<html>
<title> - STRIKING THE RIGHT BALANCE: PROTECTING OUR NATION'S CRITICAL INFRASTRUCTURE FROM CYBER ATTACK AND ENSURING PRIVACY AND CIVIL LIBERTIES</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

     STRIKING THE RIGHT BALANCE: PROTECTING OUR NATION'S CRITICAL
    INFRASTRUCTURE FROM CYBER ATTACK AND ENSURING PRIVACY AND CIVIL
                               LIBERTIES

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 25, 2013

                               __________

                           Serial No. 113-13

                               __________

       Printed for the use of the Committee on Homeland Security

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                         U.S. GOVERNMENT PRINTING OFFICE

82-587 PDF                       WASHINGTON : 2013
-----------------------------------------------------------------------

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan,         Brian Higgins, New York
    Vice Chair                       Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Vacancy
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Jason Chaffetz, Utah                 William R. Keating, Massachusetts
Steve Daines, Montana                Filemon Vela, Texas
Scott Perry, Pennsylvania            Steven A. Horsford, Nevada
Vacancy                              Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas                 (ex officio)
    (ex officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk

                            C O N T E N T S

                              ----------
                                                                   Page

                               Statements

The Honorable Patrick Meehan, a Representative in Congress From
  the State of Pennsylvania, and Chairman, Subcommittee on
  Emergency Preparedness, Response, and Communications...........     1
The Honorable Yvette D. Clarke, a Representative in Congress From
  the State of New York, and Ranking Member, Subcommittee on
  Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Ranking Member, Committee on
  Homeland Security:
  Prepared Statement.............................................     5

                               Witnesses

Ms. Mary Ellen Callahan, Partner, Jenner & Block, and Former
  Chief Privacy Officer, U.S. Department of Homeland Security:
  Oral Statement.................................................     6
  Prepared Statement.............................................     8
Ms. Cheri F. McGuire, Vice President, Global Government Affairs &
  Cybersecurity Policy, Symantec:
  Oral Statement.................................................    14
  Prepared Statement.............................................    15
Ms. Harriet P. Pearson, Partner, Hogan Lovells:
  Oral Statement.................................................    19
  Prepared Statement.............................................    21


     STRIKING THE RIGHT BALANCE: PROTECTING OUR NATION'S CRITICAL
    INFRASTRUCTURE FROM CYBER ATTACK AND ENSURING PRIVACY AND CIVIL
                               LIBERTIES

                              ----------


                        Thursday, April 25, 2013

             U.S. House of Representatives,
     Subcommittee on Cybersecurity, Infrastructure
             Protection, and Security Technologies,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:19 p.m., in Room 311, Cannon House Office Building, Hon. Patrick Meehan [Chairman of the subcommittee] presiding.
    Present: Representatives Meehan, Rogers, Daines, Perry, Clarke, Keating, Vela, and Horsford.
    Mr. Meehan. The Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order.
    The subcommittee is meeting today to examine the balance between preventing a cyber attack on our Nation's critical infrastructure and ensuring privacy and civil liberties are protected. I will recognize myself for an opening statement.
    I would like to welcome everyone to today's hearing, which is titled, "Striking the Right Balance: Protecting Our Nation's Critical Infrastructure From Cyber Attack and Ensuring Privacy and Civil Liberties." During this Congress, our subcommittee has been examining the cybersecurity threat to individuals and to our critical infrastructure.
Our Nation has made great strides, but the threat is multi-faceted and we are only as strong as our weakest link.
    Earlier this week, we saw the ramifications of a hacked Twitter account that nearly sent our financial markets into a tailspin. While the Dow Jones Industrial Average has to recoup their losses, the lesson is clear: We are in an interconnected world. A successful attack on one network will certainly impact others.
    The Department of Homeland Security plays a crucial role in preventing cyber attacks on our Governmental and critical infrastructure key resources. As Chairman McCaul and I and the Ranking leadership work together, we have continued to use our efforts to craft legislation to bolster existing structures and improve the capabilities of the Department of Homeland Security. One of the key challenges will be to strike the balance of securing our networks and ensuring our protections for our citizens.
    Upon assuming the gavel of this subcommittee this year, I made sure I immediately reached out to leading privacy advocates. Groups like the American Civil Liberties Union and Center for Democracy & Technology have been instrumental in shaping the thinking as we have moved forward with the committee's work. Indeed, we must make clear that the purpose of sharing information is to prevent a cyber attack and nothing else. Any intelligence shared with the Government or with public or private entities must include protections for consumers and individuals.
    In order to accomplish this, we must ensure that we have a full understanding, first, what the threat is; next, what type of intelligence is necessary to share to prevent an attack; then what type of information is inadvertently caught in the net; and furthermore, what may be done once it is identified?
The answer to these questions, coupled with robust civilian oversight, a clear set of rules of conduct and liability protections for those acting in good faith will help shape the key policy initiatives for our subcommittee.
    I need to be clear and I think all of us share that right out front that the committee is not concerned with internet habits of ordinary Americans. It is our duty as Members of this committee to make sure that the Department does not monitor, collect, or store the on-line activity of law-abiding American citizens. Therefore, information that permits the identity of an individual to be directly or indirectly inferred, which is also referred to as personally identifiable information, must be protected.
    The Department of Homeland Security has significant inherent advantages that enable the Department to facilitate communication among 16 critical infrastructure sectors. The Department of Homeland Security Privacy Office is the first statutorily required privacy office in any Federal agency. The office is responsible for evaluating Department operations for potential privacy impacts and providing mitigation strategies to reduce the privacy impact.
    By employing Fair Information Practice Principles, or FIPPs, as it is known, the DHS Privacy Office is charged with ensuring that the Department's data collection methods are transparent, have specified purposes, and include data minimization, use limitation, data quality and integrity, security, accountability, and auditing. Those are FIPPs principles.
    It is for these reasons that many intelligence and cybersecurity experts point to DHS as manning a significant role in combating the threat.
In fact, the Director of the National Security Agency, General Keith Alexander, said that due to the Department's transparency, he sees DHS as an entry point for working with industry.
    Building our Nation's capacity to prevent cyber attacks is complex as it is essential. As a former United States attorney, I can tell you that the Department of Justice has a very important role to play in enforcing our cyber crime laws. We also must permit our military and foreign intelligence capabilities and those resources to protect our Nation's defense. Equally as important, the Department of Homeland Security has the mission of defending our Nation's key resources and the liberties guaranteed by our Constitution.
    We have an excellent panel of witnesses today who will help us answer these questions and hopefully help us find the balance. Moving forward, today's hearing aims to examine how DHS currently protects privacy and personally identifiable information. It addresses the legitimate privacy concerns that are inherent in sharing cybersecurity threat information and finds ways to strike that proper balance between privacy and security. No one should mistake the common cause of securing our homeland for authority to violate the civil liberties of Americans.
    The Chairman now recognizes the Ranking Minority Member, the gentlelady from New York, Ms. Clarke, for any statement she may have.
    Ms. Clarke. Mr. Chairman, I thank you for holding today's hearing. I am pleased to be joined today by this very distinguished panel of witnesses, and I would like to welcome Mary Ellen Callahan back to the committee for her first time since leaving the Department.
    Here on the Homeland Security committee, we have understood the need to balance security and privacy for quite some time.
Protecting our Nation from 21st Century threats requires vigorous coordinated action from our Government and State, local, private sector, and international partners. But if we go overboard to identify and eliminate every conceivable threat at any cost, we risk trampling the very rights of citizens we aim to protect. The need to find that proper balance has been a cornerstone of our committee's work on counterterrorism, on transportation security and certainly on today's topic, cybersecurity.
    Most of the Government's efforts in cybersecurity do not directly touch upon privacy issues, and that is an important distinction that is not made often enough. Many programs, such as the Department of Homeland Security's EINSTEIN program, do not involve the collection or sharing of any kind of personally identifiable information at all. The vast majority of all of the information needed to thwart cyber attacks consists of technical data, such as IP addresses and malicious code, which has little or nothing to do with someone's social security number or passwords.
    But where the private sector needs to share information with the Government to stop cyber attacks, every precaution must be taken to ensure the privacy of our citizens is ensured.
    Last month, we heard from the American Civil Liberties Union on the importance of protecting privacy in cyberspace. I am pleased that we are joined today by three witnesses, who can really speak to the nuts and bolts of challenges, protecting private data from both the Government and business perspectives. As we look toward crafting our own legislation to help protect critical infrastructure and improve our Nation's cybersecurity efforts, it is important to really nail down the specifics of protecting privacy.
    In order to get our approach to cybersecurity and privacy right, we must examine it from all the angles.
We must assess the current legal environment and identify challenges that companies must cope with in ensuring the privacy and security of their employees' and customers' data. We must determine the types of information needed by the Government to prevent the attacks and the intended uses of that information. We must examine how commercial cybersecurity providers interact with their customers and the Government to share threat information.
    Thankfully, our witnesses today cover the breadth of these issues with their testimony.
    I am particularly pleased we are joined by Harriet Pearson, who is one of the Fortune 1,000 first chief privacy officers and has been a trailblazer for developing information policies and practices for protecting the private data of employees--excuse me, consumers.
    Every American values their privacy and civil liberties as well as their security in cyberspace. I am confident that in building a lasting solution to our cybersecurity, we can adopt measures that will satisfy privacy advocates, the business community, and our citizens.
    That ends my statement, Mr. Chairman, and I yield back the balance of my time.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
                             April 25, 2013
    Here on the Homeland Security Committee, we have understood the need to balance security and privacy for a long time. Protecting our Nation from 21st Century threats requires vigorous, coordinated action from our Government and State, local, private-sector, and international partners.
    But if we go overboard to identify and eliminate every conceivable threat at any cost, we risk trampling the very rights of the citizens we aim to protect.
The need to find that proper balance has been a cornerstone of our committee's work, on counterterrorism, on transportation security, and certainly on today's topic, cybersecurity.
    Most of the Government's efforts in cybersecurity do not directly touch upon privacy issues, and that is an important distinction that is not made often enough. Many programs, such as the Department of Homeland Security's EINSTEIN program, do not involve the collection or sharing of any kind of personally identifiable information at all.
    And the vast majority of the information needed to thwart cyber attacks consists of technical data such as IP addresses and malicious code, which has little or nothing to do with someone's social security number or passwords. But where the private sector needs to share information with the Government to stop cyber attacks, every precaution must be taken to ensure that the privacy of our citizens is ensured.
    Last month we heard from the American Civil Liberties Union on the importance of protecting privacy in cyberspace, and I am pleased that we are joined today by three witnesses who can really speak to the nuts-and-bolts challenges of protecting private data, both from the Governmental and business perspectives.
    As we look towards crafting our own legislation to help protect critical infrastructure and improve our Nation's cybersecurity efforts, it is important to really nail down the specifics on protecting privacy.
    In order to get our approach to cybersecurity and privacy right, we must examine it from all the angles:
  * We must assess the current legal environment and identify challenges that companies must cope with in ensuring the privacy and security of their employees' and customers' data;
  * We must determine the types of information needed by the Government to prevent attacks, and the intended uses for that information;
  * And we must examine how commercial cybersecurity providers interact with their customers and the Government to share threat information.
    Thankfully, our witnesses today cover the breadth of these issues with their testimony. I am particularly pleased that we are joined by Harriet Pearson, who was one of the Fortune 1000's first chief privacy officers, and has been a trailblazer for developing information policies and practices for protecting the private data of employees and consumers.
    Every American values their privacy and civil liberties as well as their security in cyberspace, and I am confident that in building a lasting solution to our cyber insecurity, we can adopt measures that will satisfy privacy advocates, the business community, and our citizens.

    Mr. Meehan. I thank you, Ranking Member.
    The other Members of the committee are reminded that opening statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             April 24, 2013
    We are here to discuss ways to secure cyberspace and critical infrastructure from hackers while assuring that Constitutionally-guaranteed privacy and civil liberties are safeguarded.
    In the last 10 years, our society has become increasingly connected by computer networks. Networking technologies have changed our traditional notions of time and space. Our ability to reach the farthest corner of the earth has grown while the distance between us has shrunk. The world and all it has to offer is a click away and can be viewed on a screen in front of us.
    But this unprecedented connectivity and convenience has not come without a price. We face new kinds of dangers that may come for us at any time from any corner of the globe.
Destruction can be delivered with a keystroke.
    Unfortunately, cyber attacks are increasing. This Nation cannot unnecessarily delay implementation of cybersecurity programs to combat these threats. Those efforts must include responsible collaboration between private industry and the Government to ensure the greatest care is given to our citizens' private data. The protections we put in place and the information we share to combat the threats must not undermine the privacy that each American rightfully regards as a fundamental freedom.
    Working together, we can create a legal framework which encourages businesses to share enough information to reduce the likelihood of intrusions and prevent future harm without compromising privacy.
    But, Mr. Chairman, perhaps the most important weapon in our arsenal to protect privacy is ensuring that the Government's efforts are led by a civilian agency. Information sharing with Federal civilian agencies will provide the public with a sense of increased transparency and accountability because Congressional oversight and public information requests will enable Members of this body and members of the public to peek behind the curtain, ask questions, and find out what is happening.
    That is why I was proud to sponsor, with Chairman McCaul, an amendment to the Cyber Intelligence Sharing and Protection Act, which firmly established a center at the Department of Homeland Security to serve as the hub for cyber threat information sharing. As you know, this amendment was approved.
    Mr. Chairman, I thank you for holding today's hearing to bring the privacy question into sharp focus. In the coming months, I look forward to introducing legislation to further improve our Nation's cybersecurity posture, with a special emphasis on privacy implications. I would like to thank our witnesses for joining us today. I look forward to hearing the testimony.

    Mr. Meehan.
We really are pleased to have a very distinguished panel of witnesses before us today on this important topic. I don't think that there could have been a better group assigned, but this is a remarkably important issue, and I think you have the ability to help the American citizens understand where this area is in which important work is done to allow us to protect our homeland, but simultaneously significant and important work is being done and can be done to help us ensure that we protect the privacy interests of Americans. So I am hoping that we can educate those who don't really understand in this complex area what the parameters are.
    We have in this panel Ms. Mary Ellen Callahan, who we have had the privilege of having before this committee before, a Nationally recognized privacy attorney with an extensive background in consumer protection law. As the longest-serving former chief privacy officer of the United States Department of Homeland Security, the first statutorily-mandated privacy officer in any Federal agency, Ms. Callahan has a unique and broad knowledge of experience with the interface of protection of privacy, civil rights, and civil liberties with cybersecurity and National security issues.
    During her tenure at the Department of Homeland Security, Ms. Callahan also served as the chief Freedom of Information Officer, responsible for centralizing both FOIA and Privacy Act operations to provide policy and programmatic oversight and support implementation across the Department.
    Ms. Callahan is a founder and chair of Jenner & Block's privacy information governance practice.
    We have Ms. Cheri McGuire, who serves as vice president for global government affairs and cybersecurity policy at Symantec, where she is responsible for managing a global team focused on cybersecurity, data integrity, and privacy issues. Prior to joining Symantec, Ms. McGuire served as the director of critical infrastructure in cybersecurity in Microsoft's Trustworthy Computing Group and also as Microsoft's representative to the Industry Executive Subcommittee on the President's National Security Telecommunications Advisory Committee. Prior to joining Microsoft, Ms. McGuire served in numerous capacities at DHS, including as acting director and deputy director of the National Cybersecurity Division and US-CERT.
    We are very pleased to be joined as well by Ms. Harriet Pearson, a partner at Hogan Lovells, where she focuses on counseling clients on privacy and information security policy in compliance matters, data security incident response and remediation and information in cybersecurity risk management and governance. Ms. Pearson joined Hogan from IBM Corporation where she served as vice president, security counsel, and chief privacy officer. At IBM, she was responsible for information policy and practices affecting over 400,000 employees and thousands of clients. She also led IBM's global engagement public policy and industry initiatives relative to cybersecurity and data privacy. I think that outlines the tremendous qualifications and experience of this very, very distinguished panel.
    So the witnesses' full statements will appear in the record.
    The Chairman now recognizes Ms. Callahan for her testimony.

STATEMENT OF MARY ELLEN CALLAHAN, PARTNER, JENNER & BLOCK, AND
   FORMER CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF HOMELAND
                            SECURITY

    Ms. Callahan.
Thank you very much, sir.
    Chairman Meehan, Ranking Member Clarke, distinguished Members of the subcommittee, thank you for the opportunity to appear before you again today.
    My name is Mary Ellen Callahan, and I am a partner at the law firm of Jenner & Block, where I chair the privacy and information governance practice and counsel private-sector clients on integrating privacy and cybersecurity.
    As the Chairman noted, from March 2009 to August 2012, I served as the chief privacy officer at the U.S. Department of Homeland Security. I have worked as a privacy professional for 15 years and have National and international experience in integrating privacy into business and Government operations. I am appearing before this subcommittee in my personal capacity.
    As the subcommittee knows and as Ms. McGuire will detail more thoroughly, the United States critical infrastructure faces significant cybersecurity threats. However, cybersecurity and privacy must be integrated in order to effectively--most effectively protect those valuable assets.
    The Department of Homeland Security has taken multiple steps, including several during my 3 1/2-year tenure to integrate privacy into the DHS cybersecurity programs. First, as the Chairman noticed, DHS has thoroughly integrated the Fair Information Practice Principles into all of its programs, including cybersecurity. The FIPPs are eight interdependent principles that create a framework for how information may be used and shared in a manner that protects privacy: Transparency; individual participation; purpose specification; data minimalization; use limitation; data quality and integrity; security; and accountability and auditing.
    DHS has furthermore been very transparent about its cybersecurity capabilities.
For example, DHS published several privacy impact assessments, or PIAs, detailing pilot programs and information sharing among and between different entities, including a pilot program with the National Security Agency and an information-sharing program with the defense industrial base.
    The Department engaged privacy advocates and private-sector representatives on its cybersecurity activities through a Federal advisory committee subcommittee, multiple meetings with advocates, and with Congressional testimony such as before this committee.
    The Department has already hired multiple cybersecurity privacy professionals in order to embed them into the infrastructure at DHS. These privacy professionals review and provide comments and insight into cybersecurity standard operating procedures, statements of work, contracts, and international cyber information-sharing agreements. These privacy professionals also provide cyber-specific privacy training to the cybersecurity analysts to supplement the privacy training required for DHS employees and contractors.
    Furthermore, an important tenet of the FIPPs is the concept of accountability. Given the importance of the DHS mission in cybersecurity, the DHS Privacy Office conducted a privacy compliance review in late 2011. My office found that the cybersecurity program was generally compliant with the requirements outlined with cybersecurity privacy impact assessments. This compliance review is available in the DHS Privacy Office website, as are all the privacy documents referenced in my written testimony.
    Since I left DHS, I know through public knowledge that the Department continues to work to embed privacy protections into its cybersecurity activities.
For example, its advisory committee, the Data Privacy and Integrity Advisory Committee, issued a robust paper for DHS to consider when implementing information-sharing pilots and programs with other entities, including the private sector. Furthermore, in January 2013, DHS published a thoughtful and comprehensive privacy impact assessment covering the Enhanced Cybersecurity Services, also known as ECS--we have a lot of acronyms, and I am sorry about that--ECS is a voluntary program based on the sharing of indicators of malicious cyber activity between DHS and participating commercial service providers.
    The information-sharing implementation standards described in the ECS PIA are concrete examples of privacy by design and should well position DHS to effectively implement the increased information sharing mandated in the 2013 Executive Order. In addition, just this week, the Department announced that it will deploy EINSTEIN 3 Accelerated, known as E3A, network intrusion prevention capabilities on Federal Government networks as a managed security service provided by ISPs, rather than placing the entire response on the Federal Government.
    DHS will share threat information it receives through E3A consistent with its existing policies and procedures. The way E3A is structured should enhance privacy, protect the Federal civilian Executive branch departments and agencies, and provide a nimble response to the evolving cyber threat.
    The continued integration of privacy and cybersecurity is crucial for effective cybersecurity protections. In my 15 years, it is clear that privacy integration into the operational aspects of any activity makes the program both more effective and more likely to protect privacy.
I believe DHS has appropriately and effectively integrated privacy and cybersecurity, both in its Federal Executive responsibilities and as an information-sharing responsibility.
    Thank you for the opportunity to appear before you this afternoon. I am happy to take any questions.
    [The prepared statement of Ms. Callahan follows:]
               Prepared Statement of Mary Ellen Callahan
                             April 25, 2013
    Chairman Meehan, Ranking Member Clarke, distinguished Members of the subcommittee, thank you for the opportunity to appear before you today. My name is Mary Ellen Callahan. I am a partner at the law firm of Jenner & Block, where I chair the Privacy and Information Governance practice and counsel private-sector clients on integrating privacy and cybersecurity. From March 2009 to August 2012, I served as the chief privacy officer at the U.S. Department of Homeland Security (DHS or Department). I have worked as a privacy professional for 15 years, and have National and international experience in integrating privacy into business and Government operations. I am appearing before this subcommittee in my personal capacity, and not on behalf of any other entity.
    As this subcommittee knows, the United States' critical infrastructure, including Government assets, faces significant cybersecurity threats. Cybersecurity and privacy must be integrated in order to most effectively protect valuable assets. Furthermore, if done right, increased cybersecurity (with appropriate standards and procedures) also means increased privacy.
    The Department of Homeland Security has taken multiple steps to integrate cybersecurity and privacy as part of the Department's cybersecurity mission. In fact, DHS has integrated privacy into its cybersecurity program since the EINSTEIN program was launched in late 2003.
Shortly thereafter, the Department published one of its first \nPrivacy Impact Assessments (PIA) on EINSTEIN 1 (a network flow system), \ndetailing the privacy protections that DHS embedded into its \ncybersecurity program from the beginning, and being transparent about \nthose protections.\\1\\ In 2008, DHS conducted a PIA on the second \niteration of the DHS cybersecurity program, EINSTEIN 2 (adding an \nintrusion detection capability).\\2\\ These PIAs exemplify the concept of \n``privacy by design'' and are important foundational considerations for \na large operational department like DHS.\n---------------------------------------------------------------------------\n    \\1\\ EINSTEIN 1, developed in 2003, provides an automated process \nfor collecting computer network security information from voluntary \nparticipating Federal executive agencies. It works by analyzing network \nflow records. Even though DHS was not required to do a PIA given no \npersonally identifiable information (PII) was being collected, DHS \nconducted a PIA (DHS/NPPD/PIA/001) on EINSTEIN 1 in September 2004 for \ntransparency, available at: http://www.dhs.gov/xlibrary/assets/privacy/\nprivacy_pia_einstein.pdf.\n    \\2\\ As with EINSTEIN 1, EINSTEIN 2 passively observes network \ntraffic to and from participating Federal Executive Branch departments \nand agencies' networks. In addition, EINSTEIN 2 adds an intrusion \ndetection system capability that alerts when a pre-defined specific \ncyber threat is detected and provides the US-CERT with increased \ninsight into the nature of that activity. The May 2008 PIA (DHS/NPPD/\nPIA-008) is available at: http://www.dhs.gov/xlibrary/assets/privacy/\nprivacy_pia_einstein2.pdf.\n---------------------------------------------------------------------------\n   i. 
dhs integration of privacy protections into its cybersecurity \n                                programs\n    During my 3 1/2-year tenure at DHS, we further integrated privacy \ninto the DHS cybersecurity programs in several ways.\n    1. Integration of the Fair Information Practice Principles into DHS \n        Cybersecurity Programs.--As noted below, DHS has thoroughly \n        integrated the Fair Information Practice Principles (FIPPs) \n        into its cybersecurity programs. The FIPPs are the ``widely-\naccepted framework of defining principles to be used in the \n        evaluation and consideration of systems, processes, or programs \n        that affect individual privacy.''\\3\\\n---------------------------------------------------------------------------\n    \\3\\ National Strategy for Trusted Identities in Cyberspace, April \n2011, available at: http://www.whitehouse.gov/sites/default/files/\nrss_viewer/NSTICstrategy_041511.pdf.\n---------------------------------------------------------------------------\n    The FIPPs are eight interdependent principles that create a \n        framework for how information may be used and shared in a \n        manner that protects privacy: Transparency; individual \n        participation; purpose specification; data minimization; use \n        limitation; data quality and integrity; security; and \n        accountability and auditing.\\4\\ During my tenure, my office \n        worked tirelessly to integrate the FIPPs into all DHS programs, \n        including cybersecurity.\n---------------------------------------------------------------------------\n    \\4\\ DHS adopted the eight FIPPs as a framework for Privacy Policy \non December 29, 2008; see DHS Privacy Policy Guidance Memorandum 2008-\n01, available at: http://www.dhs.gov/xlibrary/assets/privacy/\nprivacy_policyguide_2008-01.pdf.\n---------------------------------------------------------------------------\n    2. 
Transparency.--DHS has been very transparent about its \n        cybersecurity capabilities. During my tenure, DHS published \n        several PIAs detailing pilot programs and information sharing \n        among and between different Government entities. First, DHS \n        discussed via PIA a 12-month proof of concept to determine the \n        benefits and issues presented by deploying the EINSTEIN 1 \n        capability to Michigan State government networks managed by the \n        Michigan Department of Information Technology.\\5\\ Shortly \n        thereafter, DHS completed both a classified and unclassified \n        PIA for the ``Initiative Three Exercise''\\6\\ of the \n        Comprehensive National Cybersecurity Initiative.\\7\\ In the \n        Initiative Three Exercise, DHS engaged in an exercise to \n        demonstrate a suite of technologies that could be included in \n        the next generation of the Department's EINSTEIN network \n        security program, such as an intrusion prevention capability. \n        This demonstration used a modified complement of system \n        components then being provided by the EINSTEIN 1 and EINSTEIN 2 \n        capabilities, as well as a DHS test deployment of technology \n        developed by the National Security Agency (NSA) that included \n        an intrusion prevention capability. 
The DHS Privacy Office \n        worked with DHS and the NSA to be as transparent as possible \n        with the Exercise, including naming NSA (and its role in the \n        Exercise) expressly in the PIA.\n---------------------------------------------------------------------------\n    \\5\\ Privacy Impact Assessment Update for the EINSTEIN 1: Michigan \nProof of Concept, February 19, 2010, (DHS/NPPD/PIA-013) available at: \nhttp://www.dhs.gov/xlibrary/assets/privacy/\nprivacy_pia_nppd_einstein1michigan.pdf.\n    \\6\\ US-CERT: Initiative Three Exercise Privacy Impact Assessment \n(unclassified), March 18, 2010, (DHS/NPPD/PIA-014) available at: http://\nwww.dhs.gov/xlibrary/assets/privacy/privacy_pia_nppd_initiative3.pdf.\n    \\7\\ See http://www.whitehouse.gov/cybersecurity/comprehensive-\nnational-cybersecurity-initiative for a description of all 12 \ncybersecurity initiatives.\n---------------------------------------------------------------------------\n    In early 2012, DHS published a PIA on its information-sharing pilot \n        with the Defense Industrial Base;\\8\\ after 180 days and a \n        series of evaluations of its effectiveness, the PIA was updated \n        to reflect the establishment of a permanent program to enhance \n        cybersecurity of participating Defense Industrial Base entities \n        through information-sharing partnerships. The permanent program \n        was announced via PIA shortly before my departure.\\9\\\n---------------------------------------------------------------------------\n    \\8\\ Privacy Impact Assessment for the National Cyber Security \nDivision Joint Cybersecurity Services Pilot (JCSP), January 16, 2012, \n(DHS/NPPD/PIA-021) available at: http://www.dhs.gov/xlibrary/assets/\nprivacy/privacy_nppd_jcsp_pia.pdf. 
(N.B., this PIA has been retired \nwith the release of the ECS PIA in January 2013, referenced below).\n    \\9\\ Privacy Impact Assessment Update for the Joint Cybersecurity \nServices Program (JCSP), Defense Industrial Base (DIB)--Enhanced \nCybersecurity Services (DECS), July 18, 2012, (DHS/NPPD/PIA-021(a)) \navailable at: http://www.dhs.gov/xlibrary/assets/privacy/privacy-pia-\nupdate-nppd-jcps.pdf. (N.B., this PIA update has been retired with the \nrelease of the ECS PIA in January 2013, referenced below).\n---------------------------------------------------------------------------\n    Furthermore, one of my last acts as Chief Privacy Officer was to \n        approve a comprehensive PIA that described the entire National \n        Cybersecurity Protection System (NCPS), a programmatic PIA that \n        explains and integrates all the NPPD/Cybersecurity and \n        Communication (CS&C) cyber programs in a holistic document, \n        rather than the previous patchwork PIAs that were snapshots in \n        time of CS&C capabilities.\\10\\ This NCPS PIA helps provide a \n        comprehensive understanding of the CS&C cybersecurity program, \n        further increasing transparency.\n---------------------------------------------------------------------------\n    \\10\\ National Cybersecurity Protection Program Privacy Impact \nAssessment, July 30, 2012, (DHS/NPPD/PIA-026) available at: http://\nwww.dhs.gov/sites/default/files/publications/privacy/privacy-pia-nppd-\nncps.pdf.\n---------------------------------------------------------------------------\n    3. Outreach and engagement with advocates and private-sector \n        representatives.--The Department engaged privacy and civil \n        liberties advocates and private-sector representatives about \n        its cybersecurity activities in several ways. 
First, as part of \n        the Cyberspace Policy Review conducted by the administration in \n        2009,\\11\\ the Department met with privacy and civil liberties \n        advocates and academicians (at a Top Secret/SCI level) to \n        discuss the Advanced Persistent Threat landscape, and \n        Government response. That ad hoc meeting led to the creation of \n        a subcommittee of DHS' Federal Advisory Committee Act-\n        authorized committee, the Data Privacy and Integrity Advisory \n        Committee (DPIAC).\\12\\ The members and the experts on the DPIAC \n        subcommittee (including privacy and civil liberties advocates, \n        academicians, and private-sector representatives) were briefed \n        frequently at the Top Secret/SCI level. After my departure, the \n        DPIAC subcommittee produced an excellent report on integrating \n        privacy into the DHS information-sharing pilots and programs, \n        discussed below.\n---------------------------------------------------------------------------\n    \\11\\ Cyberspace Policy Review: Assuring a Trusted and Resilient \nInformation and Communications Infrastructure, 2009, available at: \nhttp://www.whitehouse.gov/assets/documents/\nCyberspace_Policy_Review_final.pdf.\n    \\12\\ The DHS Data Privacy and Integrity Advisory Committee provides \nadvice at the request of the Secretary of Homeland Security and the DHS \nChief Privacy Officer on programmatic, policy, operational, \nadministrative, and technological issues within the DHS that relate to \nPII, as well as data integrity and other privacy-related matters. The \ncommittee was established by the Secretary of Homeland Security under \nthe authority of 6 U.S.C. § 451 and operates in accordance with the \nprovisions of the Federal Advisory Committee Act (FACA) (5 U.S.C. 
App).\n---------------------------------------------------------------------------\n    In addition to the systematic engagement of advocates, \n        academicians, and private-sector representatives through the \n        DPIAC subcommittee, DHS also discussed its embedded privacy and \n        cybersecurity protections in several public fora, including \n        Congressional testimony,\\13\\ public articles,\\14\\ and multiple \n        public presentations before the DPIAC on DHS cyber \n        activities.\\15\\\n---------------------------------------------------------------------------\n    \\13\\ See, e.g., The Cybersecurity Partnership Between the Private \nSector and Our Government: Protecting Our National and Economic \nSecurity, Joint Committee Hearing before Senate Committee on Homeland \nSecurity and Governmental Affairs and Senate Committee on Commerce, \nScience, and Transportation, March 7, 2013 (testimony of Secretary \nJanet Napolitano); DHS Cybersecurity: Roles and Responsibilities to \nProtect the Nation's Critical Infrastructure, Hearing before House \nCommittee on Homeland Security, March 13, 2013 (testimony of Deputy \nSecretary Jane Holl Lute); Examining the Cyber Threat to Critical \nInfrastructure and the American Economy, Hearing before House Committee \non Homeland Security, March 16, 2011 (testimony of NPPD Deputy Under \nSecretary Philip Reitinger).\n    \\14\\ See, e.g., Securing Cyberspace While Protecting Privacy and \nCivil Liberties, Homeland Security Blog (by Secretary Janet \nNapolitano), April 2, 2013, available at: http://www.dhs.gov/blog/2013/\n04/02/securing-cyberspace-while-protecting-privacy-and-civil-liberties; \nOp-Ed: A Civil Perspective on Cybersecurity, (Jane Holl Lute and Bruce \nMcConnell), WIRED, February 14, 2011, available at: http://\nwww.wired.com/threatlevel/2011/02/dhs-oped/all/.\n    \\15\\ See, e.g., on March 18, 2010, Deputy Assistant Secretary for \nCybersecurity and Communications Michael A. 
Brown presented to DPIAC on \ncomputer network security and related privacy protections in DHS, \nincluding the Department's role in the CNCI (focusing on the DHS \nPrivacy Office's work on PIAs for EINSTEIN 1, EINSTEIN 2, and the \nproof-of-concept pilot project of the EINSTEIN 1 capabilities with the \nU.S. Computer Emergency Readiness Team and the State of Michigan), the \nNational Cyber Incident Response Plan (NCIRP), and the National \nCybersecurity and Communications Integration Center, US-CERT, DHS I&A, \nand the National Cybersecurity Center; on July 11, 2011, the Senior \nPrivacy Officer for NPPD Emily Andrew described how her office was \nintegrated into the NPPD structure.\n---------------------------------------------------------------------------\n    The DHS Privacy Office (and NPPD) also frequently met with privacy \n        advocates to discuss cybersecurity considerations, either when \n        a new program or initiative was announced, or during the \n        quarterly Privacy Information for Advocates meetings instituted \n        in 2009.\\16\\\n---------------------------------------------------------------------------\n    \\16\\ See DHS Privacy Office Annual Report, July 2009 to June 2010 \nat 66 for a discussion of the Privacy Information for Advocates \nquarterly meetings, available at: http://www.dhs.gov/xlibrary/assets/\nprivacy/privacy_rpt_annual_2010.pdf.\n---------------------------------------------------------------------------\n    4. Dedicated Cyber Privacy Personnel.--To be engaged and be able to \n        effectively integrate privacy protections, the Department has \n        hired multiple cyber privacy professionals. These cyber privacy \n        professionals focus on integrating the FIPPs of purpose \n        specification, data minimization, use limitation, data quality \n        and integrity, and security systematically into NCSD \n        activities. 
For example, the Senior Privacy Officer for the \n        National Protection and Programs Directorate (reporting to the \n        Directorate leadership) was hired in August 2010; she has a \n        dedicated privacy analyst on-site with CS&C and both are \n        integrated into planning and implementation processes. In the \n        DHS Privacy Office, there has been a liaison with NPPD \n        cybersecurity organizations since the first EINSTEIN PIA was \n        written; currently that position is Director, Privacy and \n        Technology. This Director of Privacy and Technology was, for a \n        period of time, embedded at the NSA as part of the development \n        of the enhanced relationship between the NSA and DHS.\\17\\\n---------------------------------------------------------------------------\n    \\17\\ Memorandum of Agreement Between The Department of Homeland \nSecurity and The Department of Defense Regarding Cybersecurity, \nSeptember 2010, available at: http://www.dhs.gov/xlibrary/assets/\n20101013-dod-dhscyber-moa.pdf.\n---------------------------------------------------------------------------\n    When I was Chief Privacy Officer, I actively participated in \n        numerous cybersecurity policy planning organizations within the \n        Department.\n    5. 
Involvement and Coordination on Standard Operating Procedures, \n        and Operational Aspects of DHS Cybersecurity Activities.--As \n        part of its mission to implement the FIPPs and to integrate \n        privacy protections into DHS cybersecurity activities, DHS \n        privacy professionals review and provide comments and insight \n        into cybersecurity Standard Operating Procedures (SOPs) \n        (including protocols for human analysis and retention of cyber \n        alerts, signatures, and indicators for minimization of \n        information that could be PII), statements of work, contracts, \n        and international cyber-information sharing agreements.\n    6. Cyber-specific Privacy Training for Cybersecurity Analysts and \n        Federal Privacy Professionals.--These cyber privacy \n        professionals provide cyber-specific privacy training to \n        cybersecurity analysts to supplement the privacy training \n        required for DHS employees and contractors. 
In my opinion as a \n        privacy professional, the more relevant and concrete you can \n        make privacy training, the more likely the audience will \n        understand and incorporate privacy protections into their daily \n        activities, thus increasing personal accountability.\n    During my tenure, the Department also engaged in a year-long \n        Speakers Series for members of the Federal Government community \n        to discuss privacy and cybersecurity issues, and their impact \n        on Federal operations.\\18\\ The Federal Government-wide access \n        to the Speakers Series helped enhance awareness of the \n        cybersecurity and privacy issues, along with providing an \n        interagency communications channel on privacy and cybersecurity \n        questions.\n---------------------------------------------------------------------------\n    \\18\\ See DHS Privacy Office Annual Report, July 2011-June 2012 at \n27 for a discussion of the four-part Speakers Series, available at: \nhttp://www.dhs.gov/sites/default/files/publications/privacy/Reports/\ndhs_privacyoffice_2012annualreport_September 2012.pdf.\n---------------------------------------------------------------------------\n    7. Accountability of the Cybersecurity Program Through Privacy \n        Compliance Review.--An important tenet of the FIPPs is the \n        concept of accountability--periodically reviewing and \n        confirming that the privacy protections initially embedded into \n        any program remain relevant, and that those protections are \n        implemented.\n    While I was DHS Chief Privacy Officer, I instituted ``Privacy \n        Compliance Reviews'' (PCRs) to confirm the accountability of \n        several of DHS's programs.\\19\\ We designed the PCR to improve a \n        program's ability to comply with assurances made in PIAs, \n        System of Records Notices, and formal information-sharing \n        agreements. 
The Office conducts PCRs of on-going DHS programs \n        with program staff to ascertain how required privacy \n        protections are being implemented, and to identify areas for \n        improvement.\n---------------------------------------------------------------------------\n    \\19\\ See id., DHS Privacy Office Annual Report, July 2011-June 2012 \nat 39-40 for a detailed discussion of Privacy Compliance Reviews.\n---------------------------------------------------------------------------\n    Given the importance of the DHS mission in cybersecurity, the DHS \n        Privacy Office conducted a Privacy Compliance Review in late \n        2011, publishing it in early 2012.\\20\\ The DHS Privacy Office \n        found NPPD/CS&C generally compliant with the requirements \n        outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise PIA. \n        Specifically, NPPD/CS&C was fully compliant on collection of \n        information, use of information, internal sharing and external \n        sharing with Federal agencies, and accountability requirements.\n---------------------------------------------------------------------------\n    \\20\\ Privacy Compliance Review of the EINSTEIN Program, January 3, \n2012, available at: http://www.dhs.gov/xlibrary/assets/privacy/\nprivacy_privcomrev_nppd_ein.pdf.\n---------------------------------------------------------------------------\n    My office made five recommendations to strengthen program \n        oversight, external sharing, and bring NPPD/CS&C into full \n        compliance with data retention and training requirements. NPPD \n        agreed with our findings and, as I understand it, has taken \n        multiple steps to address our recommendations. For example, in \n        response to one of the recommendations, the NPPD Office of \n        Privacy now conducts quarterly reviews of signatures and \n        handling of personally identifiable information. 
These reviews \n        have provided increased awareness to US-CERT staff and have \n        helped to build positive working relationships with cyber \n        analysts and leadership. This is important in continuing to \n        integrate cybersecurity and privacy, by understanding the \n        impact of each.\n    In addition, as this subcommittee knows, the DHS Chief Privacy \n        Officer has unique investigatory authorities; therefore, in the \n        unlikely event that something went awry in the future, the \n        Chief Privacy Officer can investigate those activities.\\21\\\n---------------------------------------------------------------------------\n    \\21\\ 6 U.S.C. § 142(b). See ibid., DHS Privacy Office Annual \nReport, July 2011-June 2012 at 40 for a discussion of the DHS Chief \nPrivacy Officer investigatory authorities.\n---------------------------------------------------------------------------\n      ii. dhs continues to integrate privacy protections into its \n                         cybersecurity programs\n    Since I left DHS, I know through public information that the \nDepartment continues to work to embed privacy protections in its \ncybersecurity activities.\nA. 
DPIAC Cybersecurity Report\n    The DPIAC issued a robust advisory paper for DHS to consider when \nimplementing information-sharing pilots and programs with other \nentities, including the private sector.\\22\\ The report addresses two \nimportant questions in privacy and cybersecurity--``what specific \nprivacy protections should DHS consider when sharing information from a \ncybersecurity pilot project with other agencies?'' and ``what privacy \nconsiderations should DHS include in evaluating the effectiveness of \ncybersecurity pilots?''\n---------------------------------------------------------------------------\n    \\22\\ Report from the Cyber Subcommittee to the Data Privacy and \nIntegrity Advisory Committee (DPIAC) on Privacy and Cybersecurity \nPilots, Submitted by the DPIAC Cybersecurity Subcommittee, November \n2012, available at: http://www.dhs.gov/sites/default/files/\npublications/privacy/DPIAC/dpiac_cyberpilots_10_29_2012.pdf.\n---------------------------------------------------------------------------\n    The DPIAC report supported in large part what DHS had been doing \nwith regard to privacy protections incorporated in its cybersecurity \npilots and programs. 
DPIAC recommended the following best practices \nwhen sharing information from a cybersecurity pilot project with other \nagencies: Incorporate the FIPPs into cybersecurity activities; develop \nand implement clear data minimization rules and policies; provide \nemployees and public users of Federal systems notice and transparency \nof the collection, use, and sharing of information for cybersecurity \npurposes; when engaging in information sharing that includes PII or \ncontent of private communications, information sharing should be \nlimited to what is necessary to serve the pilot's purposes (with \ndefined limits on law enforcement, National security, and civilian \nagency sharing); have more robust safeguards for information from \nprivate networks; define data retention policies to keep records no \nlonger than needed to fulfill the purpose of the pilot; and integrate \nprivacy by design and privacy-enhancing technologies whenever possible.\n    This type of insight from privacy advocates, academicians, and \nprivate-sector representatives will enhance DHS' considerations of \nprivacy-protective options when sharing cybersecurity information.\nB. Enhanced Cybersecurity Services PIA\n    Furthermore, in January 2013, DHS published a thoughtful and \ncomprehensive PIA covering the Enhanced Cybersecurity Services (ECS), a \nvoluntary program based on the sharing of indicators of malicious cyber \nactivity between DHS and participating Commercial Service \nProviders.\\23\\ The purpose of the program is to assist the owners and \noperators of critical infrastructure to enhance the protection of their \nsystems from unauthorized access, exploitation, or data exfiltration \nthrough a voluntary information-sharing program. ECS is intended to \nsupport U.S. 
critical infrastructure; however, pending deployment of \nEINSTEIN intrusion prevention capabilities, ECS may also be used to \nprovide equivalent protection to participating Federal civilian \nExecutive branch agencies.\\24\\\n---------------------------------------------------------------------------\n    \\23\\ Privacy Impact Assessment for the Enhanced Cybersecurity \nServices (ECS), January 16, 2013, DHS/NPPD/PIA-028, available at: http://\nwww.dhs.gov/sites/default/files/publications/privacy/\nprivacy_pia_nppd_ecs_jan2013.pdf.\n    \\24\\ This PIA consolidates and serves as a replacement to the two \nPIAs I mentioned earlier: DHS/NPPD/PIA-021 National Cyber Security \nDivision Joint Cybersecurity Services Pilot PIA, published on January \n13, 2012, and the DHS/NPPD/PIA-021(a) National Cyber Security Division \nJoint Cybersecurity Services Program (JCSP), Defense Industrial Base \n(DIB)--Enhanced Cybersecurity Services (DECS) PIA Update, published on \nJuly 18, 2012.\n---------------------------------------------------------------------------\n    The ECS PIA is exemplary of how to integrate privacy protections \ninto cybersecurity programs, particularly when engaging in information \nsharing with the private sector. This ECS PIA is the culmination of all \nof the hard work that I summarized above, including the DPIAC \ncybersecurity report.\n    It is clear DHS continues to embed privacy protections into \ncybersecurity activities. 
The information sharing and implementation \nstandards described in the ECS PIA are concrete examples of privacy by \ndesign, and should well position DHS to effectively implement the \nincreased information sharing mandated by the February 12, 2013 \nExecutive Order on Improving Critical Infrastructure Cybersecurity.\\25\\\n---------------------------------------------------------------------------\n    \\25\\ Executive Order on Improving Critical Infrastructure \nCybersecurity, available at: http://www.whitehouse.gov/the-press-\noffice/2013/02/12/executive-order-improving-critical-infrastructure-\ncybersecurity.\n---------------------------------------------------------------------------\nC. EINSTEIN 3 Accelerated (E3A) PIA\n    In addition, just this week, the Department announced that it will \ndeploy EINSTEIN 3 Accelerated (E3A) network intrusion prevention \ncapabilities on Federal Government networks as a Managed Security \nService provided by Internet Service Providers (ISPs), rather than \nplacing the entire response on the Federal Government.\\26\\\n---------------------------------------------------------------------------\n    \\26\\ Privacy Impact Assessment for EINSTEIN 3--Accelerated (E3A), \nApril 19, 2013 (DHS/PIA/NPPD-027), available at: http://www.dhs.gov/\nsites/default/files/publications/privacy/PIAs/\nPIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf.\n---------------------------------------------------------------------------\n    The use of ISPs as a Managed Security Service is noteworthy from a \nprivacy perspective for several reasons. First, the coordination and \ncollaboration of the ``best of breed'' Federal classified and \nunclassified capabilities combined with the nimbleness (and proprietary \ncapabilities) of the private-sector ISPs will allow a more robust \nresponse to evolving cybersecurity threats. 
It is an important \nrecognition by DHS that Federal cybersecurity programs did not need to \nre-invent cybersecurity protections when defending Federal Government \nnetworks, but could supplement existing commercial intrusion prevention \nsecurity systems to provide a more robust prevention and detection \nregime for the Federal civilian Executive branch.\n    Second, integrating cybersecurity threat detection and intrusion \nprevention will allow DHS to better detect, respond to, or \nappropriately counter, known or suspected cyber threats within the \nFederal network traffic it monitors, which helps protect the target \nsystems from unauthorized intrusions (and therefore implements the \nsecurity FIPP). It is important to emphasize--E3A monitors only \nselect internet traffic either destined to, or originating from, \nFederal civilian Executive branch departments and agencies (commonly \nknown as .gov traffic). This data minimization and segregation is also \nprivacy-protective; the ISP Managed Security Service can be \ncompartmentalized to affect only .gov traffic. The participating \nagencies will identify a list of IP addresses for their networks and \nboth CS&C cybersecurity analysts and the ISPs verify the accuracy of \nthe list of IP addresses provided by the agency. CS&C SOPs are followed \nin the event that any out-of-range network traffic is identified, and \nthe ISP removes any collected data to prevent any further collection of \nthis network traffic. This too is a privacy-protective approach, \nfurther confirming that the only impacted traffic is Federal civilian \nExecutive branch departments and agencies.\n    DHS will share cyber threat information it receives through E3A \nconsistent with its existing policies and procedures (which have been \nthoroughly reviewed by the Department's cyber privacy professionals). 
\nIn accordance with the SOPs and information-handling guidelines, all \ninformation that could be considered PII is reviewed prior to inclusion \nin any analytical product or other form of dissemination, and replaced \nwith a generic label when possible, again protecting privacy. The way \nE3A is structured should enhance privacy, protect the Federal \ncivilian Executive branch departments and agencies, and provide a \nnimble response to the evolving cybersecurity threat.\n iii. integration of privacy principles into cybersecurity is crucial \n                  for effective cybersecurity programs\n    The continued integration of privacy and cybersecurity is crucial \nfor effective cybersecurity protections. In my experience based on 15 \nyears as a privacy professional as both outside counsel and chief \nprivacy officer at DHS, it is clear that integrating privacy into the \noperational aspects of any activity makes the program both more \neffective and more likely to protect privacy. For example, providing \ntailored training, and engaging the analysts or employees in the field \nfacilitates the integration of privacy into daily operations. Ex ante \nreview of programs and anticipating issues such as unintended uses, \ndata minimization, and defined standards for information sharing are \nalso important to confirm privacy protections are working throughout \nthe life cycle of information collection. Embedding privacy protections \ninto SOPs and information-handling guidelines helps to further the goal \nof the project while assuring that privacy protections are \nsystematically integrated into a program or service. 
Finally, \ntransparency is the cornerstone for any privacy program to succeed.\n    These privacy-by-design factors are important any time an \norganization incorporates privacy into a new program, but they are \nparticularly important with an operational cybersecurity program such as \nthe DHS National Cybersecurity Protection System which continuously \ncounters emerging cybersecurity threats and applies effective risk \nmitigation strategies to detect and deter these threats. Integrating \nprivacy from the beginning--and periodically testing to confirm that \nthe integration continues--is the only way to effectively protect \ncybersecurity and privacy. In fact, if done right, increased \ncybersecurity also means increased privacy.\n    To address threats and minimize the impact on Federal facilities \nand critical infrastructure, key agencies and critical infrastructure \ncompanies must share information about cybersecurity threats. That \nsaid, such information sharing must occur in a thoughtful, clearly-\ndesigned process that also minimizes the impact on individual privacy. \nI believe that DHS has appropriately and effectively integrated privacy \nand cybersecurity both in its Federal Executive branch responsibilities \nand in its information-sharing responsibilities as articulated in the \nECS and related cybersecurity PIAs. Currently, I advise private-sector \nclients that this privacy-by-design approach should be taken to most \neffectively combat cybersecurity threats by both increasing \ncybersecurity protections and protecting privacy.\n    Thank you for the opportunity to appear before you this afternoon. \nI would be happy to take any questions you may have.\n\n    Mr. Meehan. Thank you, Ms. Callahan.\n    The Chairman now recognizes Ms. McGuire for your testimony.\n\n     STATEMENT OF CHERI F. MCGUIRE, VICE PRESIDENT, GLOBAL \n      GOVERNMENT AFFAIRS & CYBERSECURITY POLICY, SYMANTEC\n\n    Ms. McGuire. 
Chairman Meehan, Ranking Member Clarke, and \ndistinguished Members of the subcommittee, thank you for the \nopportunity also to testify today on behalf of Symantec \nCorporation. We are the largest security software company in \nthe world, with over 31 years of experience in providing \nsecurity, storage, and systems management solutions. With more \nthan 21,000 employees and operations in more than 50 countries, \nprotecting critical infrastructure, Government, and citizens' \ndata is core to our mission and our business.\n    My name is Cheri McGuire. I am the vice president for \nglobal government affairs and cybersecurity policy, where I lead \na team that addresses the global public policy agenda for the \ncompany, including data integrity, critical infrastructure \nprotection, cybersecurity, and privacy issues.\n    At Symantec, we are committed to assuring the privacy, \nsecurity, availability, and integrity of our customers' \ninformation. Too often, security is portrayed as being in \nconflict with or somehow undermining privacy. However, in the \ndigital world, nothing could be further from the truth, because \nyour privacy is only as secure as your data. Criminals and \nhackers, many of whom are well-funded and highly skilled, have \nbuilt a business model based on their ability to steal and \nmonetize personal information.\n    Recent efforts to improve the Nation's cybersecurity \nposture have recognized that privacy and security must be \naddressed in tandem. Symantec supports an approach that allows \nus to share threat indicators and related non-PII within \nindustry and within Government.\n    Now, I would like to talk briefly about today's threat \nlandscape. As we briefed the committee last week, our latest \ninternet security threat report noted that, in 2012, \napproximately 93 million identities were exposed through \nhacking, theft, and simple user error. 
We also found that there \nwas a 42 percent rise in targeted attacks, an increasing number of \nwhich are directed at small businesses.\n    Finally, we saw a 58 percent rise in attacks designed to go \nafter mobile devices. Simply put, every year, threats are \nincreasing and becoming more sophisticated. Sharing actionable \nthreat and vulnerability information is an essential element to \ncombating threats like these. As a general rule, we believe \nthat voluntary information-sharing programs are the best way to \ndevelop trusted partnerships to achieve the best results. That \ntrust is weakened when Government information-sharing mandates \nare imposed on industry.\n    In order for information sharing to be effective, it must be \nshared in a timely manner with the right people or organization \nand with the understanding that, as long as an entity shares \ninformation in good faith, it will not face legal liability.\n    In addition, the Government must have the proper tools and \nauthorities to disseminate information effectively. We were \npleased that the Executive Order the President signed in \nFebruary and legislation passed in the House last week sent a \nclear message to the Government that sharing actionable \ninformation for cybersecurity purposes with the private sector \nis both a priority and a necessity.\n    Information sharing on cyber threats happens in a number of \nways designed to protect our customers and their data. We get \ninformation from a myriad of sources, from our customers, our \npartners, the Government and our network--and through our \nnetwork, called the global intelligence network of 69 million \nattack sensors.\n    The information itself can be high-level threat data, \ndetails about a particular incident or attack, data signatures \nor other types of metadata. All of this data is then aggregated \nand analyzed, and during that process, we remove PII. 
Using \nthis data, we develop machine-level signatures and other \nidentifying information about specific pieces of malware and \nother threats. We also regularly publish analyses of attacks as \nwell as white papers on current and future threat factors.\n    In closing, Symantec is deeply committed to securing the \nprivacy and security of our customers' information. I hope that \nmy testimony today has provided some insight into how we \nprotect our customers' privacy and share threat information \nwith our various partners while also balancing that with the \nneed for robust cybersecurity. Thank you, again, for the \nopportunity to testify today, and I am happy to answer any \nquestions you may have.\n    [The prepared statement of Ms. McGuire follows:]\n                 Prepared Statement of Cheri F. McGuire\n    Chairman Meehan, Ranking Member Clarke, and distinguished Members \nof the subcommittee, thank you for the opportunity to testify today on \nbehalf of Symantec Corporation.\n    My name is Cheri McGuire and I am the vice president for global \ngovernment affairs and cybersecurity policy at Symantec. I am \nresponsible for Symantec's global public policy agenda, including \ncybersecurity, data integrity, critical infrastructure protection \n(CIP), and privacy. In this capacity, I work extensively with industry \nand Government organizations, including serving from 2010 to 2012 as \nchair of the Information Technology Sector Coordinating Council (IT \nSCC)--one of 16 critical sectors identified by the President and the \nU.S. Department of Homeland Security (DHS) to partner with the \nGovernment on CIP and cybersecurity. I also serve as a board member of \nthe Information Technology Industry Council, the TechAmerica Commercial \nPolicy Board, and the U.S. Information Technology Office (USITO) in \nChina, and am a past board member of the IT Information Sharing and \nAnalysis Center (IT-ISAC). 
Prior to joining Symantec in August 2010, I \nwas director for critical infrastructure and cybersecurity in \nMicrosoft's Trustworthy Computing Group. Before joining Microsoft in \n2008, I served in numerous positions at DHS, including as acting \ndirector and deputy director of the National Cyber Security Division \nand U.S. Computer Emergency Readiness Team (US-CERT).\n    Symantec is the largest security software company in the world, \nwith over 31 years of experience in developing internet security \ntechnology. We are the global leader in providing security, storage, \nand systems management solutions to help consumers and organizations \nsecure and manage their information and identities. We protect more \npeople and businesses from more on-line threats than anyone in the \nworld. Symantec has developed some of the most comprehensive sources of \ninternet threat data through our Global Intelligence Network (GIN). \nComprised of approximately 69 million attack sensors, the GIN records \nthousands of events per second and covers over 200 countries and \nterritories 24 hours a day, 7 days a week. It allows us to capture \nworld-wide security intelligence data that gives our analysts an \nunparalleled view of the entire internet threat landscape, including \nemerging cyber attack trends, malicious code activity, phishing, and \nspam.\n    Symantec also maintains one of the world's most comprehensive \nvulnerability databases, currently consisting of more than 51,000 \nrecorded vulnerabilities (spanning more than 2 decades) from over \n16,000 vendors representing over 43,000 products. Every day we process \nmore than 3 billion e-mail messages and more than 1.4 billion web \nrequests across our 14 global data centers. In short, if there is a \nclass of threat on the internet, Symantec knows about it.\n    At Symantec, we are committed to assuring the privacy, security, \navailability, and integrity of our customers' information. 
Too often \nsecurity is portrayed as being in conflict with or somehow undermining \nprivacy. In the digital world, nothing could be further from the truth, \nbecause your privacy is only as secure as your data.\n    We welcome the opportunity to provide comments as the committee \ncontinues its important efforts to bolster the state of cybersecurity \nwhile protecting privacy in the United States and abroad. In my \ntestimony today, I will provide the subcommittee with:\n  <bullet> our latest analysis of the threat landscape as detailed in \n        the just-released Symantec Internet Security Threat Report \n        (ISTR), Volume 18;\n  <bullet> our core privacy principles;\n  <bullet> an overview of the current information-sharing environment; \n        and\n  <bullet> a summary of how we ensure privacy when we share threat \n        information.\n                        today's threat landscape\n    We rely on technology for virtually every aspect of our lives, from \ndriving to and from work, to mobile banking, to securing our most \ncritical systems. As the use of technology increases so do the volume \nand sophistication of the threats. At Symantec, it is our goal to \nensure that we are thinking ahead of the attackers. Looking at the \ncurrent threat landscape is not enough--we must also keep our eyes on \nthe horizon for evolving trends.\n    In the latest Symantec Internet Security Threat Report (ISTR), we \ndetail that in 2012, approximately 93 million identities were exposed \nthrough hacking, theft, and simple error. That is 93 million \nindividuals whose personal information is now potentially for sale in \nthe black market--93 million people who are at risk for credit card \nfraud, identity theft, and other illegal schemes.\n    We also found that there was a 42 percent rise in targeted attacks \nlast year.\\1\\ It is almost certain that this trend will continue in the \ncoming years. 
Conducting successful targeted attacks requires attackers \nto do research about the organizations they are seeking to penetrate, \nand often about specific people who work there. Attackers will mine the \ninternet for information about how a company does business and use what \nthey learn to craft personalized attacks designed to gain access to its \nsystems. Once they gain access, they will move within a system, \ncollecting information and staging data for exfiltration--the \nunauthorized transfer or release of data from a computer or server--to \ntheir own computers. Attackers can spend weeks and months covertly \nmoving around a victim's system, collecting e-mail, personal data, \ndocuments, intellectual property, and even trade secrets.\n---------------------------------------------------------------------------\n    \\1\\ Symantec Internet Security Threat Report XVIII, April 2013. \nhttp://www.symantec.com/security_response/publications/\nthreatreport.jsp.\n---------------------------------------------------------------------------\n    We also saw a sharp rise in the exploitation of mobile malware. \nLast year, mobile malware increased by 58 percent, and 32 percent of \nall mobile threats attempted to steal personal information, such as e-\nmail addresses and phone numbers. Attacks on mobile devices will almost \ncertainly continue to rise as we become ever more reliant on these \ndevices to perform our daily activities, such as working, banking, \nshopping, and social networking.\n    Another alarming finding was the rise of attacks on small and \nmedium-size businesses. In 2012, 50 percent of all targeted attacks \nwere aimed at businesses with fewer than 2,500 employees, and the \nlargest growth area for targeted attacks was aimed at businesses with \nfewer than 250 employees. Thirty-one percent of all attacks targeted \nthem, up from 18 percent the year before. 
This likely stems from the \nfact that unlike large enterprises, smaller businesses often do not \nhave the resources to install adequate security protocols, making them \nan easier target for attackers. Yet many of these small companies \nsubcontract or work for larger companies--and thus hold intellectual \nproperty and trade secrets coveted by attackers. As one of our security \nengineers likes to say, while every subcontractor may sign a strict \nnon-disclosure agreement, the attacker who is sitting on that small \ncompany's system is not bound by it.\n    In sum, whether they are attacking our computers, mobile phones, or \nsocial networks, cyber-criminals are looking to profit by spying on us \nor stealing our information. Our best defense is strong security, \neducation, and good computer hygiene.\n                  privacy and security go hand-in-hand\n    At Symantec, we are guided by the following privacy principles: \nFirst, customers should be empowered to decide how their personal \ninformation is used, and informed what--if anything--will be done with \nit. Second, privacy protections must be integrated into the development \nof products or services and not added as an afterthought. Finally, we \nall need to be proactive in protecting privacy--absent strong security, \ninformation is vulnerable.\n    Criminals and hackers--many of whom are well-funded and highly \nskilled--have built a business model based on their ability to steal \nand monetize personal information. There is an entire criminal eco-\nsystem that trades in stolen personal information, as well as the tools \nand technology that allow them to steal more. Some of these criminal \nenterprises are so sophisticated that they provide 24/7 customer \nsupport, and offer guarantees that the stolen information they provide \nis valid.\n    In the face of this criminal threat, it should go without saying \nthat strong security is essential to securing our personal data and \nprivate information. 
Simply put, if your data is not secure, then \nneither is your privacy. And, if you do not take steps to secure your \nown personal information, or the companies to which you entrust it do \nnot do so, you are gambling with your privacy. When it comes to \npersonal data, security measures and data protection are not an \ninfringement on privacy but instead are the foundations of protecting \nit.\n    Recent efforts to improve the Nation's cybersecurity posture--\nwhether legislative initiatives or Executive branch actions--have \nrecognized that privacy and security must be addressed in tandem. The \nvarious bills in the House and the Senate have taken different \napproaches, but in the information-sharing area there is broad \nagreement that both the Government and the private sector need to be \nable to share cybersecurity information for cybersecurity purposes. \nThis view also is shared by many prominent civil society organizations. \nReaching consensus on the precise parameters of those terms is where \ncomplications have arisen. Symantec supports an approach that allows us \nto share threat indicators and related non-Personally Identifiable \nInformation (PII) within industry and with the Government. In our view, \ncompanies should receive legal protection for sharing appropriate \ninformation with other companies or civilian agencies, and we believe \nthat data minimization standards are a reasonable approach.\n              the current information-sharing environment\n    Globally, there are many different information-sharing models, \nranging from voluntary programs to regulatory mandates to ad hoc \narrangements to contractual agreements. Sharing can be Government-to-\nGovernment, business-to-business, and between Government and business. \nAs a general rule, we believe that voluntary programs--which of course \nleave space for contractual and ad hoc arrangements--are the best way \nto develop trusted partnerships to achieve the best results. 
In the \nUnited States, we have a voluntary framework based on the National \nInfrastructure Protection Plan (NIPP).\\2\\ The NIPP, as refined by the \nrecent Presidential Decision Directive 21, establishes 16 critical \ninfrastructure sectors and identifies a sector-specific Federal agency \nfor each.\\3\\\n---------------------------------------------------------------------------\n    \\2\\ National Infrastructure Protection Plan (2009), http://\nwww.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.\n    \\3\\ The 2009 National Infrastructure Protection Plan (http://\nwww.dhs.gov/xlibrary/assets/NIPP_Plan.pdf) identified 18 critical \ninfrastructure sectors. Presidential Decision Directive 21 (Critical \nInfrastructure Security and Resilience, signed February 12, 2013) \nrevised that to 16. See http://www.whitehouse.gov/the-press-office/\n2013/02/12/presidential-policy-directive-critical-infrastructure-\nsecurity-and-resil.\n---------------------------------------------------------------------------\n    Within each sector, there are Government Coordinating Councils \n(GCC) and Sector Coordinating Councils (SCC). Nearly all sectors also \nhave chartered Information Sharing and Analysis Centers (ISAC), \noperational entities that are tied to industry and serve as a focal \npoint for voluntary information sharing. The level of trusted \npartnership and engagement among the GCCs, SCCs, and ISACs varies from \nsector to sector. Symantec has a long and successful history of \nparticipation and leadership in various multi-industry organizations as \nwell as public-private partnerships in the United States and globally, \nincluding the National Cyber-Forensics & Training Alliance (NCFTA), the \nIT-ISAC, the Industry Botnet Group Mitigation Initiative, and many \nothers.\n    Effective sharing of actionable information among the public and \nprivate sectors on cyber threats, vulnerabilities, and incidents is an \nessential component of improving cybersecurity. 
It is important to \nrecognize that information sharing is not an end goal, but rather is \none of a number of tools to enhance the security of IT systems. Good \ninformation sharing provides situational awareness so that appropriate \nprotective and risk mitigation actions can be put into place. In order \nfor information sharing to be effective, information must be shared in \na timely manner, must be shared with the right people or civilian \norganizations, and must be shared with the understanding that so long \nas an entity shares information in good faith, it will not face legal \nliability.\n    The NCFTA provides a good example of how private industry and law \nenforcement partnerships can yield real-world success. NCFTA is a \nPittsburgh-based organization that includes more than 80 industry \npartners--from financial services and telecommunications to \nmanufacturing and others--working with Federal and international \npartners to provide real-time cyber threat intelligence.\n    The IT-ISAC is another example of a successful public-private \npartnership. The group's primary purpose is to allow organizations to \nexchange information about security threats and vulnerabilities. Member \ncompanies report information concerning security problems that they \nhave or solutions to such problems that they have found. Members also \nparticipate in National and homeland security efforts to strengthen IT \ninfrastructure through cyber threat information sharing and analysis. \nThe IT-ISAC also has an industry-funded representative that works at \nthe National Cybersecurity & Communications Integration Center (NCCIC) \nto facilitate real-time information sharing and response.\n    One of the most successful U.S. public-private partnerships has \nbeen cybersecurity exercises. 
The level of engagement and resources \nbrought to bear from the Government and industry to jointly plan and \ndevelop scenarios, define information-sharing processes, and execute \nthe exercises has been unprecedented. When done right, the lessons \nlearned from these exercises have been invaluable to both industry and \nGovernment to help improve response plans and improve preparedness for \nfuture incidents.\n    In addition, the Government must have the proper tools and \nauthorities to disseminate information effectively. I have seen too \nmany instances of the Government releasing information on cyber threats \ndays and sometimes weeks after a threat has been identified. In many of \nthese cases, by the time the Government releases the information it \noften has little use because the private sector has already identified \nand taken actions to mitigate the threat. There is no single solution \nthat will eliminate these delays, but various legislative proposals \nmove us one step closer to eliminating some of the legal barriers that \ncurrently impede sharing. Moreover, the Executive Order (EO) the \nPresident signed in February 2013 sent a clear message to the \nGovernment that sharing information with the private sector is both a \npriority and a necessity.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ See Executive Order 13636, ``Improving Critical Infrastructure \nCybersecurity,'' 78 Fed. Reg. 11739 (February 19, 2013).\n---------------------------------------------------------------------------\n    Further, we also support an incentive-based approach to information \nsharing. There is no doubt that businesses can gain a competitive \nadvantage by not disclosing information to their competitors. However, \na well-incentivized program of collaboration can help offset those \ndisadvantages and keep the information flowing freely. 
We also need to \naddress policies that discourage businesses that would be willing to \nshare information but choose not to because of fear of prosecution. \nTherefore, liability protections are necessary to improve bi-\ndirectional information sharing.\n    As with any partnership, information sharing is founded upon and \nenabled by trust. That trust is weakened when Government information-\nsharing mandates are imposed on industry. Enhanced self-interest and a \nflexible approach are more likely to improve information sharing than \nGovernment mandates.\n           protecting privacy as we share threat information\n    At Symantec, we understand the vital importance of sharing \ninformation for cybersecurity awareness and response. We recognize that \ninformation stored on our servers is sensitive, confidential, and often \npersonal in nature. Therefore, we take very seriously our role in \nsafeguarding our customers' personal information and go to great \nlengths to ensure that personal information remains private.\n    Information pertaining to customers such as credit card \ninformation, addresses, or other PII is not shared under any \ncircumstances unless we are compelled by law, following appropriate due \nprocess. In addition, we comply with the Payment Card Industry Data \nSecurity Standard and follow specific rules under our privacy program \nto ensure that we collect only data that is proportionate for the \npurposes for which it is collected, and that is relevant and necessary \nfor the services provided.\n    Information sharing on cyber threats happens in a number of ways \nand for various reasons. We get information from myriad sources--from \nour customers, our partners, the Government, and our network of \nsensors. The information itself can be high-level threat data, details \nabout a particular incident or attack, data signatures, or other \ninformation. All of this data is then aggregated and analyzed, and \nduring that process we remove PII. 
The resulting work product can range \nfrom machine-level signatures or identifying information for a specific \npiece of malware to a quick analysis of a particular attack to a \npublished white paper on current and future threat vectors. This work \nproduct can then be provided to our customers and partners in both the \nprivate sector and the Government, depending on the particular \nparameters of the sharing agreement.\n    In some cases, the communication is purely bilateral--a customer \nprovides us information about activity on its system (either manually \nor through an automated sensor), and we report back on what we see \nhappening. Other times we share it broadly, including sometimes \npublicly, but only after removing any PII to ensure that the report \ncannot be linked to a particular individual or customer. When we share \nreports on attack trends or publish white papers on particular threats, \nPII is removed as part of long-standing policy and we only share \ninformation directly related to the cyber threat. We have legal and \norganizational safeguards to ensure that information is only disclosed \nto the intended partners and only used for the express purpose.\n    In closing, Symantec is deeply committed to securing the privacy \nand security of our customers' information. Thank you again for the \nopportunity to testify, and I will be happy to answer any questions you \nmay have.\n\n    Mr. Meehan. Thank you, Ms. McGuire.\n    The Chairman now recognizes Ms. Pearson to testify.\n\n    STATEMENT OF HARRIET P. PEARSON, PARTNER, HOGAN LOVELLS\n\n    Ms. Pearson. Thank you very much, Chairman Meehan, Ranking \nMember Clarke, and Members of the subcommittee.\n    My name is Harriet Pearson. I am a partner in the Hogan \nLovells law firm, where I focus on cybersecurity and privacy \nlaw. 
From November 2000 until July 2012, I served as the IBM \ncorporation's chief privacy officer and security counsel, and I \nhave been engaged in this area of privacy and security since \nthe mid-1990s.\n    Thank you for the opportunity to participate in today's \nhearing on how we in the United States in the business \ncommunity and in Government can protect our critical \ninfrastructure from cyber-based threats while safeguarding \nindividual privacy.\n    Let me start with the observation that the relationship \nbetween cybersecurity and privacy is complex, as we have heard. \nOn the one hand, cybersecurity that protects data from \nintrusion, theft, and misuse obviously is a significant privacy \nsafeguard that cannot be understated. On the other hand, some \ncybersecurity measures that monitor access and use of systems \nand digital networks can implicate the collection of personal \ninformation, or PII, where data can be linked to individuals \nand thus raises some privacy concerns.\n    Understanding that relationship and integrating privacy \ninto cybersecurity has never been more important. As we have \nheard and as the committee well knows, the threat is out there. \nThere are risks, and the risks come in multiple forms, \nparticularly for those businesses that are part of the critical \ninfrastructure and that have to take these measures. The \nprivate sector's role in this respect is vital. You know that \nthe critical information, much of it and much of the most \nvaluable intellectual property of our society are owned and \nmanaged largely by the private sector. Therefore, the steps \nthat companies take to safeguard their most precious \npossessions and assets and figuratively to lock up and secure \ntheir premises are very significant. 
Increasingly companies are \nstepping up to that challenge and taking those measures.\n    Let me articulate a couple of, or give you a couple of \nexamples of the kinds of measures that might implicate some \nlevel of collection or access to potentially personal \ninformation. There are some measures, such as systems and \nnetwork monitoring; you have to know what is going on in your \nsystems. You might have to access and collect some personal \ninformation. Background checks, more of us are bringing our own \ndevices and hooking them up to sensitive or important networks, \nand you have to make and take safeguards. Supply chain and \nvendor networks need to be secured, and sometimes you need \ninformation. Information sharing, as has been discussed with \nGovernment and other entities in the private sector, might also \nat times implicate some kind of personal information and thus \nsteps need to be taken.\n    My recommendations for how these concerns can be addressed \nstart with the premise that it can be addressed. There are \nresponsible ways and many organizations are already taking \nthose steps in the business community. Some suggestions for how \nand observations on how organizations are taking those steps \ninclude, first, we have talked already on the panel, and \nChairman and Ranking Member talked about the Fair Information \nPractice Principles, or the FIPPs. That is an important acronym \nto keep in mind in my view. Applying the FIPPs is what privacy \nprofessionals do in the United States all day long, every day, \nin many situations. 
Applying FIPPs to information sharing and \nother cybersecurity measures and steps is absolutely critical.\n    Second, one of the most foundational elements of the FIPPs \nis this notion of transparency, articulating what you are \ndoing, educating and being open about the steps taken, not of \ncourse to the degree that it compromises the important security \nmeasures that need to be taken but articulating it so that \nthere is some understanding of the measures and that there is \nsome ability to say, hmm, what is going on, let's have a \nconversation about it in the democratic tradition of the United \nStates.\n    Third, we have in this country a tradition of creating \ncodes of conduct, voluntary measures that once organizations \nbuy into them and engage in them, actually become quite \nimportant as a measure of establishing base lines of behavior \nin business. I endorse the development of voluntary codes of \nconduct for the privacy-sensitive deployment of certain \ncybersecurity measures and programs that are common enough to \nwarrant such effort. Examples of this might include \ninformation-sharing codes of conduct in which organizations \nthat engage in information-sharing partnerships with each other \nand with Governmental agencies develop and commit to adopt \nprivacy-sensitive practices such as the one that Ms. McGuire \nmentioned.\n    Another example is the new work that is being undertaken by \nNIST, as mandated by the recently-issued Executive Order on \ncritical infrastructure cybersecurity, to develop a privacy--to \ndevelop a cybersecurity framework. 
As you know, NIST is \nconsulting with multiple stakeholders on the development of \nthis kind of framework, and the committee can play an important \nrole in asking about and looking at the kind of privacy \nconsideration built into that framework.\n    Finally, through law, the expectations, responsibilities, \nand legal protections for privacy when data is shared or \nrequested by Government in particular need to be clear, and \nthere has been certain legislation enacted through this House \nthat has clarified the role and some important progress and \nlanguage has been included in that and further efforts by \nGovernment and industry leaders outside of this kind of \nlegislation will also be useful to educate and enable \nstakeholders involved in these activities to design privacy in \ninformation sharing and related activities.\n    Thank you for the opportunity to appear before you today, \nand I will be happy to take questions.\n    [The prepared statement of Ms. Pearson follows:]\n                Prepared Statement of Harriet P. Pearson\n                             April 25, 2013\n    Chairman Meehan, Ranking Member Clarke, and Members of the \nsubcommittee, my name is Harriet Pearson and I am a partner in the \nHogan Lovells law firm, where I focus on cybersecurity and privacy \nlaw.\\1\\ From November 2000 until July 2012 I served as the IBM \nCorporation's chief privacy officer and security counsel.\n---------------------------------------------------------------------------\n    \\1\\ My professional service includes membership on the advisory \nboards of the Future of Privacy Forum and the Electronic Privacy \nInformation Center. I was a founding and long-time member of the board \nof the International Association of Privacy Professionals. 
I also serve \non the American Bar Association president's Cybersecurity Legal Task \nForce, co-chair the Cybersecurity Law Institute of the Georgetown \nUniversity Law Center, and was a member of the CSIS Commission on \nCybersecurity for the 44th Presidency. The views I express are mine \nonly, and are not offered on behalf of Hogan Lovells or its clients, or \nother organizations.\n---------------------------------------------------------------------------\n    Thank you for the opportunity to participate in this hearing on how \nwe in the United States can protect our critical infrastructure from \ncyber-based threats while safeguarding individual privacy.\n    The relationship between cybersecurity and privacy is complex. On \nthe one hand, cybersecurity that protects data from intrusion, theft, \nand misuse obviously is a significant privacy safeguard. On the other \nhand, cybersecurity measures that monitor access and use can implicate \nthe collection of personal information (or data that can be linked to \nindividuals), and thus raise privacy concerns.\n    Organizations of all types increasingly are taking steps to protect \nthemselves and the people that rely on them from cyber-based threats. \nCyber threats come from many different sources. The risk to information \nsystems and the data that resides or travels on them can come from \nactivists, criminals, or spies. Most of the time, these bad actors \nattack from outside the company; sometimes, they strike from within. \nFrequently they are enabled by the carelessness or inattention of \notherwise well-meaning individuals who leave the digital analog of the \nfront door open for easy entry. 
And sometimes there is no affirmative \nattack at all, as in case where a system malfunction occurs or \nsensitive data is lost or misdirected by accident--presenting risks \nthat are still quite significant if such information gets into the \nwrong hands.\n    Since the critical infrastructure and the most valuable IP of our \nsociety are owned and managed largely by the private sector, the steps \ncompanies take to safeguard their most precious possessions and \nfiguratively to lock their doors, close their windows, and make sure \nonly authorized people and things cross the threshold are exactly the \nsteps needed to improve cybersecurity for society at large. Sharing \ninformation about observed threat patterns and vulnerabilities with \nother companies and with appropriate authorities is also part of the \nmix. This is akin to participating in a neighborhood watch that \ninvolves proactive and collaborative engagement with law enforcement.\n    While adoption of cybersecurity defenses will, as I noted, serve to \nprotect personal data (indeed, there can be no data privacy without \nsufficient security, including cybersecurity), some of the defense \ntechniques may require the monitoring or collection of personal \ninformation, and thus implicate privacy concerns.\n  <bullet> First, there is network and system monitoring.--Experts \n        agree that in order to detect and defend against cyber attacks, \n        organizations should be aware of how their information networks \n        and IT systems are behaving. Such monitoring typically is \n        focused on non-personal information such as malware indicators, \n        bad IP addresses, and network flow data. 
Of course, the more \n        specifically one monitors, and potentially records, activity, \n        the more potential there is that personal data will be part of \n        the information reviewed and/or collected.\n  <bullet> The next issue is that of background checks.--Not all cyber-\n        defense measures involve cyber tactics. Organizations \n        frequently find it prudent to conduct background checks--at \n        times quite extensive--on individuals with access to certain \n        sensitive systems and data. By definition, background checks \n        require the collection and use of personal information.\n  <bullet> A new aspect of data security arises from the ``Bring Your \n        Own Device'' phenomenon.--An increasing number of organizations \n        are allowing their workforce to use personally-owned \n        smartphones, PCs, and other devices. The steps organizations \n        take to secure such devices and the data that might be stored \n        on them often involve access to personal data.\n  <bullet> Steps taken to strengthen supply chain and vendor security \n        may also raise privacy issues.--Security-conscious enterprises \n        understand that the weakest link in their organization may lie \n        outside their formal control. Measures imposed on their vendors \n        and suppliers may require those third parties to conduct \n        background checks and share other information that has privacy \n        implications.\n  <bullet> Information sharing with third parties and Government \n        agencies means that personal information may be shared.--\n        Finally, but importantly, experts agree that rapid and \n        preferably automated cross-organizational sharing of cyber \n        threat information is essential to help detect and defend \n        against cyber attacks. And as Members well know, given the \n        recent passage of H.R. 
624, the Cyber Intelligence Sharing and \n        Protection Act, there can be significant privacy issues raised \n        by such sharing.\n    While each of these areas of cybersecurity techniques raises \nprivacy concerns, those concerns can be addressed responsibly.\n    First, consistent with the well-known Fair Information Practice \nPrinciples,\\2\\ data collection should be thoughtfully limited; used \nonly for the purpose of security or other carefully considered and \napproved purposes; retained only for as long as needed for security and \nother legitimate purposes; and shared only with those that need the \ndata for security or other carefully considered and approved purposes, \nwith accompanying limitations on their sharing, use, and retention. \nThese are concepts that privacy professionals in American business \napply every day, and close collaboration between privacy professionals \nand security personnel at companies is essential to ensure that the \nsecurity/privacy balance is correct and that Fair Information Practice \nPrinciples are applied to design privacy into cybersecurity programs.\n---------------------------------------------------------------------------\n    \\2\\ The U.S. privacy framework is based on underlying principles of \nfairness known as ``Fair Information Practice Principles'' or \n``FIPPs,'' which were first developed in the United States in the 1970s \nand have since influenced every privacy law, regulation, or code of \nconduct adopted in this and many other nations. 
The Fair Information \nPractice Principles focus on empowering individuals to exercise control \nover personal information that pertains to them, and on ensuring that \nmeasures are taken to achieve adequate data security.\n---------------------------------------------------------------------------\n    Second, there should be transparency as to the cybersecurity \nmeasures that organizations, especially operators of critical \ninfrastructure, increasingly are using. Transparency is fundamental to \nthe Fair Information Practice Principles. When implemented, it \nreassures individuals that the processing of information that relates \nto them is not being done in secret, thus enabling them to pursue any \nrecourse available if necessary.\n    As it relates to cybersecurity measures, transparency would include \nencouraging companies that are deploying network and systems monitoring \nto disclose their use of such measures (not in sufficient detail as to \ndefeat their operations, of course, but in enough detail that \nindividuals know about the systems monitoring the use of workplace \ntechnologies and the like). The more we inform and educate each other \nabout how cybersecurity systems work, and how privacy considerations \nare addressed in their design and implementation, the more these \nmeasures are demystified.\n    Third, I endorse the development of voluntary codes of conduct for \nthe privacy-sensitive deployment of cybersecurity measures and programs \nthat are common enough to warrant such effort. Examples might include \ninformation-sharing codes of conduct, in which organizations that \nengage in information-sharing partnerships with each other and with \nGovernmental agencies develop and commit to adopting privacy-sensitive \npractices. 
Another example is new work by the National Institute for \nStandards and Technology as mandated by the recently-issued Executive \nOrder on Improving Critical Infrastructure Cybersecurity, to develop a \nvoluntary Cybersecurity Framework that includes consideration of \nprivacy. As you know, NIST will be consulting with stakeholders in both \nGovernment and industry as it develops the Framework. This subcommittee \ncan keep the focus on privacy issues by showing interest in, and \nrequesting to see, how privacy is integrated into NIST's and others' \ncybersecurity efforts.\n    Finally, the expectations, responsibilities, and legal protections \nfor privacy when data is shared with or requested by Government need to \nbe clear. Legislation that clarifies the rules surrounding information \nsharing is a valuable first step, and it is encouraging to see that the \nprivacy issues associated with information sharing have been discussed \nand that language addressing these issues has been included in the \nlegislation proposed in this Congress. Further efforts by Government \nand industry leaders, outside of new legislation, will also be useful \nto educate and enable stakeholders involved in these activities to \ndesign privacy into information sharing and related activities.\n    Thank you for the opportunity to appear before you today and to \npresent my thoughts on how we can achieve a meaningful balance between \nprivacy and protecting the United States' critical infrastructure.\n\n    Mr. Meehan. Thank you, Ms. Pearson.\n    Thanks, each of you on the panel, for helping us to set the \ntable on this issue. Let me begin, because I think that may be \none of the places for us to begin to draw the parameters around \nthis issue to get to the places where we think the real crux of \nthe privacy issues find themselves.\n    I was struck by your testimony, Ms. 
Callahan, where you said, \nif done right, increased cybersecurity with appropriate \nstandards and procedures also means increased privacy.\n    Ms. McGuire, you testified that security is portrayed as \nbeing in conflict with or somehow undermining privacy; in the \ndigital world, nothing could be further from the truth.\n    Ms. Pearson, you discussed a little bit where there may be \nsome sort of conflicts, but at the same time, there are some \nsteps being taken. You talked about FIPPs.\n    Maybe that is a good place to start. I would like your \ngeneral observations, each in order, about what you believe are \nthe important steps that are being taken to create the privacy \nprotections while we enable information to be shared and maybe \nspecifically what FIPPs is and how that enhances this ability. \nMs. Pearson or others, if you have an area in which you find \nyou say ``but,'' don't hesitate to tell us what the \n``but'' is.\n    Ms. Callahan, I will recognize you.\n    Ms. McGuire, Ms. Pearson, in order.\n    Ms. Callahan. Thank you very much, sir.\n    My testimony with regard to increased cybersecurity can \nenhance increased privacy goes to the FIPP of security because \nthe information has to be kept secure; it has to be kept \ncontained. Ms. McGuire testified about 93 million exposed \nidentities, and those people did not have the FIPPs to protect \nthem in that circumstance. But what is important is the \nparenthetical that you read of mine, which is, you have to have \nthe appropriate standards, procedures, and safeguards within \nthat in order to protect that information.\n    Mr. Meehan. Can you take one moment and tell me 93,000 \npeople----\n    Ms. Callahan. Ninety-three million identities.\n    Mr. Meehan [continuing]. Did not have the FIPPs. Would you \nexplain what you mean by that?\n    Ms. Callahan. It is Ms. McGuire's number, but I think it \ninvolves data breaches, ma'am.\n    Ms. McGuire. 
The number was 93 million identities that were \nlost or stolen in 2012, and that could be through any number. \nIt could be cyber attacks, laptops stolen, et cetera.\n    Mr. Meehan. Okay.\n    Ms. Callahan. So the concept of unauthorized access, \nwhether we are talking about it as a laptop or a device, as Ms. \nPearson talked about, or an actual cyber attack, where an \norganized cyber criminal is taking the information. In that \ncircumstance, not all FIPPs prevent. That is my point about \nsecurity as an important element to the protection of privacy, \nbecause if you can't keep the information secure, then you \ncan't have privacy, but you can enhance it if indeed you have \nthe proper safeguarding.\n    Mr. Meehan. So, in other words, even though the Government \nmay not be getting that information for 94 million people, it \nis already out there in not only the private sector but out \nthere in the world of criminality and otherwise.\n    Ms. Callahan. That is correct. It could be as much as that. \nThat we need to mitigate that and address that going forward.\n    Mr. Meehan. Ms. McGuire.\n    Ms. McGuire. So I think it might be useful for me to take a \nlittle bit about Symantec's sort-of, our privacy principles, \nand we have three of those: First, that we believe that \ncustomers should be empowered to decide how their personal \ninformation is used and informed what, if anything, will be \ndone with it; and second, that privacy protections must be \nintegrated into the development of products and services and \nnot added as an after-thought; and finally, that we all need to \nbe proactive in protecting our own privacy, and absent strong \nsecurity, as I said before, information is vulnerable. We take \na number of steps as a company to secure the privacy, the PII \ninformation of our customers and our partners and those are \ntied directly to the FIPPs, as Ms. 
Callahan discussed, as well \nas a number of internal policies, privacy policies, and privacy \nimpact tools that we use across our company. So I think it has \nto be a multi-pronged approach, both with informing customers \nas well as developing your own internal policies and practices \nto safeguard that personally identifiable information.\n    Mr. Meehan. Where do you come down on the industries \ndeveloping personal policies, but where does the Government \ncome in on creating policies that the industry needs to adhere \nto?\n    Ms. McGuire. Well, I think that, as Ms. Pearson talked \nabout, this notion of voluntary or codes of conduct that have \nbeen developed over time, the adoption of those can be quite \nuseful, as well as internationally developed standards that \nmany times those codes of conduct form the basis for as it \nmoves through the standard development process.\n    Mr. Meehan. I am worried about the changing nature of the \nthreat and whether or not we will be able to create consistent, \nsort-of, this is today's standard, it may be less relevant \ntomorrow if there are new technologies or new ways to get \naround it.\n    Ms. McGuire. Well, I think you raise a very, very important \npoint, and that is standards need to be flexible enough so \nthat, as time evolves, the nature of the threat evolves, that \nthey can evolve--the standard can evolve as well. Sometimes if \nthey are written too tightly, they will constrict the ability \nto respond and deal with the next level of threat as it \nevolves.\n    Mr. Meehan. Thank you.\n    Ms. Pearson, my time is up, but your time is still ticking \nto answer and be responsive to any of the issues that were \nraised.\n    Ms. Pearson. What I will say is that the Fair Information \nPractice Principles were developed in the United States over 30 \nyears ago, and they are still as good today as they were back \nthen. So that shows the power of having principles that can \nguide our behaviors. 
When it comes to identifying what kind of \ninformation you collect, if you are a business trying to \nprotect your assets and your people and then share, there are \nsome really foundational questions, which is: What am I doing, \nwhat am I collecting, do I really need to collect it? The \nanswer may be, no, or the answer may be I do collect a lot of \ninformation so that I can identify patterns, so I can see \nabhorrent uses, so I can secure my networks. Once you decide on \nkind of a principle level, what are you collecting, the \nquestion then becomes: What do you need to share it, what \nexactly do you need to share? From my own experience and \npersonal experience with my clients, I know that the vast \nmajority of the information involved in addressing cyber \nthreats has nothing to do with individuals. It is IP addresses. \nIt is the signatures. It is very technical information. So when \nit comes time to share that information, that really is not a \nprivacy-related concern. Where there might be information that \nrelates to individuals, then the question becomes: Do you need \nto share it? How important is it to the mission involved or to \nthe goal? Are there abilities to strip or share or amass or \nprotect that information? That is really the question.\n    Operationally speaking, I see companies more and more being \nable to do that. I see innovation in the marketplace, American \ninnovation on the part of the companies, like Ms. McGuire's and \nothers, coming up the curve to help deal with that particular \nprivacy issue and help address technical or operational or \nmarket measures. That is what I see.\n    Then, finally, as you deal with industry-to-Government, the \nquestion I think that you are all in an excellent place to \naddress is: What will Government do with it? 
What will happen \nto it, and what kind of assurances back and forth are in place \nto make predictable to the American people and to business what \nhappens to that information, including protecting its \nconfidentiality for privacy purposes as well as business \nconfidentiality purposes?\n    Mr. Meehan. Thank you.\n    My time has expired, and now, at the suggestion of the \nRanking Member, we are going to go out of order and recognize \nthe gentleman from Nevada, Mr. Horsford, for questioning.\n    Mr. Horsford. Thank you very much, Mr. Chairman.\n    Thank you to the Ranking Member, I appreciate the courtesy \nto our witnesses, and thank you for being here.\n    Just briefly, obviously, this is an important National \nsecurity issue, and the need for qualified cybersecurity \nexperts has grown at the same time. Everyone from our President \nto the GAO has said that we have to address this as a serious \neconomic challenge, both in the public and private sectors.\n    Now it appears that our ability to meet the cybersecurity \nworkforce needs of the Nation are not fully understood or fully \nquantified. Would you recommend that the Federal Government \nwork with the private sector as well as training and \neducational institutions to address the problem of kind of the \nworkforce areas of cybersecurity? If so, how?\n    Ms. McGuire. So, really important this issue of workforce \ndevelopment and education and training for the future \ncybersecurity experts and workers of the future. Today, we have \na number of public-private partnerships between industry and \nGovernment that have been quite effective. 
Unfortunately, they \nare not effective enough because the demand is so high for \nthese types of high-skilled employees in the future, but things \nlike the National Cybersecurity Alliance, the National \nInitiative for Cyber Education, that DHS and NIST and the \nDepartment of Defense and Commerce are leading, those are the \nkinds of efforts, as well as National Science Foundation's, \nCyber Corps to train up that next generation.\n    We need more of those kinds of programs, frankly, in order \nto meet the challenge of this deficit. It really is a deficit \nthat we have. I can tell you today, as a company, we have more \nthan a thousand openings, a thousand job openings, for high-\nskilled engineers, and we could go across any number of high-\ntech companies as well as manufacturing and other industries, \nwho cannot meet the challenge today. That really is impacting \nour country's economics moving forward.\n    Ms. Callahan. I would note briefly the Secretary and Deputy \nSecretary have testified before this committee asking for such \nflexibility, and these initiatives that Ms. McGuire spoke about \nare helpful, but I think that we need to do more to really help \nbuttress the cybersecurity options.\n    Ms. Pearson. One thought on privacy aspects here, as I have \nworked with cybersecurity professionals, the best ones have \ntaken training and have an enormous degree of sensitivity to \nthe importance of privacy as they work on defending against \nattacks and also safeguarding information. So an element of \ncybersecurity curricula ought to be, and I believe it is in \nmost of these programs, an element of data protection or \nprivacy training as well.\n    Mr. Horsford. 
So gathering all of these, like you said, \ninitiatives and public-private partnerships to know what is out \nthere and what is working and where the gaps might be, steps \nthis committee could take to move some ideas forward.\n    Let me also ask, as I said, cyber threats are both in the \nprivate and public sector. I am from Nevada, and we have a \nlarge number of facilities critical to National security. The \nNevada National Test Site is in my district, for example, and \nis a critical component to National security efforts. \nObviously, do you agree that we need to do everything we can to \nprotect these facilities?\n    Ms. Callahan. Yes, absolutely.\n    Ms. McGuire. Yes.\n    Mr. Horsford. So my follow-up question is: In this \nbudgetary environment, does the protection from cyber threats \nagainst our National security facilities need to be a budget \npriority?\n    Ms. McGuire. We have stated during this uncomfortable \nperiod of sequestration and some of the cuts that are going on, \nthat cybersecurity issues should be at the forefront and a \npriority to not be taking the scalpel to at this point in time. \nI think you can look at any number of reports, whether they are \nour report or others, as well as reports coming out of various \nagencies, that this is not the time to be putting our critical \ninfrastructure, our National security apparatus at risk.\n    Mr. Horsford. Thank you very much, Mr. Chairman.\n    Thank you to the Ranking Member, again, for the courtesy.\n    Mr. Meehan. I thank the gentleman for taking the time to \njoin us today. I know he had conflicts in his schedule. 
It is \ndeeply appreciated.\n    Also, for the record, I think we all share the genuine \nappreciation to assure the adequate funding for this very, very \nimportant area, although this is one of the areas, actually the \nbudget was plussed up in this area, which was, in this day, a \nvictory, where staying even is the new staying ahead; that was \na good result.\n    At this moment, the Chairman now recognizes the gentleman \nfrom Montana, Mr. Daines.\n    Mr. Daines. Thank you, Mr. Chairman.\n    I was--my last 12 years in the private sector before I came \nto Congress here in January was actually the cloud computing \ncompany that we took public in global operations. So we were \nvery much in the midst of denial-of-service attacks and I guess \nliving in the world you all live in every day.\n    We had a case one time where the Federal Government came \nasking for customer data regarding a threat to our National \nsecurity; in fact, it was the Secret Service that approached \nus, and we refused to give the information up, saying this was \ncustomers' data; it was not our data, ultimately. The Secret \nService moves quickly, and a subpoena came about 2 hours later, \nand then we had a process where we could hand the data over to \ninvestigate the situation.\n    What do you think is the minimum amount of data, talking \nabout the balance of privacy and protecting our country and \nindustry from cyber attacks, what is the minimum amount of data \nthat you think we need to adequately trace back a cyber attack? \nI would love to get opinions on that.\n    Ms. McGuire. So I think there is often a lot of questions \naround IP addresses and whether or not that is considered PII \nor not. In our view, IP addresses are really a pointer back to \na specific threat, and they need to be aggregated with other \ninformation in order to actually resolve back to an individual. 
\nSo, at the face value, because we get this question a lot, are \nIP addresses PII, and there is a little bit of a gray area \nthere; sometimes they can be, but generally they are not. So I \nthink this goes to the crux of the broader issue around \nattribution and the difficulty we have with attribution today \nbecause IP addresses are not generally static; they are \nconstantly changing. So to your question around what is or \nisn't, it is not always clear, but I think if you have the \nproper standards and practices and policies in place to make \nsure that privacy or PII information and privacy is protected, \nthat you are on the right side of the issue.\n    Ms. Callahan. I would add, for the Department of Homeland \nSecurity, when I was there, the way they would address it is \nthat there were these signatures or indicators that may or may \nnot contain what could be personally identifiable information. \nMs. McGuire mentioned IP address. There also may be other \nindications that could be personally identifiable information. \nSo what the Department has done, due to its standard operating \nprocedures, is to look at that and see whether or not that \npersonally identifiable information needs to be shared or \ninformation that could be personally identifiable needs to be \nshared as part of the signature or indicator. If it does, then \nit has to be approved by a supervisor to make sure that it \nindeed is consistent with the SOP. So if it is necessary, that \ninformation will be shared, but you have to analyze it to make \nsure that it is not just being shared because it is easier.\n    Mr. Daines. Ms. Pearson.\n    Ms. Pearson. I agree with my colleagues. Most of the time, \npiecing together what happened or what is the source does not \nreally require access to personally identifiable information, \nbut sometimes it does. It is a little bit like detective work. 
\nI think you can avoid that kind of data to some degree, but \nsometimes, it is just embedded in systems. It is embedded in \nthe kind of thinking you have to do. It is not just the digital \ndetective work; sometimes you have to think about, for example, \nwas somebody trying to--and this is an amalgam of client \nexperiences I have had--is somebody trying to get at a system \nusing a mix of physical as well as digital measures? So then \nthe question becomes: Well, who had access, physically who had \naccess? That is the kind of information that might be collected \nand might conceivably be shared with law enforcement because \nfundamentally most of this kind of activity we are talking \nabout is against the law.\n    Mr. Daines. Right. Let me ask you this, Wayne Gretzky made \nthe famous comment, ``skate to where the puck is going.'' In \nthis very dynamic and world of innovation and break fix, and \nthings change within minutes and hours; you talked a bit about \ntechnology that could be used to minimize data as it is coming \nin as it is relates to privacy. Where do you see that headed \nas--of course, we have had a lot of concerns from our \nconstituents about the whole privacy issue, but where do you \nthink this is all headed here when you make advancements in \ntechnology that can cost-effectively minimize data, still \nallows us to investigate but yet protects the privacy of our \nconstituents?\n    Ms. Pearson. 
My own view is that the market speaks, and as \nthe market looks for solutions like this, that protected \nsecurity by either requesting or rewarding the ability to \nmanage in mass data, then these solutions are technically \nfeasible and have already been invented, frankly, and it is a \nmatter of commercializing them, doing what you did, taking it \nto the market.\n    One thing to note, in my view also, is that we are here \ntalking about homeland security issues, cybersecurity issues as \nit relates to that aspect, but there are so many other reasons \nthat companies need to keep information secure and \nconfidential. There are other sources of legal obligation. \nThere are other sources of reputational issues.\n    Mr. Daines. The forces of competition.\n    Ms. Pearson. The forces of competition are absolutely \nthere, and the innovations available to embed, whether it is \ncloud computing or in new ways of segmenting information on \ndevices that we all carry and use these days, are available or \nare coming. It is a matter, I think, of pooling them.\n    Mr. Daines. I know my time is up. I would love to have Ms. \nMcGuire answer that if I could, Mr. Chairman.\n    Mr. Meehan. The Chairman would allow Ms. McGuire to share \nher instincts on this.\n    Ms. McGuire. Thank you. I think there are--there is a lot \nof work being done in this area as far as innovation with \nmoving to machine, really machine-to-machine readable data, so \nthat people don't even get into the middle of this. It is about \nreally identifying at the front end when the data is coming in \nwhat would be considered PII so that maybe a human never \nactually even looks at it. So I think that is certainly a \ndirection that we need to go in when we are talking about this \nkind of information sharing for cybersecurity protection. That \nis, I think, is a major innovation the industry is moving \ntowards today.\n    Mr. Daines. Thank you.\n    Mr. Meehan. Thank you, Mr. 
Daines.\n    The Chairman now recognizes the Ranking Member, the \ngentlelady, Ms. Clarke.\n    Ms. Clarke. Thank you very much, Mr. Chairman.\n    I thank the panelists once again for bringing their \nexpertise to bear on this very timely issue. There are two \ncentral privacy concerns when we talk about private-sector \ncollaboration with the Government to stop cyber attacks, are \nover what information gets sent and who in the Government it is \nsent to. Various legislative approaches to these two questions \nhave been quite controversial and is something we in Congress \nare still struggling to get right.\n    So I want to ask the panel three questions: How much \nminimization of the information should be required from the \nprivate sector side when sharing information? Does too much \nminimization place an undue burden on companies, and where is \nthe right place in the Government for this sharing to occur?\n    Ms. Callahan. Thank you very much, Ranking Member Clarke. \nThe concept of minimization is an important tenet of the FIPPs \nand one that the DHS applied very consistently through its \nstandard operating procedures when I was there, and I believe \ncontinues to do so. With that said, how much minimization is \nappropriate, necessary from the private sector? I don't think \nthe question how much is--I think it is more to think about how \nto effectively and efficiently implement it, rather than \nputting the burden on the private sector to go through all \nthese laborious steps, but if they address it, either through \nmachine-to-machine readable that Ms. McGuire spoke about, or \nthrough other standard policies and procedures, like the \nDepartment has been implementing, which is kind of now like \nmuscle memory in terms of how to implement it, I think it can \nbe an effective tool in order to share timely information on \nthreats without unduly burdening privacy.\n    Ms. McGuire. 
From our perspective, we think that reasonable \nminimization standards or practices as are outlined in the \nFIPPs is appropriate and is not an undue burden for industry. \nAt least from our perspective, we do that today.\n    As far as your question about where should the information-\nsharing relationship reside within the Government today, our \nview is that it should reside with the civilian agency and for \na couple of reasons. One is, we believe that it sends the right \nmessage to our citizens and to other governments. We have a \nlong tradition of--in this country of being a civilian-led \ngovernment, and we also believe that the civilian agencies \ntoday have a framework in place to work with the private \nindustry.\n    If you look at the level of investment over the last 10 \nyears, that industry as well as Government has put into the \npublic/private partnerships, for example, that DHS today is the \nfocal point and lead for with the participation of the rest of \nthe associated agencies as well as the Department of Defense, \nwe believe that we should build on that foundation and not, you \nknow, spend another 10 years trying to create something that, \nwhile we need improvements, we can utilize and build on today.\n    Ms. Pearson. Let me add my perspective on this. In terms of \ndata minimization, one thing to note would be that, by far, the \nmajority, if not every single organization, the private sector \nthat I have seen, no one is eager to open the door and hand \nover information to Government unless there is process of some \nsort, some rules around it. The gentleman spoke about a \nsubpoena or some kind of legal structure, and I think the \nminimization of information to be handed over or to be shared \nor to be allowed to access to, a lot of that motivation is \nthere already. 
So in terms of standards, I think educating and \nputting that thought process into, for example, the new NIST \ncybersecurity framework so that it is put in there as other \nelements are put in as a voluntary framework that we all know \nwill be quite influential, I think, is very important to send a \nsignal and the expectation there.\n    Certain businesses and organizations in the private sector \nhave more sophistication than others, and so I think as well \nfor smaller and medium-sized businesses, particularly that \nthought process and the technology of how to do that, I think, \nwill be perhaps more challenging than other large \norganizations, so that is an open issue that I don't have a \nsolution for at this moment, but again, you know, I would point \nto it.\n    Then, finally, in terms of the right place or the central \nlocation, I guess my observation would be that in the last \nnumber of years that I have been working in this area, that \nthere has been a collaboration among agencies as everyone has \nsorted through who has expertise, how do you go about doing \nthis, how do you work with the private sector, and that \ncollaboration today, while imperfect, no doubt, has been \neffective and has shown a regard for the mission and the \nobjective over a regard for individual organizational dynamics, \nand that, I think, is the most important element to continue.\n    I share Ms. McGuire's general view of the importance of \ncivilian-led engagement, but I also am cognizant of the fact \nthat there have been collaborations that have been very \neffective and worthwhile that have been handled primarily \nthrough the military more or military agencies.\n    Ms. Clarke. Very well. Thank you very much.\n    I yield back, Mr. Chairman.\n    Mr. Meehan. I thank the gentlelady.\n    The Chairman now recognizes the gentleman, the former \nprosecutor for Massachusetts, Mr. Keating.\n    Mr. Keating. Thank you, Mr. 
Chairman, Ranking Member.\n    I just had a question. There has been a lot of discussion \nabout the private-sector involvement, the Governmental \ninvolvement. To what extent are universities and colleges \ninvolved in dealing with this issue, trying to seek resolution, \ntrying to do research, looking at programs? What is your \nexperience about their involvement in this and how has that \nbeen utilized by either government or the private sector? \nAnyone?\n    Ms. Callahan. I guess I will start. So, there is a great \ndeal of research going on with cybersecurity and cybersecurity \nprotections. There is also a lot of integration among the \ndifferent colleges to help protect it. In addition, as you \nnote, sir, the colleges themselves have potentially critical \ninfrastructure information or research information that they \nwill need to protect themselves. So, from the Department's \nperspective, they have been--they were--when I was there, and I \nthink they have continued since I have left, continued to do \noutreach to try to help bolster both the cybersecurity training \nthat Ms. McGuire spoke about but also to help bolster the \nresearch involved therein.\n    Ms. Pearson. 
The additional observation I will make is that \nuniversities and colleges in our country are among the most \nprivacy-sensitive organizations, particularly because they are \nFederally statutorily mandated to protect educational records, \nand so I think from a privacy side of the cybersecurity \nequation, they would be among the institutions I would say \nwould be most sensitive to the aspects of what to do to monitor \nsystems to, you know, protect information that way.\n    They also, as a group, happen to have access to some of the \nleading-edge innovation in intellectual property in this \ncountry, and so incenting them and helping universities \nidentify their crown jewels and to encourage them to protect \nis, I think, an important attribute of what we are doing as a \nstrategy and National strategy, and you know, I think that is \nimportant.\n    Mr. Keating. I believe there is a middle ground myself that \nthey could really occupy, where they don't have a commercial \ninterest as much as some cyber, you know, some private-sector \nsides. The additional benefit of investing in universities will \naddress one of the other issues that were brought up. As we are \nusing and utilizing universities, we are going to have more \ntrained people available in the workforce, so that is a major \nside benefit of doing that, so I just----\n    Ms. McGuire. I would also just add that the academic \ninstitutions and universities have been involved in this \ninformation sharing for quite a while now with their research \nand education networking, information sharing and analysis \ncenter, the REN-ISAC as it is called. It is actually a \nconsortium of universities that share threat and other types of \ndata amongst themselves so that they can help to bolster their \nown protections, and that has been in existence for over 10 \nyears now. 
So I think it is important that we also make sure \nthat they are a part of this information-sharing partnership as \nwell moving forward.\n    Mr. Keating. You know, I do believe there is a greater \nplace for them in adopting some policies and using some of that \ninnovation and some of the models that might be there.\n    Quick question. Let's assume there is a major cyber attack, \nattack on systems, something that would have a dramatic effect \non our economy. Now, there will be a reaction to that. What \nwould be the one thing you would not want to see Government \nreact to perhaps that would be overreacting to such a major, \nmajor event, because there will be reaction when that happens, \nand there will be a suddenness if we don't move on our own \nahead of time? What would be your greatest fear that Government \nwould overreact in that kind of situation?\n    Ms. McGuire. I think there are two. One is on the \noperational real-world side, which is that--and this goes back \nto that attribution question that we talked about earlier, that \nperhaps there might be some kind of defensive posture taken \nthat is more detrimental as an outcome than the attack itself \nand perhaps targets the wrong systems or networks as part of \nthat defense.\n    The second piece is really around policy, and that is that \nwhen we--when we see big events of other types in the past, we \ncan often get a knee-jerk reaction in the development of policy \nor rules and regulations that may not, may not always be as \nconducive in the long run while they are trying to address the \nshort-term issue to our ability to protect ourselves for the \nlong term. So those are the two areas.\n    Mr. Keating. Thank you, Mr. Chairman. I yield back.\n    Mr. Meehan. Thank you, Mr. Keating.\n    The Chairman now recognizes the gentleman from Texas, Mr. \nVela. No questions at this point in time. Thank you. I am very \ngrateful for your taking the time to join us, Mr. 
Vela, and \nnotwithstanding.\n    If the--no objection, I have a few follow-up questions on \nsome issues that I would like to have you further clarify.\n    The panel has talked a number of times today about \npersonally identifiable information sort of in the context of \nother questions, but I think there is a fundamental question: \nJust what do you believe personally identifiable information \nmight be? Then, what is threat information, and how are they \ndistinguished? Are there similarities? Help me to help others \nunderstand what you think those terms mean.\n    Ms. Callahan. I guess I will go first. So, there is a kind \nof traditional definition of personally identifiable \ninformation which is associated with an individual, name, email \naddress, social security number, telephone number, and that has \ntraditionally been the definition of personally identifiable \ninformation. There has been an approach to broaden that for \ninformation that is identified or could be identified with an \nindividual, and that is the current Federal definition of \npersonally identifiable information, so you could have some \nliaison information with it.\n    In fact, the Federal Trade Commission, on a slightly \ndifferent note actually has now included IP address, MAC \naddress associated with mobile devices and other information \nthat is personally identifiable information in their rule on \nchildren's privacy. So it is kind of a little bit of a moving \ntarget.\n    With regard to Department of Homeland Security and how they \nthink about personally identifiable information in the cyber \ncontext, they look at information, including IP address, and \nthey presume that it is personal information, so this data \nminimization process I spoke about earlier with the gentleman \nfrom Montana talks about let's presume that an email address or \nan IP address is personal information, is it necessary to be \nincluded in the signature or the threat information?\n    Mr. Meehan. 
Right.\n    Ms. Callahan. It is a broad definition, and then the \nanalysis is whether or not it should be included in the threat. \nBut as my colleagues noted earlier, the vast majority of time, \neven that broad definition of personally identifiable \ninformation isn't necessary to include in the threat.\n    Mr. Meehan. Now, how about because we are watching--and I \nthink there was some testimony. I know it was in the written \ntestimony. We have seen a tremendous expansion in the number of \nmobile devices that are now being used as back doors to that, \nso is that expanding on the amount of information that may be \ngetting caught up in the net if we are starting to do more to \nlook after protecting against violations that happen on \npersonal devices?\n    Ms. McGuire. Yeah. I think there is no question that the \nproliferation of different devices and ways for us to connect \nto the internet and to move our data around creates a larger \nattack surface, if you will, and more opportunities for the bad \nguys to access our personal information. So, you know, things \nlike FIPPs and other kinds of policies to protect your private \ndata, coupled with all of the necessary security that you need \nto have on all of those devices, they have to be done, done \ntogether to ensure, at least provide a level of assurance that \nyour information and your privacy is secured.\n    Ms. Pearson. So let's take a really concrete example. Let's \nsay you are a business with a few thousand employees and you \nallow employees to use their smartphones or iPads, or you know, \ndevice and connect and do work, and let's say that somebody who \noperates your systems sees some weird behavior, and they say: \nWell, what is going on? They look to see, and it is some of the \nsource of that information, of that aberration is coming from a \nfew of the devices that are hooked up to the network. 
What is \ncollected is system information and device information to find \nout what is going on, what is the source of it. That is threat \ninformation. That is the kind of information, when you are in a \nbusiness, you are collecting.\n    The next question is: Well, do you share it with anybody? \nDo you go to one of these information-sharing collaboratives \nwith industry and then say: I have seen something; have you \nseen something? You compare notes. It is kind of like a \nNeighborhood Watch. You say, well, you know, this is kind of \nhappening in my neck of the woods, my neighborhood.\n    Most of the information--all the information in that \ncontext is not identifiable information because you are just \nsaying, well, I have got devices, and this is what I have seen. \nThe question that turns it from threat information that is non-\nPII to personal information is if you have reason to say: Oh, \nand that device belonged to X.\n    Mr. Meehan. Why would you say that, though? Is there a \ncircumstance where you would?\n    Ms. Pearson. In a situation I just painted where you are \ntrying to figure out what is going on, probably not. If there \nis reason to think that some--that whoever had that device \nneeds to be contacted to be asked questions or maybe there was \nsomething going on, perhaps then there might be, which is why I \nthink all of us in our remarks have talked about how the \nmajority of information in the cyber context is not PII, but \nsometimes it might be, and then it becomes a matter of \nsafeguarding and treating that information well.\n    That is, I think the danger of trying to overcircumscribe \nhow this stuff works because it is very--it is complex, it is \nchanging, the technology is changing, and the way to address \nthese issues today is very different from what it was even a \ncouple of years ago and it will change going forward.\n    Mr. Meehan. 
Go ahead and recognize my Ranking Member for \nsome follow-up questions as well.\n    Ms. Clarke.\n    Ms. Clarke. Thank you, Mr. Chairman.\n    You know, this is such a fascinating area that we are \nengaged with right now, and we are really just at the beginning \nof what can ultimately be a way of life for us because the \ntechnologies are ever-evolving, but I have a question about data \nbreach information, obligations, rather.\n    When a company is hacked, what is its obligation to its \ncustomers? What are its obligations to its employees and its \nshareholders? Do you think that current law is sufficient to \ncompel corporations to give their stakeholders the information \nthey need? That is one question.\n    Then I want to ask another very important question because \nthis is over time. So, over the past decade, we have witnessed \nan explosion in the usage of the internet for all aspects of \neveryday life. Networking technologies have now fully \npenetrated our civil society. Many are worried about the \nintended and unintended consequences of this. Some have talked \nabout changing expectation of privacy as a result of the \ninternet. Many people have mused that no one will be able to \nrun for President in the future due to the amount of \ninformation about us through social media, whether it is \nFacebook, LinkedIn, all of these things that reveal so much \nabout us. Do you think that these technologies are changing how \nwe think of our privacy? How do you see the internet affecting \nour conception of privacy in the future?\n    Ms. Pearson. Really simple questions. Can I start?\n    Ms. Callahan. Sure. Go ahead.\n    Ms. Pearson. I will start with the second one first. That \nis the broad question, I think, of our time for those of us who \nwork in this area daily. 
There is something--every realm, every \ntype of new technology that has some implication for the \ncollection management of information over time, starting with, \nyou know, even before the camera, but the camera is kind of a \nmodern era start of the technology cycle that has led us to \ncamera to telegraph to telephone to video, et cetera, et \ncetera, prompts this question, and we as a society search for \nthe answer, and we as an American society have come up with a \nunique blend of mechanisms, law enforcement, policies, norms to \nanswer it for ourselves as a people.\n    This current era in which we live is a very rapid \ntechnology cycle, and the rapidity of it has challenged our \nwhole concept. So while I resisted tweeting that I was coming \nin here, I will tweet on my way out, and it is, I think, the \ngeneration to come, the digital native generation will \nreflexively, I think, engage in this information sharing, to \nspeak of another kind of information-sharing activity, much \nmore normally and as regularly than we might. But I believe \nfirmly, and I think there are studies that show it academically \nthat the human psyche needs a zone of privacy, and it just \nneeds to express itself in different ways, given the parameters \nof what we are living in.\n    So I firmly believe that despite some of the rhetoric \naround here, humans have, American--you know, in our American \nsociety, but globally, some sort of psychological need for a \nzone in which to express oneself, and you know, in our country, \nI think the challenge will be to reinvent that for the coming \nera and figure out what the laws and norms are around it.\n    Ms. McGuire. I will take the first question on data breach \nfirst. Clearly, companies have a series of obligations to \ninform their customers, their employees, and their \nshareholders.\n    Today, however, we do have a patchwork of regulation around \nthat. 
I think we have 48 different State laws, and that can be \ndifficult for companies to scale to when they have experienced \nan unfortunate data breach issue. So having some commonality \naround what that reporting should be, I think, at least from \nour perspective, would be desirable.\n    On the second question around internet--the increasing use \nof internet and how it is changing and evolving our perceptions \non privacy, there is no question that I think, as Ms. Pearson \nstated, that there is a big difference between, you know, the \nover-30 generation and the under-30 generation on how we \nperceive our privacy and our own information.\n    I was part of a panel a couple of weeks ago on privacy and \nsecurity where we were discussing the changing nature of \nanonymity on the internet and the role that that will play in \nregard to future views on privacy. So I think we are starting \nto see a huge evolution, if you will, just in how we are going \nto be thinking about these issues in the future.\n    Ms. Callahan. If I could have two small points on both \nquestions. You asked about data breach obligations, and I think \nit is worthwhile to note that the patchwork of State laws that \nMs. McGuire mentioned involved a very narrow definition of \npersonally identifiable information. So it would be first and \nlast name, coupled with a sensitive identifier, such as social \nsecurity number, but there can be many cyber breaches that may \nnot reach the level of a data breach for notification.\n    Now, there is--so it is almost two different types of \nbreaches, a cybersecurity incident and a data breach incident. 
\nWith that said, there is guidance from the SEC that public \ncompanies should notify about if there has been an incident, \nbut they also should notify whether or not there is a \npossibility or some sort of problems, and I think that is worth \nnoting in terms of your shareholder question.\n    With regard to the internet, I think that the FIPPs of user \ncontrol and transparency are going to be important tenets as we \nget into this kind of ubiquitous always on-line information. \nYou should know what is happening with information and \nhow you as an individual can control it. I think that will help \ndefine privacy in the future.\n    Mr. Meehan. Well, I thank you. Let me ask one sort of \nclosing question to the extent you feel comfortable answering \nit, because obviously as we work through, this is one example, \nalthough one of the critically important issues that we are \ndealing with as we try to find a framework for legislation that \nhelps us find the very balance that we are exploring today. So, \nif you were in our shoes and you were writing the legislation, \nhow would you look to write something that accommodates the \nconcerns that we are sharing today? What would be in that \nlegislation to help, you know, limit the sharing of PII but \nstill encourage the ability for us to get the necessary threat \ninformation that we need to protect?\n    Then what kind of rules do you think we should be putting \nin place to encourage and give guidance to companies to allow \nthem to feel comfortable doing information sharing, in fact, to \nencourage it, because part of the fear is if you have outliers \nthat don't participate, as you have stated, the weakest link \nmay be the avenue in, how do we make sure that we do the most \nto protect our system?\n    So, you are the legislators and we have got to go to draft, \nwhat would be included to address those issues? I will ask you \nto move across.\n    Ms. Callahan. 
Well, thank you very much, and I am happy to \nbe a legislator. I enjoyed my time in the Executive branch, but \nI look forward to being on your side. No, just kidding.\n    If I were writing the legislation, I would want to make \nsure that this--that the FIPPs were thoroughly integrated into \nthe legislation, and we have spoken a lot about how effective \nthat is and how it is a framework, and it is very flexible, and \nI think those are important tenets to put in there. We don't \nwant to be too prescriptive, we don't want to be too specific, \nbut we want to have the framework and the concepts, and I think \ndata minimalization from the information sharing is a very \nimportant tenet.\n    With regard to the types of rules to be put in place, \nFIPPs, obviously, but I will also say that the NIST \ncybersecurity framework that is currently going on with the \nExecutive Order can be a very useful tool to help all the \nsmall- and medium-sized enterprises who are going to be sharing \ninformation as well as the large multinational ones have the \nsame kind of baseline and not try to reinvent the wheel.\n    Ms. McGuire. I largely agree with everything that Ms. \nCallahan has said, but I will just add that I think there are \none or two additional pieces. In addition to the FIPPs \ncomponents and building on the existing frameworks that we have \nin place today, those two key pieces are that civilian agency, \nas a lead, I think, are very important to ensuring that our \ncitizens feel comfortable that their personal information is \nnot somehow being used for purposes other than securing \nnetworks and systems, and also the legal liability issue for \ncompanies especially to feel comfortable to share information \nwith the Government.\n    Today we are--we have a very laborious process. 
If we want \nto share something that is not part of a contractual \narrangement that exists today, a business arrangement with \nGovernment agencies, that can take a lot of time, and \noftentimes the information becomes stale.\n    Mr. Meehan. They say in a moment where we are talking \nmicroseconds sometimes about information being relevant to \npreventing a threat.\n    Ms. McGuire. Yes. Information becomes stale very quickly, \nand so today we have to go through a series of internal privacy \nchecks as well as legal checks and antitrust checks if we want \nto share with other companies even. As you can imagine, that \ntakes a lot of time and resources when time is often of the \nessence.\n    Mr. Meehan. Thank you.\n    Ms. Pearson.\n    Ms. Pearson. I also largely agree with my colleagues. The \nadditional couple of points I would make is that as \nlegislators, the oversight function that you have the ability \nto play should not be underestimated at all and should continue \nto be exercised, particularly in this area, to make sure that \nthe agencies involved and the stakeholders involved are \ndischarging for obligations here. I think that is very \nimportant.\n    Another point to make is that certainty is important. \nCertainty is important to business, of course, and I know from \nmy service on, for example, the American Bar Association \nCybersecurity Legal Task Force, which cuts across the entire \nbar association and other fora that, as a whole, the members of \nthe bar who are counseling companies across the board, \ndifferent industries, are coming off the curb, so to speak, on \ntheir understanding how the different laws here intersect with \none another and work with another, whether it is antitrust or \nprivacy or other things, and encouraging that kind of \nmaturation, I think, for example, by holding briefings, by----\n    Mr. Meehan. 
Are you saying that they are beginning to \nunderstand the parameters and more effectively counsel their \nclients as to what they may or may not do?\n    Ms. Pearson. It is a complex--as you noted before, it is a \ncomplex area of law, and the challenge with security and \nsecuring is that it implicates so many areas of law, current \nlaw and then a lot of the law that is coming. So what I see \nhappening is more and more, you know, the defense industrial-\nbased pilot, for example, was it a fantastically successful \npilot? As involvement of industry broadens in the framework at \nNIST and the voluntary efforts, so is an additional expansion \nof individuals, particularly in the legal community who are \nstarting to understand how to put all those pieces together, \nand so that should be encouraged, in my view.\n    Mr. Meehan. Well, I think we have time constraints, so I \nwant to express my deep appreciation. I think we could go on \nwith this hearing well into the evening hours, but I need to \nrespect everybody's time, and I particularly appreciate the \nwork that each and every one of you has done, not just in the \npreparation for this hearing, but your long period of service \nin what is a vital and important area now for our Nation as we \nmove forward trying to find the right balance on this and the \nother questions that are relevant to the challenge that we \nface.\n    I don't think anybody denies or is running from the true \nnature of the very real threat that exists out there in the \ncyber world that is affecting people in so many different \ncapacities, but I also am confident in our capacity to meet the \nchallenge if we do it with enough forethought.\n    So I thank you for having very, very valuable testimony to \nthis consideration as we work together as a committee to try to \nreach the right challenge in the bills that we will propose. 
\nThere may be Members from the committee who have a question, \nand if they do and they submit it to you, I would ask that you \ndo your best to try to respond in writing, if that should \nhappen. But I thank you for your continuing work and I look \nforward to continuing dialogue as we move through on this very \nimportant issue.\n    I thank the Members of the committee. The committee now \nstands--subcommittee now stands adjourned.\n    [Whereupon, at 3:44 p.m., the subcommittee was adjourned.]\n\n</pre></body></html>\n"