has set this as a goal and is 
perusing that objective.
    Iran is also building new on-line and software capabilities 
to better track and control to social media outlets like 
Facebook. It has created a domestic homegrown alterative to 
YouTube, known as Mehr.
    It is even beginning the physical persecution and assault 
on Iran's netizens, on those Iranian citizens that are active 
in cyber space.
    All of this is, I think, driven by something that is 
approaching that the Iranian regime fears very much, which is 
the fact that the Iranian regime in a couple of months will 
face the first presidential election in which Mahmoud 
Ahmadinejad will not stand for the presidency; he is term-
limited.
    As a result, this is an election that, no matter how stage-
managed the regime will make it, will be a referendum of sorts 
on the stewardship of the clerical regime, particularly at a 
time when the western community of nations is bearing down 
increasingly effectively on Iran with its economic pressure.
    It is also augers the potential for a revival of this green 
wave of opposition elements. As a result, you are seeing Iran 
invest heavily in domestic repression in anticipation of 
potential unrest stemming from the elections.
    The second, and I think more relevant aspect of Iran's 
cyber warfare activities here, is what Iran has been doing 
externally. Iran has evolved a very significant and a maturing 
offensive cyber warfare capability. Iranian officials now 
believe cyber war to be, ``More dangerous than a physical 
war,'' in the words of one Iranian Revolutionary Guard 
official.
    As a result they have invested heavily, particularly at a 
time when their economy is constrained by Western sanctions in 
the development of both domestic and international 
capabilities.
    Iran has a, what it calls, a ``Cyber Army,'' which is made 
up of official, quasi-official, and non-official elements, 
including hacktivists, and patriotic hackers that pursue 
objectives that are consonant with regime objectives. They are 
increasingly carrying out hacking attacks on U.S. financial 
institutions. In August 2012 they also carried out a hacking 
attack on Saudi Aramco.
    All of this is intended by way of demonstration. What the 
Iranians are trying to do through these activities is to 
demonstrate both that they have the capability to reach out and 
touch the United States and its allies in the event of a 
conflict, and also that they are willing to do so.
    So what all this means is, I think, two major things. First 
that Iran is a maturing cyber threat. Iran still does not 
possess the capabilities that are as robust as you see coming 
out of China, coming out of Russia, but this is not--and I 
repeat--not an insurmountable problem.
    Iran can acquire very quickly and surreptitiously extensive 
cyber warfare capabilities from the grey and black markets. It 
can also acquire them from a strategic partner, partners like 
China and North Korea, where Iran is already collaborating on 
other strategic spheres such as ballistic missile development 
and nuclear development.
    The second big take-away is that Iran is a qualitatively 
different cyber actor than the other countries that we have 
mentioned here today. China and Russia are both focused 
primarily on cyber theft and cyber espionage. Iran is not. Iran 
boasts today little by way of a cyber espionage capability.
    Rather, what Iran is building is a cyber capability that is 
retaliatory in nature, and it is built largely around Iranian 
perceptions of the unfolding conflict that is now on-going 
between itself and the West over its acquisition of a nuclear 
capability.
    This makes the situation with Iran's cyber warfare 
capabilities particularly vulnerable--volatile because while 
these other countries are pursuing a degree of diplomatic 
normalcy with the United States, Iran is not. Iran is actually 
anticipating in erecting its cyber infrastructure a 
catastrophic breakdown of diplomatic relations with the West in 
which cyber will play a role in conjunction with kinetic 
effects in war fighting against the West.
    I will stop there.
    Thank you.
    [The prepared statement of Mr. Berman follows:]
                   Prepared Statement of Ilan Berman
                             March 20, 2013
                  the iranian cyber threat, revisited
    Chairman Meehan, distinguished Members of the subcommittee: Thank 
you for the invitation to appear before you again today. Let me begin 
by commending the House Homeland Security Committee for its continued 
leadership on the issue of Iran and cyber warfare. It is a topic that 
is of the utmost importance to the safety and security of the United 
States.
    A year ago, I had the privilege of testifying before this committee 
regarding the Islamic Republic's cyber warfare capabilities, and the 
threat that they could potentially pose to the American homeland. 
Today, the questions that were posed at that time are more relevant 
than ever.
    The past year has seen the Iranian regime evolve significantly in 
its exploitation of cyber space as a tool of internal repression, with 
significant consequences for country's overall political direction. 
During the same period, Iran also has demonstrated a growing ability to 
hold Western targets at risk in cyber space, amplifying a new dimension 
in the asymmetric conflict that is now taking place over the Iranian 
regime's nuclear program.
                     iran versus the world wide web
    A little over 3\1/2\ years ago, the fraudulent reelection of 
Mahmoud Ahmadinejad to the Iranian presidency galvanized the largest 
outpouring of opposition to the Iranian government since the 1979 
Islamic Revolution. That protest wave, colloquially known as the Green 
Movement, made extensive use of the internet and social media in its 
anti-regime activities. Iranian authorities responded with a similar 
focus--one that has both persisted and expanded in the wake of their 
successful suppression of the Green Movement during the 2009/2010 time 
frame.
    Most conspicuously, the Iranian government is moving ahead with the 
construction of a new national internet system. As of October 2012, 
some 10,000 computers--from both private users and government offices--
were found to be connected to this ``halal'' or ``second'' internet, 
which is aimed at isolating the Iranian population from the World Wide 
Web.\1\ The eventual goal of the Iranian regime is to force all Iranian 
citizens to use this system. Iranian officials thus have announced 
plans to reduce internet speeds within the Islamic Republic, as well as 
increase costs of subscriptions to Internet Service Providers (ISPs) 
within the country.\2\
---------------------------------------------------------------------------
    \1\ Sara Reardon, ``First Evidence for Iran's Parallel Halal 
Internet,'' New Scientist no. 2886, October 10, 2012, http://
www.newscientist.com/article/mg21628865.700-first-evidence-for-irans-
parallel-halal-internet.html.
    \2\ Reporters Without Borders, ``The Enemies of Internet: Iran,'' 
March 12, 2013, http://surveillance.rsf.org/en/iran/.
---------------------------------------------------------------------------
    Along the same lines, Iran in December 2012 launched Mehr, a home-
grown alternative to YouTube that features government-approved video 
content designed specifically for domestic audiences.\3\ Iranian 
authorities also reportedly are working on new software suites designed 
to better control social-networking sites (a hub of activity during the 
2009 protests and after).\4\
---------------------------------------------------------------------------
    \3\ David Murphy, ``Iran Launches `Mehr,' Its Own YouTube-Like 
Video Hub,'' PCMag, December 9, 2012, http://www.pcmag.com/article2/
0,2817,2413014,00.asp.
    \4\ Golnaz Esfandiari, ``Iran Developing `Smart Control' Software 
for Social-Networking Sites,'' Radio Free Europe/Radio Liberty, January 
5, 2013, http://www.rferl.org/content/iran-developing-smart-control-
software-for-social-networking-sites/24816054.html.
---------------------------------------------------------------------------
    The Iranian regime likewise has expanded control of domestic phone, 
mobile, and internet communications. In the months after the summer 
2009 protests, Iranian authorities installed a sophisticated Chinese-
origin surveillance system to track and monitor phone, mobile, and 
internet communications.\5\ They have since supplemented such tracking 
with methods intended to limit access to such media. Just this month, 
for example, Iranian authorities blocked most of the virtual private 
networks (VPNs) used by Iranians to circumvent the government's 
internet filters.\6\
---------------------------------------------------------------------------
    \5\ Steve Stecklow, ``Special Report: Chinese Firm Helps Iran Spy 
on Citizens,'' Reuters, March 22, 2012, http://www.reuters.com/article/
2012/03/22/us-iran-telecoms-idUSBRE82- L0B820120322.
    \6\ ``Iran Blocks Use of Tool to Get around Internet Filter,'' 
Reuters, March 10, 2013, http://www.reuters.com/article/2013/03/10/us-
iran-internet-idUSBRE9290CV20130310.
---------------------------------------------------------------------------
    The Iranian regime has stepped up its detention and intimidation of 
reporters and activists who utilize the world wide web as well. Its 
tool of choice to do so has been the Cyber Police, a dedicated division 
of the country's national police that was established in January 
2011.\7\ Earlier this year, the European Union added the Cyber Police 
to its sanctions list for the unit's role in the November 2012 torture 
and death of blogger Sattar Beheshti while in police custody.\8\ In 
all, some 58 journalists and ``netizens'' are currently imprisoned by 
Iranian authorities, according to the journalism watchdog group 
Reporters Without Borders.\9\
---------------------------------------------------------------------------
    \7\ University of Pennsylvania, Annenberg School of Communications, 
Iran Media Program, ``Internet Censorship in Iran,'' n.d., http://
iranmediaresearch.org/sites/default/files/research/pdf/1363180689/1385/
internet_censorship_in_iran.pdf.
    \8\ ``EU Sanctions Iran Judges, Cyber Police for Rights Abuse,'' 
Agence France-Presse, March 12, 2013, http://www.france24.com/en/
20130312-eu-sanctions-iran-judges-cyber-police-rights-abuse.
    \9\ Reporters Without Borders, ``Intelligence Ministry Admits 
Arresting News Providers, Blames Foreign Media,'' February 20, 2013, 
http://en.rsf.org/iran-intelligence-ministry-admits-20-02-
2013,44099.html.
---------------------------------------------------------------------------
    The Iranian regime also has established a new government agency to 
monitor cyber space. The Supreme Council on Cyberspace was formally 
inaugurated by Iranian Supreme Leader Ali Khamenei in April 2012, and 
serves as a coordinating body for the Islamic Republic's domestic and 
international cyber policies.\10\
---------------------------------------------------------------------------
    \10\ University of Pennsylvania Iran Media Program, ``Internet 
Censorship in Iran.''
---------------------------------------------------------------------------
    All of these activities have been propelled by a sense of urgency 
on the part of the Iranian leadership. This June, Iranians will go to 
the polls to elect a new president. That political contest, although 
sure to be stage-managed by clerical authorities, will nonetheless 
serve to some degree as a referendum on the Iranian regime's 
stewardship of the nation amid deepening Western sanctions. It could 
also see renewed activity by Iran's opposition forces, which have been 
politically sidelined in recent years. Iran consequently has made what 
the U.S. intelligence community terms ``cyber influence'' a major 
governmental focus, clamping down on internet activity ``that might 
contribute to political instability and regime change.''\11\
---------------------------------------------------------------------------
    \11\ James R. Clapper, ``Worldwide Threat Assessment of the US 
Intelligence Community,'' Statement for the Record before the Senate 
Select Committee on Intelligence, March 12, 2013, 2, http://
www.dni.gov/files/documents/Intelligence%20Reports/
2013%20ATA%20SFR%20for%- 20SSCI%2012%20Mar%202013.pdf.
---------------------------------------------------------------------------
                        from defense to offense
    Iran's offensive cyber capabilities likewise continue to evolve and 
mature. Over the past 3 years, repeated cyber attacks have targeted the 
Iranian nuclear program, with considerable effect. In response, Iranian 
officials have focused on cyber space as a primary flashpoint in their 
regime's unfolding confrontation with the West. Officials in Tehran now 
believe cyber war to be ``more dangerous than a physical war,'' in the 
words of one top leader of Iran's Revolutionary Guard Corps (IRGC).\12\
---------------------------------------------------------------------------
    \12\ ``Iran Sees Cyber Attacks as Greater Threat than Actual War,'' 
Reuters, September 25, 2012, http://www.reuters.com/article/2012/09/25/
net-us-iran-military-idUSBRE88O0MY20120925.
---------------------------------------------------------------------------
    As a result, the Iranian regime has made major investments in its 
offensive cyber capabilities. Since late 2011, the Iranian regime 
reportedly has invested more than $1 billion in the development of 
national cyber capabilities.\13\ As a result, Iranian officials now 
claim to possess the ``fourth largest'' cyber force in the world--a 
broad network of quasi-official elements, as well as regime-aligned 
``hacktivists,'' who engage in cyber activities broadly consistent with 
the Islamic Republic's interests and views.\14\ The activities of this 
``cyber army'' are believed to be overseen by the Intelligence Unit of 
the IRGC.\15\
---------------------------------------------------------------------------
    \13\ Yaakov Katz, ``Iran Embarks on $1b. Cyber-Warfare Program,'' 
Jerusalem Post, December 18, 2011, http://www.jpost.com/Defense/
Article.aspx?id=249864.
    \14\ ``Iran Enjoys 4th Biggest Cyber Army in World,'' FARS 
(Tehran), February 2, 2013, http://abna.ir/data.asp?lang=3&Id=387239.
    \15\ University of Pennsylvania Iran Media Program, ``Internet 
Censorship in Iran.''
---------------------------------------------------------------------------
    Increasingly, the Iranian regime has put those capabilities to use 
against Western and Western-aligned targets. Between September 2012 and 
January 2013, a group of hackers known as the Izz ad-Din al-Qassam 
Cyber Fighters carried out multiple distributed denial-of-service 
(DDoS) attacks against a number of U.S. financial institutions, 
including the Bank of America, JPMorgan Chase, and Citigroup. Due to 
the sophistication of the attacks, U.S. officials have linked them to 
the Iranian government.\16\
---------------------------------------------------------------------------
    \16\ Nicole Perlroth and Quentin Hardy, ``Bank Hacking was the Work 
of Iranians, Officials Say,'' New York Times, January 8, 2013, http://
www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-
of-iran-us-officials-say.html?pagewanted=1&_r=0.
---------------------------------------------------------------------------
    A similar attack attributed to the Iranian regime took place in 
August 2012, when three-quarters of the computers of Saudi Arabia's 
Aramco state oil corporation were targeted by a virus called 
``Shamoon.'' The malicious software triggered a program that replaced 
Aramco's corporate data with a picture of a burning American flag at a 
predetermined time.\17\
---------------------------------------------------------------------------
    \17\ Nicole Perlroth, ``In Cyberattack on Saudi Firm, U.S. Sees 
Iran Firing back,'' New York Times, October 23, 2012, http://
www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-
firm-disquiets-us.html?pagewanted=all.
---------------------------------------------------------------------------
    The Iranian regime has also begun to proliferate its cyber 
capabilities to its strategic partners. Iran reportedly has provided 
the regime of Syrian dictator Bashar al-Assad, now locked in a 
protracted civil war against his own people, with crucial equipment and 
technical assistance for carrying out internet surveillance.\18\ This, 
in turn, has helped the Assad regime to more effectively target and 
neutralize elements of the Syrian opposition.
---------------------------------------------------------------------------
    \18\ Ellen Nakashima, ``Iran aids Syria in Tracking Opposition via 
Electronic Surveillance, U.S. Officials Say,'' Washington Post, October 
9, 2012, http://articles.washingtonpost.com/2012-10-09/world/
35500619_1_surveillance-software-syrians-president-bashar.
---------------------------------------------------------------------------
                           a maturing threat
    Despite recent advances, Iran's cyber capabilities are still 
nascent when compared to those of China and Russia. There is broad 
agreement among technical experts that the cyber threat posed by the 
Iranian regime is more modest than that posed by either Moscow or 
Beijing, at least for the moment. Yet Iran's activities in, and 
exploitation of, cyber space should be of utmost concern to American 
policymakers, for several reasons.
    The first is opportunity. The capabilities ``gap'' that currently 
exists in Iran's ability to carry out sustained and significant cyber 
attacks against U.S. infrastructure could close rapidly. This is 
because all of the resources that the Islamic Republic requires, 
whether human or technological, can be acquired quickly and 
comparatively cheaply from gray and black market sources. Additionally, 
recent years have seen the Iranian regime receive significant inputs to 
its strategic programs from abroad, most prominently from China and 
North Korea. This assistance is known to have furthered Iran's nuclear 
and ballistic missile capabilities, perhaps significantly so. Given 
this history, there is every reason to conclude that cooperation 
between Iran and its strategic partners is on-going in the cyber domain 
as well.
    The second is intent. Over the past 2 years, no fewer than five 
distinct cyber assaults have targeted the Iranian regime's nuclear 
effort. (At least one, moreover, has been determined to be domestic in 
origin, suggesting the Iranian regime faces an internal cyber threat as 
well). As a result, Iranian officials have come to believe--with 
considerable justification--that conflict with the West has already 
begun. The cyber attacks that Iran has carried out in recent months 
provide a strong indicator that the Iranian regime is both willing and 
able to retaliate in kind.
    Finally, it is worth noting that Iran represents a qualitatively 
different cyber actor from either Russia or China. While both the PRC 
and the Russian Federation actively engage in cyber espionage against 
the United States, each has repeatedly avoided mounting a cyber attack 
so disruptive that it precipitates a breakdown of diplomatic relations 
with Washington. Iran, by contrast, could well countenance exactly such 
a course of action in the not-too-distant future.
    In his most recent testimony to the Senate Select Committee on 
Intelligence, Director of National Intelligence James Clapper noted 
that ``Iran prefers to avoid direct confrontation with the United 
States because regime preservation is its top priority.''\19\ This, 
however, has the potential to change rapidly in the event of a further 
deterioration of the current, tense standoff between the international 
community and Iran over its nuclear program. Iranian officials have 
made clear that they see cyber space as a distinct warfighting medium 
in their unfolding confrontation with the West.
---------------------------------------------------------------------------
    \19\ Clapper, Statement for the Record, 5.
---------------------------------------------------------------------------
    Government officials increasingly recognize this fact. A draft 
National Intelligence Estimate now circulating within the U.S. 
Government reportedly identifies Iran as one country which would 
benefit substantially from having the capability to target and disable 
sectors of the U.S. economy.\20\ What is not yet visible, however, is a 
comprehensive approach to understand, address and mitigate Iran's 
ability to hold American interests and infrastructure at risk via cyber 
space.
---------------------------------------------------------------------------
    \20\ Nicole Perlroth, David E. Sanger and Michael S. Schmidt, ``As 
Hacking against U.S. Rises, Experts Try to Pin Down Motive,'' New York 
Times, March 4, 2013, http://mobile.nytimes.com/2013/03/04/us/us-
weighs-risks-and-motives-of-hacking-by-china-or-
iran.xml;jsessionid=8304- B2493AF15262FDA4F217DDF0CAFE?f=19.
---------------------------------------------------------------------------
                    cyber space and the iranian bomb
    Back in October, then-Secretary of Defense Leon Panetta warned 
publicly that the United States could soon face a mass disruption event 
of catastrophic proportions, a ``cyber Pearl Harbor'' of sorts. ``An 
aggressor nation or extremist group could use these kinds of cyber 
tools to gain control of critical switches,'' cautioned the Defense 
secretary. ``They could derail passenger trains, or even more 
dangerous, derail trains loaded with lethal chemicals. They could 
contaminate the water supply in major cities, or shut down the power 
grid across large parts of the country.''\21\
---------------------------------------------------------------------------
    \21\ Elisabeth Bumiller and Thom Shanker, ``Panetta Warns of Dire 
Threat of Cyberattack on U.S.,'' New York Times, October 11, 2012, 
http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-
of-cyberattack.html?pagewanted=all&_r=0.
---------------------------------------------------------------------------
    Such a scenario is plausible, although the U.S. intelligence 
community currently judges its likelihood to be ``remote,'' at least in 
the near term.\22\ However, geopolitical events could dramatically 
alter this assessment, and incentivize threat actors in cyber space to 
target both American interests and infrastructure.
---------------------------------------------------------------------------
    \22\ Clapper, Statement for the Record, 5.
---------------------------------------------------------------------------
    In this regard, no scenario is more urgent or potentially dangerous 
than the unfolding crisis over Iran's nuclear program. Despite a 
massive expansion of Western economic pressure over the past year, the 
Iranian regime still shows no signs of slowing its drive toward atomic 
capability. To the contrary, Iranian officials have taken a defiant 
stance, laying out the need for an ``economy of resistance'' with which 
they will be able to weather economic pressure from the United States 
and Europe until such time as they cross the nuclear Rubicon.\23\ As 
such, the near future could see a further escalation of the crisis, 
perhaps including the use of force against Iran by one or more nations.
---------------------------------------------------------------------------
    \23\ ``Iran Leader Calls for `Economy of Resistance,' '' Agence 
France-Presse, August 23, 2012, http://news.yahoo.com/iran-leader-
calls-economy-resistance-134523014.html.
---------------------------------------------------------------------------
    Should that happen, cyber war with Iran could become a distinct 
possibility. So, too, could Iranian targeting of American forces, 
interests, and infrastructure, with potentially devastating effects on 
the security of the U.S. homeland.

    Mr. Meehan. Well on that note Mr. Berman--and I am sure we 
will follow up on that testimony.
    Now the panel will hear from our last distinguished 
panelist; Mr. Libicki the floor is yours.

 STATEMENT OF MARTIN C. LIBICKI, SENIOR MANAGEMENT SCIENTIST, 
                        RAND CORPORATION

    Mr. Libicki. Thank you and good afternoon Chairman Meehan, 
Ranking Member Clarke, and other distinguished Members of the 
subcommittee. Thank you for the opportunity to testify today on 
cyber threats and protecting American critical infrastructure.
    On September 11, 2001, 3,000 people died, and the physical 
damage was upwards of $200 billion. On September 12, the 
country responded. The next dozen years saw 6,000 dead, tens of 
thousands injured, and costs well over a trillion dollars.
    If cyber is similar, one might conclude that even though an 
attack on the United States may be damaging, the cycle of 
response and counter-response may be far more consequential.
    The issue of how the United States should manage crisis and 
escalation in cyber space is addressed in the recently-
published Rand Report of that name. I now want to take the 
opportunity to summarize seven salient points in that document.
    The first point is to understand that the answer to the 
question you all have been here asked, is this cyber attack an 
act of war, is not a conclusion, it is a decision.
    Cyber wars are wars of choice. A country struck from cyber 
space has the opportunity to ask, what would be the most cost-
effective way to minimize future suffering, and depending on 
the circumstances it might be war, alternatively it might not 
be.
    Second, is to take the time to think things through. 
Computers may work in nano-seconds, but the target of any 
response is not the computer, in large part because even if a 
computer is taken out a substitute may be close at hand. The 
true target of a response are those who command the cyber 
warriors, that is people. But people do not work in nano 
seconds. Persuasion and dissuasion of people work at roughly 
the same speed whether or not these people command cyber war or 
any other form of war.
    Third is to understand what is at stake, which is to say, 
what the United States hopes to gain by making the attackers 
cease their efforts. This goes for both responding to cyber 
attack and to responding to what might be deemed intolerable 
levels of cyber espionage.
    The fourth is to not take possession of a crisis 
unnecessarily, or at least if you are going to do so, do so on 
your own terms, which is to say, don't back yourself into a 
corner where you always have to respond whether doing so is 
wise or not.
    Fifth is in responding craft and narrative that helps take 
the crisis where you want to take it. In some cases in fact, 
the narrative might have to allow the attacker to cease its 
attacks without losing face by doing so.
    Sixth is to figure out what norms of conduct in cyber 
space, if any, work best for the United States. It may be 
encouraging that last week both the United States and China 
agreed to carry out high-level talks on cyber norms, but there 
are a lot of questions to work through.
    As an example, where does one draw the many lines among 
cyber war, cyber sabotage, cyber crime, cyber espionage, and 
violations of international trade law?
    The seventh is to manage cyber escalation wisely. That 
means remembering that the other side will probably react to 
what you yourself do, yet in cyber space, using tit-for-tat 
measures to modulate the other side's escalation can be a very 
uncertain and crude tool.
    Of course, one of the best ways of avoiding a 9/12 in cyber 
space is to avoid a 9/11 if you can. In that regard, I would 
like to toss out a few ideas. These are born of the notion that 
while there are many sources of cyber insecurity we wouldn't be 
worried about a catastrophic cyber attack or much of the 
advanced persistent system threat for that matter were it not 
for malware. Malware itself does not happen without systematic 
weaknesses in software architectures and implementations.
    In a world that spends $60 billion a year on security for 
instance, a much, much smaller total of that is spent 
eradicating vulnerabilities in widely-used software programs. 
Allocating Federal money from buildings to finding and thereby 
reducing the vulnerabilities in these programs, may be money 
well spent.
    The same logic, unfortunately, does not hold for machine 
control software such as SCADA Systems. Such software was 
designed for a relatively benign environment, not the internet. 
Vulnerabilities in such software are so common that they will 
take a long time to fix completely.
    In the mean time, leaving such systems connected to the 
rest of the internet may not necessarily be a particularly good 
idea. Isolation will reduce the odds of a catastrophic attack 
more than probably anything else will.
    Finally we need to rethink information sharing. There is 
nothing wrong say with two chemical companies sharing 
information with one another on cyber attacks, but we really 
need to hear not from the companies themselves but from the 
security firms that work for them, because they are the folks 
who actually understand what happens to the companies when they 
get attacked.
    The folks that they need to hear from are again not so much 
the companies themselves, although that is a good thing, but 
those who build software for such companies.
    Well, thank you very much. I am happy to answer any 
questions you might have.
    [The prepared statement of Mr. Libicki follows:]
              Prepared Statement of Martin C. Libicki \1\
---------------------------------------------------------------------------
    \1\ The opinions and conclusions expressed in this testimony are 
the author's alone and should not be interpreted as representing those 
of RAND or any of the sponsors of its research. This product is part of 
the RAND Corporation testimony series. RAND testimonies record 
testimony presented by RAND associates to Federal, State, or local 
legislative committees; Government-appointed commissions and panels; 
and private review and oversight bodies. The RAND Corporation is a 
nonprofit research organization providing objective analysis and 
effective solutions that address the challenges facing the public and 
private sectors around the world. RAND's publications do not 
necessarily reflect the opinions of its research clients and sponsors.
---------------------------------------------------------------------------
                             March 20, 2013
                managing september 12 in cyberspace \2\
---------------------------------------------------------------------------
    \2\ This testimony is available for free download at http://
www.rand.org/pubs/testimonies/CT383.html.
---------------------------------------------------------------------------
    On September 11, 2001, terrorists attacked the United States. Three 
thousand people died and the physical damage was upwards of two hundred 
billion dollars. On September 12, the country responded. The United 
States strengthened its homeland security. We went to war twice. Over 
the next dozen years, the United States lost six thousand in combat. 
Ten to twenty thousand were seriously injured. Total additional 
expenditures exceeded a trillion dollars. I point this out not to 
criticize the policies that followed--but to indicate that even though 
an attack on the United States may be damaging, the cycle of response 
and counter-response may be far more consequential.
    Accordingly, even though a cyber-9/11 may be costly, it would be 
shortsighted to evaluate the threat in terms of immediate damage 
without considering how the United States would manage such a crisis in 
order to yield an outcome that works best for the American people. That 
is, we are right to be worried about a ``9/11 in cyber space,'' but we 
also ought to worry about what a ``9/12 in cyber space'' would look 
like. Indeed, one of the best reasons for working hard to avoid a 9/11 
in cyber space is avoid having to deal with a 9/12 in cyber space. That 
noted, because a cyber 9/11 (or what looks like a 9/11) might happen, 
it is worthwhile to think about what we do the day after.
    The issue of how the United States should manage crisis and 
escalation in cyber space is addressed in the recently-published RAND 
document of that name.\3\ I now want to take the opportunity to touch 
on some of the salient points in that document, as well as follow-on 
thoughts.
---------------------------------------------------------------------------
    \3\ Martin Libicki, Crisis and Escalation in Cyberspace, Santa 
Monica CA (RAND), MG-1215-AF.
---------------------------------------------------------------------------
    The first point is to understand that the answer to the question--
is this cyber attack an act of war?--is not a conclusion, but a 
decision. In physical combat, such a question may be meaningful: If 
your neighbor's tanks are in your backyard heading for the capital, 
then war is on. But such a question is usually the wrong one to ask 
about cyber war. True, cyber war can disrupt life even on a mass scale. 
Cyber warfare can enhance conventional military power. But, it cannot 
be used to occupy another nation's capital. It cannot force regime 
change. No one has yet died from it. And, Stuxnet notwithstanding, 
breaking things with ones and zeroes requires very particular 
circumstances. A cyber attack, in and of itself, does not demand an 
immediate response to safeguard National security. Instead, a country 
struck from cyber space has the opportunity to ask: What would be its 
most cost-effective way to minimize such future suffering? If war fits 
the bill (and other nations understand as much), the victim of a cyber 
attack could declare that it was an act of war and then go forth and 
fight. Perhaps making war can persuade the attacker to stop. Yet, war 
also risks further disruption, great cost, as well as possible 
destruction and death--especially if matters escalate beyond cyber 
space. Or a country may look at policies that reduce the pain without 
so much risk--such as by fixing or forgoing software or network 
connections whose vulnerabilities permitted cyber attacks in the first 
place.
    Second is to take the time to think things through. Computers may 
work in nanoseconds, but the target of any response is not the 
computer--in large part because even if a computer is taken out a 
substitute can be close at hand. The true target of a response is those 
who command cyber warriors--that is, people. But, people do not work in 
nanoseconds. Persuasion and dissuasion of people work at roughly the 
same speed whether or not these people command cyber war or any other 
form of war. A corollary error is to assume that a confrontation in 
cyber space is inherently unstable--thereby necessitating being a 
quicker draw than the other guy. It is precisely, because unlike with 
nuclear war, a nation's cyber war capabilities cannot be disarmed by a 
first strike, there's not the same need to get the jump on the other 
guy, just as there is not the same need to match his offense with your 
offense, when it's your defense that dictates how much damage you are 
likely to receive.
    Third is to understand what is at stake--which is to say, what you 
hope to gain by making the attackers cease their efforts. This goes for 
both responding to cyber attack and responding to what might be deemed 
intolerable levels of cyber espionage. With cyber attack, what you are 
trying to prevent is not the initial attack, but the next attack--the 
effects of which might be larger than the initial attack but may also 
be smaller. (This is particularly true if the initial attack teaches 
the immediate victims, that, say, making industrial controls accessible 
to the internet may not have been the smartest idea.) As for espionage, 
we really have no handle on how to evaluate the damage that takes place 
to the country when other countries see what we don't want them to see.
    Fourth is not to take possession of the crisis unnecessarily--or at 
least do so only on your own terms. That is, do not back yourself into 
a corner where you always have to respond, whether doing so is wise or 
not. It is common, these days, to emphasize the cost and consequences 
of a cyber attack as a National calamity; last week the Director of 
National Intelligence proclaimed it as the primary short-term threat to 
the Nation. Making such arguments tends to compel the United States to 
respond vigorously should any such cyber attack occur, or even merely 
when the possible precursors to a potential cyber attack have been 
identified. Having created a demand among the public to do something, 
the government is then committed to doing something even when doing 
little or nothing is called for. In some cases, it may be wiser to 
point out that the victim had a feckless cyber security posture. In 
other cases, downplaying the damage may be called for. The more 
emphasis on the pain from a cyber attack, the greater the temptation to 
others to induce such pain--either to put fear into this country or 
goad it into a reaction that rebounds to their benefit. Conversely, 
fostering the impression that a great country can bear the pain of 
cyber attacks, keep calm, and carry on reduces such temptation. 
Correspondingly, despite good arguments in favor of drawing red lines 
for deterrence purposes--``if you do this, I will surely do that''--the 
cost of being credible is that if deterrence fails, such a declaration 
tends to constrain one into carrying out retaliation. To do nothing or 
nothing much, at that point, tends to hollow all deterrent postures, 
and not just in cyber space. Given the inevitable ambiguities 
associated with the consequences and causes associated with cyber 
attacks, inflexibility may also demand a response well before the facts 
are clear. There are careful trade-offs that have to be made.
    Fifth is to craft a narrative that facilitates taking the crisis 
where you want to take it. Narratives are, essentially, political 
morality plays, in which the United States has to select a role that 
puts it in a good light while retaining basic consistency between the 
facts of the matter, as well as with its previous narratives. Part of 
crafting a narrative requires finding the right role: Does the United 
States want to portray itself as a victim of cyber attack? As the 
righteous enforcer of international norms? As the superpower that 
demands respect? Narratives also have to find a role for the attacker, 
and the definition of such a role may, in some cases, have to encourage 
and accommodate the attacker's graceful and face-saving retreat from 
belligerence. After all, the odds that an attack in cyber space arises 
from, miscalculation, inadvertence, espionage with unintended 
consequences, or the actions of a rogue actor are nontrivial.
    Sixth is to figure out what norms of conduct in cyber space, if 
any, work best for the United States. Last week both the United States 
and China agreed to carry out high-level talks on cyber norms. Although 
nearly 4 years of Track II negotiations with the Chinese (in which I 
participated) have yielded meager results, there are still some grounds 
for optimism. But, first we have to address some salient questions. To 
what extent can the Laws of Armed Conflict apply in a domain where the 
patterns of collateral damage are poorly understood, where the 
distinction between civil and military is difficult to discern, where 
it's getting harder and harder to know where your information sits, and 
where the transparency required for neutrality simply does not exist? 
Where does one draw the many lines among cyber war, cyber crime, cyber 
espionage, and violations of international trade rule? Is it in the 
U.S. interest to make unconstrained espionage a casus belli? How well 
should states be able to monitor (let alone enforce) compliance before 
it can assure itself that the norms are worth having?
    Seventh is to manage cyber escalation wisely. This not only means 
remembering that the other side will react to what you do, but also 
understanding what a crude tool counter-escalation may be for 
influencing the other side. Consider that with Stuxnet, it took many 
tries to get the desired effect. The Iranians may not have known they 
were under attack until they read about it in the New York Times. It is 
also unclear whether we would have had much damage assessment had the 
centrifuge plant not been under independent inspection. To further 
illustrate what the fog of cyber war may mean to escalation control, 
assume a defender wants to place in an opponent's mind the thought that 
if he escalates and the defender will counter-escalate proportionally. 
But in cyber space what the attacker does, what he thinks he did, and 
what the defender thinks he did may all be different. The defender can 
only react to what he thinks the attacker did. That is because the 
defender's systems are usually different than the attacker's. 
Equivalence between perception of the attack and the intended response 
may be inexact. Then there's the similar difference between the 
defender's response and the attacker's perception of what was done in 
return. After all this, the attacker may think the retaliation was 
proportional, understated, or went overboard in crossing counter-
escalation red lines--red lines that were not originally crossed by 
himself. The effect is akin to playing tennis on a rock-strewn court.
    In sum, while I believe it is certainly worthwhile effort to 
prevent a future 9/11 in cyber space--and understanding the nature of 
the threat is an important component of that effort--similar levels of 
care and thought needs to be given to how to manage a potential 9/12 in 
cyber space. If not, we may find, as with the historical 9/11, that the 
consequences of the reaction and counter-reaction are more serious than 
the consequences of the original action itself.

    Mr. Meehan. Well, thank you, Mr. Libicki.
    Thank you for, all of the panel, for your opening 
statements. You have touched on collectively a number of 
critical areas for us in terms of framing the nature of the 
threat and commentary and more specific fashions as to where we 
see this thing going.
    I am grateful today to have the presence of the Chairman of 
the full Committee on Homeland Security and without objection I 
will go out of order and allow the Chairman to make some 
opening comments or if he has a few observations or questions 
for the panel, I would allow that to be entertained as well.
    Mr. McCaul. Well, I thank the Chairman for your generosity, 
and thank you to the witnesses for being here today.
    This is an issue of growing concern by the day. Today we 
just saw North Korea attack South Korea in a denial-of-service 
attack in an attempt to shut down its government. We have the 
representative from Mandiant here who reported recently that 
the Chinese military has hacked into our Federal Government to 
steal our military secrets. I think for me most disturbingly is 
what has happened not just with China, Russia, but as you Mitch 
and Mr. Berman, with Iran.
    I think the fear has always been that you know Russia is 
good at espionage and crime, so is China; they steal things, 
but it is the countries that disrupt and bring things down that 
is probably the thing that keeps us up at night the most.
    So I want to ask this question because the Iranian attack 
was particularly interesting in the sense that the attack 
against Aramco in the Persian Gulf was a very destructive 
attack that knocked out 20,000, 30,000 hard drives bringing 
them down in energy sector. The attack against our financial 
institutions in the United States on the other hand was a very 
disruptive denial-of-service attack crashing servers but not 
destroying. But the point remains that Iran has this capability 
to destroy.
    I asked the question, why the difference in attacks, and 
the answer was, well they are red-lining us. They are testing 
us. They want to know how far they can go with this before we 
actually ultimately respond.
    So my question, I guess I will start with Mr. Berman, 
anybody else on the panel is: At what point do we respond? At 
what point do these attacks--and we have debated what 
constitutes an act of warfare, but at what point do these 
attacks truly constitute an act of warfare to be met with an 
in-kind response?
    Mr. Berman. Well, thank you, sir, and I appreciate you 
asking such an easy question to get this ball rolling.
    This is actually, I think, the $64,000 question. It is not 
a question that can be answered by myself or by anybody here on 
this panel. It is a decision made by the National Command 
Authority with regard to framing a deterrence posture in cyber 
space and then also carrying out retaliatory attacks if it 
chooses to do so; if it perceives that a red line has been 
crossed.
    I would point out that you outlined very nicely sort of the 
Iranian motivation and the Iranian way of thinking about what 
it is doing; these cyber attacks that it has carried out 
against U.S. financial institutions. By the way, not only U.S. 
financial institutions, before it attacked Bank of America and 
JPMorgan Chase, it took aim at Israel's central bank, at Bank 
Hapoalim.
    So these are all demonstration attacks to a greater or 
lesser extent, to demonstrate that it has the ability to reach 
out and touch the United States and its coalition partners if 
the conflict over its nuclear program goes south in some 
substantial way.
    Iran is also doing something, which I think is more 
tangible and is of greater concern, which is the outlining how 
it would act definitively in the event of a breakdown in 
relations and coalition warfare against Iran over its nuclear 
program. The attack on Saudi Aramco can be seen as a signaling 
mechanism by which Iran is telegraphing to the international 
community that it plans to target C4I capabilities in the event 
of overt warfare with regard to Iran.
    This is--I think it is important to note that the Iranians 
are thinking about cyber warfare operationally in that context. 
Whether or not we choose to respond to these attacks is an 
entirely different question and it is one that stems from how 
we define the threat, and whether or not we actually do, as Mr. 
Libicki said, do draw definitive red lines that forces us to 
retaliate.
    Mr. Cilluffo. Mr. Chairman, to build on that point, and I 
agree very much with what Ilan has just expressed. But, I mean, 
one way to think about some of these cyber threats, 
especially--and I am reminded of how we used to discuss state-
sponsored terrorism in the 1980s and 1990s. You have state-
sponsored, state-sanctioned, and state-directed. What makes 
cyber so complex is the plausible deniability factor, 
obviously.
    Just like Iran has turned to its proxies to engage in 
kinetic attacks, obviously they will also look to proxies if 
they build-out the capacity to do so in the cyber domain. One 
thing that is worth noting, though, is whether it is IRGC or 
whether it is Quds Force, they are also home to one of the most 
sophisticated hacker underground communities that has been 
around for quite some time, noted as Ashiana. Some of these 
capabilities where they may provide what we would call in the 
military ``commanders intent,'' they are not necessarily even 
sure who is calling the shots where and when.
    There might be a good news story on the U.S. side. Maybe it 
was more difficult to get to some of our energy companies the 
way they were able to do so vis-a-vis Saudi Aramco. That said, 
if the balloon goes up, I am more concerned that they turn to 
their proxies in a kinetic kind of way where cyber becomes--it 
enhances the lethality. It is a force-multiplier effect.
    That is why I put it in the chart, why I put it at the 
blinking high-red in my prepared remarks. That is something 
that we shouldn't discount. U.S. interests overseas have long 
been lightning rods for terrorist activity. I think you would 
see a lot of similar sort of activity in the region. So, they 
are very good at electronic warfare. They have been doing this 
for a long time. So, here cyber is just another instrumentality 
to achieve those sorts of objectives and something we need to 
take seriously.
    Mr. McCaul. Let me just say thank you to the panel.
    I also want to again thank the Chairman and Ranking Member 
for your generosity in letting me sit here and ask questions. 
Also, the work you have done on this issue--I appreciate it and 
I look forward to the point where we end up marking up 
legislation on this committee.
    Thank you.
    Mr. Meehan. Thank you, Mr. Chairman. We are grateful for 
your support for the important work of this committee and look 
forward to working with you. As you can see, the testimony from 
this distinguished panel I think is helping to put in context 
the importance of what we are doing. That is a big part of what 
we are trying to approach today.
    Because I--Mr. Cilluffo, I thank you, as I recognize myself 
for 5 minutes of questioning. For your setting the table in the 
sense of us trying to put our arms around this, it is easy to 
get lost not only in the broad scope of the threat, but the 
failure to distinguish among different parts of the threat.
    You were articulate in explaining that there are various 
levels that actually get us to the places where we may be able 
to do a lot. Mr. Bejtlich and others discussed cyber high--we 
can do the deal with big parts of it that we probably are 
principally interested in this issue of state-sponsored 
activity.
    That even within the realm of state-sponsored activity, the 
question becomes: What becomes the kind of motivating factor 
that is tied with the capability that then becomes the creator 
of an intentional act?
    Now, we have seen actions as recently as this week that 
have been tied back, at least according to published reports, 
to Iran--once again, more sophisticated attacks against our 
banking system. I would be interested in your interpretation of 
those attacks, what you think they are, and how realistic they 
may be as whether they are precursors to something which is 
simply probing, or part of a pattern of activity that may 
indicate future vulnerability for the United States.
    Mr. Cilluffo. Mr. Chairman, thank you for that question. I 
think you do ask one of the most difficult questions. Because 
what I tried to do is parse out the computer network exploit 
from computer network attack. The one issue that is sort of in 
between both is the cyber equivalent of intelligence 
preparation on the battlefield.
    So, the fact is, is our critical infrastructure, the domain 
of this subcommittee and the committee generally speaking, are 
all identifiable and they have been probed and they have been 
mapped. At the end of the day, they have not necessarily been, 
at least with the actors we are most concerned about, looked at 
from a computer network attack perspective, but the fact that 
they have probed these systems, what other motive could they 
possibly have? They are not stealing secrets here. It is not 
espionage. It is to be able to come up with a potential battle 
plan in the future.
    Big concern. When you see the Iran clickety-clack of the 
keyboard behind that, then we have got some real significant 
lines, maybe not in the sand, but in the silicon that have 
clearly been crossed. Again, I think that Iran is going to look 
at it through a kinetic lens most directly.
    In terms of these DDOS attacks, the distributive denial-of-
service attacks, they are becoming more powerful. You can rent 
a botnet for very little that can cause major disruption. That 
is not the same as destruction, but it can get to the point 
where companies that live and breathe on just-in-time 
inventories, that live and breathe on the ability to connect 
with their customers immediately, it has a huge impact.
    I just came back from Estonia, where I brought a bunch of 
my students that are part of an executive MBA program there, 
and they don't have bank tellers anymore. It is all 
computerized.
    Mr. Meehan. So, this capacity, as we have identified it, we 
focused on Iran most recently, but we have also spoken about 
North Korea and the capacity to be able to go out into the 
marketplace and therefore even enhance their capability by 
participating with other kinds of nation-state actors or others 
who have the ability to generate this.
    Mr. Berman, you used a----
    Mr. Cilluffo. I am actually more concerned about North 
Korea in some ways.
    Mr. Meehan. North Korea.
    Mr. Cilluffo. It is about survival of the regime, wild 
cards, and traditionally crime tries to penetrate the state. In 
North Korea, it is the inverse. The state is penetrating 
organized crime and they are engaged in all----
    Mr. Meehan. Mr. Berman, you spoke a great deal about that. 
You used the word ``retaliatory'' as being a precursor to some 
activities, and we see what happened this week in South Korea. 
So, explain to me how you interpret those in the context of 
whether they are retaliatory actions, and then most--the 
greatest concern is the added word ``volatility.''
    Do they in combination create what you--this panel had 
testified before when we were asking questions about the 
willingness of the Quds Force to carry out an act of terrorism 
on United States soil. Then months later, we saw it. So, I 
respect your vision. What do you see happening now?
    Mr. Berman. Well, thank you, sir. I appreciate the kind 
words.
    I agree with my colleague. I think what we are looking at 
here is a mismatch between capability and intent. The Iranians 
are not nearly as sophisticated and persistent as the Chinese 
and even the Russians. But what you have is a set of actors--
and I say ``set'' because what we are talking about here is not 
just Iran, but also North Korea--that is hyper-politicized in 
the sense that both are engaging in active diplomatic warfare 
with the international community over their respective nuclear 
programs, over sanctions, over some deviant behavior, that may 
force them--or may cause them to lash out in ways that we would 
not predict.
    One of the saving graces of our China cyber problem and our 
Russia cyber problem is that while we may not be comfortable 
with the scope, we in general understand the direction. That is 
missing in our calculation with regard to Iran and increasingly 
with regard to North Korea. The shared geopolitical driver here 
is that both regimes are under growing international stress as 
a result of their rogue behavior. But it is also the type of 
international stress--economic, diplomatic, financial--that is 
forcing them to lash out in unpredictable ways.
    As a result, as Frank said, the cyber component of this 
behavior becomes very, very germane because if Iran seeks to 
retaliate and it is a perceived retaliation, because Iran 
already, if you look at the way it has written in speeches, the 
way it has spoken--its officials have spoken, they see 
themselves already at war with the West on some level. They see 
cyber as an adjunct to all the other things that they are doing 
in order to respond.
    Mr. Meehan. I look forward to following up, but at this 
point my time has expired. So I turn it to the Ranking Member, 
Ms. Clarke, for her questions.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    I would like to start with Dr. Libicki. I am a bit 
concerned about how we classify the activities that are taking 
place. You know, this is a homeland security committee, and I 
want to just ask you, I understand that a lot of your work 
deals with questions of state-on-state cyber conflict and 
international issues. That is the domain of foreign-oriented 
departments, such as State and Defense. But I also appreciate 
your testimony on needing to be careful in our messaging of the 
cyber threat, and not calling everything cyber war.
    I, for one, believe that the vast majority of malicious 
cyber activity is directed against consumers in the private 
sector, and it is not appropriate for the military to play a 
role--the lead role in protecting against this type of 
activity. The threats are, indeed, great, but that doesn't mean 
it requires a military response.
    Do you agree, or do you have any thoughts on the right way 
to talk about cyber threats without doing it in a way that 
over-militarizes our response?
    Mr. Libicki. Well, if you going to respond with the 
military, I suppose your most important question is: Is it to 
your advantage to get into a war? If the answer is no, then you 
may think of other ways of responding.
    In many ways, however--and I mentioned--you mention 
narrative, if the United States goes around saying how 
vulnerable it is to cyber attack and how much it is afraid of 
cyber attack, then it sets up a situation in the minds of 
others that the United States is particularly sensitive if it 
gets attacked through this method.
    If we, however, adopt a posture, insofar as we can, that in 
fact these things happen to computers all the time, that 
computers can be occasionally volatile, but things happen to 
them, and that we are really talking about levels of annoyance, 
to a certain extent you can remove some of the disincentive for 
others to attack the United States, because the impact on what 
we do will not be very great.
    Ms. Clarke. So, let me dig a little bit deeper, because 
what we are trying to get a sense of is, you know, we have a 
domestic responsibility to private citizens whose identity may 
be stolen, the sort of garden-variety types of malicious cyber 
activity.
    We are trying to make a distinction here, because this 
whole hearing we have been talking about really an 
international connection. For the average American, it is like, 
you know, I just don't want my medical information sold in 
Russia, or, you know, I don't want my identity to be--how do we 
make that distinction and then how do we sort of create a 
flexible infrastructure that enables us to be sensitive enough 
to know where certain forces enter versus others?
    Mr. Libicki. Well, pretty much everything we are talking 
about, at least at the U.S. level, is considered a crime. 
Sometimes we can get our hands on these folks, sometimes we 
can't. Some of my colleagues pointed out because we don't have 
the cooperation of the Government.
    To a large extent, therefore, that means in these areas 
defense becomes a lot more important than it would other 
places. I think there is a great deal that the United States 
can do, that the United States Government can do to beef up 
defenses. I think there is a lot of good work being done by 
DHS. I think there are ways they can carry out more activities.
    I had mentioned reducing the vulnerabilities in a lot of 
software. I think a certain amount of progress is being made, 
but by no means fast enough. I think we can encourage a great 
deal of resilience. Standards of resilience may, at least, give 
you some guidelines as to what constitutes resilience in the 
first place.
    We have by no means exhausted the list of things we can do 
at the domestic level to reduce the level of threat to where, 
in fact, at a foreign policy level we can start ignoring it.
    Ms. Clarke. Let me ask Mr. Bejtlich, it seems that most 
consumers and corporations still look to anti-virus software as 
state-of-the-art. Recently, however, it seems that the market 
has been clamoring for new approaches, particularly focusing on 
resilience and mitigation strategies when companies are 
inevitably hacked.
    Over the years, have you noticed a real shift in companies' 
level of awareness of the cybersecurity threats to their 
business, and have companies been realizing that traditional 
anti-virus approaches just won't cut it and are they now 
looking for more sophisticated approaches to mitigating their 
risk?
    Mr. Betjlich. The best-performing companies that Mandiant 
interacts with have generally gone through a traumatic 
experience, where they have had a large intrusion, and they 
have realized that all of the approaches that they have adopted 
were not sufficient to stop the intruder, and they tend to 
adopt more of a fast-and-accurate detection model, followed by 
response and containment.
    You still need anti-virus. You still need these other 
technologies that will deal with a certain group of threats, 
but you have to realize there will be that gap a sophisticated 
or determined intruder will get through, and then you need to 
find them quickly and deal with them.
    So, while I will say that is becoming more accepted at the 
top tier, at the small- or medium-business level, they don't 
have the resources, the awareness. It is truly a big problem at 
those other levels.
    Mr. Meehan. Thank you, Ranking Member Clarke.
    The Chairman will now recognize Mr. Perry for his 
questions, if he has them.
    Mr. Perry. Thank you, Mr. Chairman.
    Thank you, gentlemen. It is a fascinating topic, and I am 
hopeful it is one that we can find some bipartisan cooperation 
on, although I think it is vexing every single one of us in the 
room how we work on that.
    With that, I would like to just get right to a whole host 
of questions.
    Regarding supply-chain cyber-threats, is that something 
that is legitimate? Should we be concerned? What countries 
would export such things so that users or purchasers would 
know, look, there is a potential danger in buying from X 
company, if that is appropriate to ask that kind of question.
    Anybody?
    Mr. Cilluffo. First crack at this. I think your colleagues 
at the House Permanent Select Committee on Intelligence, Mr. 
Rogers and Mr. Ruppersberger, did a fantastic service in 
identifying some of the potential concerns vis-a-vis Huawei and 
ZTE in particular.
    But I think it raises a bigger set of questions. We need to 
start baking security requirements into the design of our 
systems. Start with our weapons platforms and systems, and then 
we have got to start looking at critical infrastructure. To me, 
that is partially a Federal acquisition reform issue.
    We actually need to prioritize contracting acquisition 
opportunities for those that are baking security requirements. 
Yes, that is a big concern. I don't care how much security you 
have up here, if it is built on quicksand, who cares?
    Mr. Perry. So, with that, I mean, and with the Ranking 
Member's questions, I wonder, how much--first of all, is this 
information available to normal purchasers and users? Are 
products to thwart the threats that we are discussing 
commercially available on a wide scale right now?
    Mr. Betjlich. There is an emerging industry of companies, 
like Mandiant, who recognize that threats will get through, and 
you have to find them quickly and deal with it.
    However, there is still a large industry built around the 
legacy systems. To piggyback on Frank's comments, we have seen, 
through our own intrusion response, as the primary target gets 
harder, you move farther out into the ecosystem, and eventually 
you will get to the point where the ecosystem is hard enough 
that you have to start with the hardware, and then you work 
your way back in.
    So maybe that is why very hard targets, like the military, 
they have come to realize this is the No. 1 problem they have. 
It is not the No. 1 problem in private sector, but as the 
private sector gets its act together, you are gonna see the 
threat migrate to those supply chain problems.
    Mr. Perry. As a--I have spent over 30 years in the 
military, so I am really familiar with the IPB process and some 
other things that were discussed here, and I think that is kind 
of where most of us head.
    But I think in terms of selling this, for lack of a better 
phrase, to the public about the need for this and then how we 
address it, I think we are gonna have to discuss what is in it 
for them, and I think that it is hard to get your brain wrapped 
around that.
    So with that, let's say I have a firm that, like just about 
any other district, that makes some very critical components, 
whether it is defense or manufacturing, that they compete 
globally, who do they report it to? Like, what is the first 
phone call they make if they suspect? Where do people go?
    Mr. Betjlich. I would encourage anyone who believes that 
you are on the shopping list for an advanced threat, such as 
China or Russia, to have a relationship with your local FBI 
office.
    They will tell you whether or not the technology you 
produce or the business you are in is of interest to a foreign 
power. They will help you from that point forward.
    However, cyber still remains the one area where if there is 
a dead body on the ground, there is no police you call who will 
run to you and do the forensics and all that. For the most 
part, it is still a private-sector response.
    That is changing a little bit. I mean, in critical 
infrastructure, you can call the ICS-CERT and they will send a 
team. There is more of that going on.
    But my company was created 9 years ago because there was no 
one to call. So we are the ones that go out, and we answer the 
call on these intrusions.
    Mr. Cilluffo. Mr. Perry, could I----
    Mr. Perry. Absolutely. Please do.
    Mr. Cilluffo [continuing]. Very briefly. This is a little 
philosophical way to think about it. At the end of the day, we 
need to get to the 80 percent solution, which is not going to 
stop the APT threats. It is not gonna stop Russia. It is not 
going to stop China.
    Russia, by the way, is more in the HUMINT business, and 
they have integrated cyber to be part of the human intelligence 
business. That is why I would say from a tradecraft standpoint, 
they are actually higher than China, even.
    But the one thing I would suggest is you get to that 80 
percent solution so you can free up the limited resources that 
Uncle Sam has to focus on the real bad actors. Right now, they 
can't delineate between the kid in his mother's basement or the 
foreign intelligence service threat.
    We have got to get to the point where we can free up 
resources, limited as they are, to focus them on the higher 
end. That--you can't expect a company to defend themselves 
against the SVR. It is just--they are in the business of 
business.
    So we have got to build the business case. Any legislation 
should be comprehensive, but it should also incorporate 
incentives. It should also incorporate liability exemption. We 
do need to have--we don't want this to be a cigarette wrapped 
in asbestos, forgive the pun, but we really do need to build up 
our security capabilities, focus the limited resources on the 
high-end threat spectrum, and the private sector can handle the 
rest.
    But right now, there is an unfair playing field. They are 
defending against Chinese intelligence services. That is just 
not fair.
    Mr. Perry. Thank you.
    Mr. Meehan. Thank you, Mr. Perry.
    Now, we have not only been called to vote, but the time has 
expired on our vote. But we are trying to--Mr. Vela has 
participated with us, and I am very grateful for his presence.
    Mr. Vela, do you have a question for the panel that you 
would like to----
    Mr. Vela. Yes. I will make them quick.
    My question is: Given the significant energy production 
that we have in States like Texas, Pennsylvania, and the 
Dakotas, what is the real-life cyber threat to the energy 
sector in those places?
    Mr. Betjlich. So, Mandiant has responded to intrusions 
affecting the energy sector. We have not seen the intruders 
getting into the industrial control systems, but they have been 
in the corporate networks, and they have taken design 
documents, plans, other intellectual property.
    This has also been well-documented in the open press, in 
places like the Christian Science Monitor and elsewhere. So 
there is a real threat from espionage into the energy sector in 
the United States.
    Mr. Vela. So it is not just a matter of threat to the 
energy trading. It goes more to the intellectual property and 
the things that those companies work with.
    Mr. Betjlich. Yes, sir.
    Mr. Meehan. Let me thank this very, very distinguished 
panel.
    Once again, we have been called to votes, and I think 
rather than inconvenience you a second time, we are delighted 
and thankful that you have taken the time.
    I point all of those who are interested in this issue not 
just to the testimony you have given and the written testimony, 
but to the voluminous work each of you has done and the way you 
have helped us to frame this issue. I am hopeful that we can 
continue to work with you in this year ahead as we not only 
frame the issue, but work towards legislation to help us 
address the issues.
    I would like to ask unanimous consent that a statement from 
Mr. Dean Picciotti, president of Lexington Technology, a 
Philadelphia-based cybersecurity consulting firm, be included 
in the record.
    Without objection, so ordered.
    [The information follows:]
 Statement of Dean Picciotti, President, Lexington Technology Auditing
                             March 20, 2013
    Lexington Technology appreciates the opportunity to submit 
testimony for this important subcommittee hearing on protecting the 
Nation's critical infrastructure.
    It is important to explain the risks we face and how new 
legislation can strengthen our ability to protect this critical element 
of our country's civilian infrastructure. We need uniform minimum 
standards for cybersecurity defense and disaster recovery.
                       about lexington technology
    Founded in 2011 by long-time industry leaders, Lexington is a 
Philadelphia-based cybersecurity consulting firm that provides advice 
and services to mass transit systems, State court systems, school 
districts, and other government and quasi-government agencies. The 
firm's efforts are focused mainly on the systems relied upon for our 
region's data security. We spend most of our workdays in the 
cybersecurity ``trenches.'' It is from this view point that we offer 
this testimony.
                            what's at stake?
    The Earth is, crisscrossed by networks of wires, cables, waves, 
pulses, and signals. The computer systems that operate this world are 
all around us, yet just under the surface. Driven to design simplicity 
and ease of use into most systems, developers have learned to cleverly 
disguise the fact that you are even using a computer. But computers 
are, in every imaginable size, supporting every conceivable 
application--and it is all connected.
   Smartphones, laptops, mobiles, desktops
   ATMs, store barcode scanners, credit card swipe machines
   Telephone systems, television systems
   High-rise elevator and HVAC system controls
   Ordering systems, payment systems, money-moving systems
   Factory production systems, assembly lines
   Food processing and packaging systems
   City water systems, sewage systems, rail lines, traffic 
        signals
   Electric and gas utility processing/production and 
        distribution
    As the world becomes increasingly interconnected and reliant on 
computers to run everything from our coffeemakers, rail roads, 
elevators, court systems, and nuclear plants, cyber space has become 
the fifth domain of warfare, after land, sea, air, and space.
    It is important to keep in mind however, that the threats are not 
only from foreign shores but also from within our borders. 
Destabilizing a nation's cyber-infrastructure is not an exact science. 
The results are not necessarily foreseeable or controllable. However, 
forcing a nation-state into chaos without an identifiable adversary is 
a perfect tool for the asymmetric attacks of terrorists. There is 
little lead time. There is little chatter. Assembling the devices 
necessary rarely requires embargoed or highly-regulated materials.
         a flawed convergence strategy and aging infrastructure
    Two decades ago, in an attempt to save money in the growing 
software-based process control and automation industry, companies began 
to explore the logistics, implications, and benefits of converging the 
pathways that control desktops, servers, and industrial equipment. Many 
malicious attacks take advantage of the inherent flaws in this 
convergence strategy.
    One of the flaws in convergence is the introduction of USB Memory 
Sticks (the same ones you may have on your keychain) to the factory 
floor. Industrial equipment rarely has USB ports, but because of 
convergence these devices, which now share networks with office-grade 
equipment, are integrated (knowingly or unknowingly) with desktop 
computers. As a result of this convergence, power plants, pipeline 
networks, refineries, mass transit, high-rise HVAC, elevator systems, 
water and sewage plants, grain elevators, communications networks and 
other large-scale System Control and Data Acquisition (SCADA) 
applications are susceptible not only to internet-delivered attacks but 
also to USB stick-borne viruses, even when the network is completely 
isolated from the internet.
    Imagine these systems infiltrated by malware, crashing, rendered 
useless, at least temporarily. The data grid fails. The power grid 
fails. The communication grid fails. The transportation grid fails. 
Imagine the potential for panic--financial and otherwise--in the face 
of these cascading network failures.
    Our infrastructure presents a dangerous combination of known and 
unknown vulnerabilities in the cyber domain, strong and rapidly 
expanding adversary capabilities, and limited threat and vulnerability 
awareness. While we are more network-dependent than ever before, 
improved interconnectivity has drastically increased the threat of 
unauthorized entities from taking control of, or damaging our 
infrastructure. No longer is the threat limited to physical attacks or 
embedded personnel. Successful and attempted attacks may be initiated 
with complete anonymity from anywhere in the world.
    Our daily life, economic vitality, and National security rely upon 
our information technology infrastructure. As our complex economy 
demands more and more connectivity each year, we are simultaneously 
increasing the potential attack surface. The operation of our economy 
depends on a vast array of interconnected communications and power 
sources that, at present, stand vulnerable to attack.
                             recent attacks
    In January 2008 a 14-year-old boy derailed 4 trains in Poland using 
a modified television remote control.
    During the summer of 2011 several law enforcement agencies had 
their private emails leaked by Lulzsec, a small group of hackers that 
exploited weak SQL and PHP implementations on websites. This allowed 
them to deface websites and obtain username and password lists of 
authorized users. With that information, Lulzsec exploited the fact 
that many users use the same username and password combination on 
multiple sites: Disrupting our economy and reducing productivity.
    In 2012 a 24-year-old man gave a presentation at the DEF CON 
conference entitled ``How to Hack All the Transport Networks of a 
Country''. His presentation showed how a test to see whether free rides 
could be obtained allowed him to attach to internal processes, gain 
client data including financial information, and then how he was able 
to gain access to the System Control and Data Acquisition systems 
operating the entire transit system. He believes that the same, or 
similar, vulnerabilities exist in every transit system network in the 
world.
    Cyber incidents have increased dramatically since 2010 reports of 
nation-state, individual, and group attacks on infrastructure are 
occurring with regular frequency. In 2011, the DHS U.S. Computer 
Emergency Readiness Team (US-CERT) received more than 100,000 incident 
reports, and released more than 5,000 actionable cybersecurity alerts 
and information products. Preliminary reports have that number 
increasing dramatically in 2012 and beyond.
    The aftermath of Hurricane Sandy presented us with a brief glimpse 
of the dangers and hardship of a major transit system being shut down 
by a known natural occurrence. Imagine the devastation both in human 
lives, economic loss, and confidence should a coordinated attack bring 
down multiple transit systems or cause transit vehicles to be used as 
weapons of destruction.
    Recognizing the serious nature of this challenge, President Obama 
has made cybersecurity an administration priority and he reaffirmed the 
importance of securing our critical information systems by signing the 
Executive Order on Improving Critical Infrastructure Cybersecurity and 
Presidential Policy Directive (PPD) on Critical Infrastructure Security 
and Resilience on February 12, 2013.
    We need a concerted effort and substantial funding on the part of 
our Federal Government to create uniform minimum standards to protect, 
secure, and constantly monitor critical information and control 
systems. We also need uniform minimum standards for disaster recovery 
in the event of a successful attack. Organization and continued funding 
of these efforts has to be a top priority if we are to keep these 
systems operating safely.
                           minimum standards
    In order for the organizations that operate our critical 
infrastructure to be able to protect cyber systems from attack we need 
legislation that standardizes the minimum expectations for reasonable 
cybersecurity defenses and disaster recovery preparation.
    We need to make sure our critical infrastructure operators 
understand the expectations and have the information, tools, knowledge, 
and rights to continually update and harden systems against an ever-
evolving threat. We cannot depend solely on Government agencies to be 
able to detect attacks and then drop in and take over unfamiliar 
systems with the speed and knowledge necessary to circumvent or recover 
from an attack. That can only be accomplished by the individuals that 
work with those disparate and complex systems every day.
    The United States Government should work with non-Federal critical 
infrastructure organizations to provide the necessary resources to meet 
the highest standards and best practices available today and as set by 
the National Institute of Standards and Technology and the Pentagon as 
they're published and modified in the future.
    In conclusion, our critical infrastructure, our economy, and even 
our lives depend upon secure information technology systems and 
industrial control systems. The number and frequency of attacks are 
increasing and significant changes are needed now to protect our 
transportation systems to prevent a future disaster that could cripple 
our economy and/or result in large numbers of casualties.

    Mr. Meehan. I want to thank the witnesses for their 
valuable testimony and Members for their questions. The Members 
of the committee may have additional questions for the 
witnesses, and I will ask you to respond to those in writing if 
they are submitted with 10 days. We will hold the record open.
    Without objection, the subcommittee stands adjourned. Thank 
you.
    [Whereupon, at 4:01 p.m., the subcommittee was adjourned.]

                                 
