[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE 
                  PRIVATE SECTOR TO PROTECT CRITICAL 
           INFRASTRUCTURE: AN ASSESSMENT OF DHS CAPABILITIES

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 16, 2013

                               __________

                           Serial No. 113-17

                               __________

       Printed for the use of the Committee on Homeland Security


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

85-613 PDF                WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC 
20402-0001





















                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Vacancy
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Jason Chaffetz, Utah                 William R. Keating, Massachusetts
Steve Daines, Montana                Filemon Vela, Texas
Scott Perry, Pennsylvania            Steven A. Horsford, Nevada
Vacancy                              Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk














                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies...................................................     1
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................    19
  Prepared Statement.............................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................     2

                               Witnesses

Ms. Roberta Stempfley, Acting Assistant Secretary, Office of 
  Cybersecurity and Communications, U.S. Department of Homeland 
  Security, Accompanied by Larry Zelvin, Director, National 
  Cybersecurity and Communications Integration Center, U.S. 
  Department of Homeland Security:
  Oral Statement.................................................     5
  Joint Prepared Statement.......................................     8
Mr. Charles K. Edwards, Acting Inspector General, U.S. Department 
  of Homeland Security:
  Oral Statement.................................................    14
  Prepared Statement.............................................    16

 
 FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE 
PRIVATE SECTOR TO PROTECT CRITICAL INFRASTRUCTURE: AN ASSESSMENT OF DHS 
                              CAPABILITIES

                              ----------                              


                         Thursday, May 16, 2013

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:05 a.m., in 
Room 311, Cannon House Office Building, Hon. Patrick Meehan 
[Chairman of the subcommittee] presiding.
    Present: Representatives Meehan, Clarke, Vela, Horsford, 
and Thompson.
    Also present: Representative Jackson Lee.
    Mr. Meehan. The Committee on Homeland Security Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security 
Technologies will come to order. The subcommittee is meeting 
today to examine the Department of Homeland Security's National 
Cyber and Communications Integration Center, better known as 
the NCCIC, and its capabilities to protect critical 
infrastructure from cyber attack.
    I would like to welcome everybody to today's hearing, which 
will give Members an opportunity to examine in-depth the work 
of the Department and Homeland Security's National 
Cybersecurity Communications and Integration Center.
    The NCCIC is one of the U.S. Government's key civilian 
interfaces with the private sector for cyber-threat information 
sharing, incident response, and protecting the U.S. critical 
infrastructure. The NCCIC is a collaborative method for Federal 
agencies, State and local governmental entities, the private 
sector, all to communicate cyber-threat information, analysis, 
and prevention methods in real time.
    The subcommittee has been crafting a body of work that will 
help establish key areas where we can improve the Department's 
critical infrastructure protection from cyber attack. We have 
examined the threat, particularly from nation states. We have 
looked at protecting U.S. citizens from civil liberty 
violations. Today we look at the threat mitigation capabilities 
at the Department of Homeland Security.
    The director of the National Intelligence, James Clapper, 
testified before Congress this year, stating that cyber is the 
No. 1 National security threat facing our country. On March 12, 
Director Clapper stated, and I quote: ``We assess that highly 
networked business practices and information technology are 
providing opportunities for foreign intelligence and security 
services, trusted insiders, hackers, and others to target and 
collect sensitive United States National security and economic 
data.''
    In addition, the director for the National Security Agency, 
General Keith Alexander, has said that cyber espionage has 
caused the ``greatest transfer of wealth in history.''
    Our Nation is in a new era and our security is no longer 
protected by oceans and borders. Indeed, American achievement 
in the 21st Century will be intricately tied to our ability to 
secure our networks, primarily our critical infrastructure 
networks.
    While our military protects our Nation from foreign 
adversaries, the security of our critical infrastructure--our 
economy, our roads and bridges, domestic energy, water and 
public utility systems--must be a collaborative effort between 
the private sector, the local, State, and Federal Government. 
We need a civilian agency to facilitate this partnership, and 
that agency is the Department of Homeland Security.
    Today's hearing will give us an opportunity to hear from 
our expert panel regarding ways the NCCIC currently brings a 
collaborative, National response to cybersecurity. Our capacity 
within the Committee on Homeland Security is to provide proper 
oversight to ensure that the NCCIC is functioning properly and 
is capable of leading in the protection of Federal agencies in 
cyberspace; it is capable of partnering with critical 
infrastructure owners and operators to share information and 
reduce risk; and providing the necessary intelligence elements 
to assure that State and local critical infrastructure 
operators are mitigating cyber threats and, I would add, 
responding appropriately in the aftermath of any kind of 
activity.
    I am looking forward to hearing from our witnesses, 
particularly in areas that will help the committee as 
legislators strengthen the Department's capabilities.
    We must examine ways to encourage increased participation 
from owners and operators of critical infrastructure, many of 
those--most of it--in the private sector. We need to ensure the 
Department is successfully disseminating threat data with other 
Federal agencies--in particularly, the Department of Justice 
and Defense. Most importantly, we must make sure that there are 
sufficient privacy protections in place to ensure that the 
Department is able to anonymize data for both personally 
identifiable information and stakeholder identifiable 
information.
    I look forward to hearing from our panel.
    The Chairman now recognizes the Ranking Member of the 
overall Committee on Homeland Security, Mr. Thompson.
    Mr. Thompson. Thank you, Mr. Chairman. Thank you for 
holding today's hearing.
    I also want to thank the witnesses for testifying here 
today.
    Over the past few years the cybersecurity mission of the 
Department of Homeland Security has undergone an unprecedented 
expansion in funding and a change in organizational structure. 
Today I look forward to hearing the testimony from some of the 
officials responsible for implementing these expanded programs 
and activities and overseeing the change in the organizational 
structure and culture.
    I also look forward to hearing about how these changes will 
assist DHS in its efforts to become, in perception and reality, 
the civilian lead for cybersecurity in the Federal sector. 
Though once in doubt, it now appears that DHS is bringing 
together the necessary elements to solidify its leadership 
role.
    In support of these efforts, last month Chairman McCaul and 
I sponsored an amendment to cyber information-sharing 
legislation, CISPA, that would establish a center within DHS as 
the Federal hub for information sharing. I hope this amendment 
sent a clear signal that any cybersecurity legislation passed 
by Congress during this session should have a strong role for 
DHS as a Federal leader in areas where Government and the 
private sector must work together to prevent cyber attacks and 
mitigate their impacts.
    Today, I want to hear more about DHS's human capital 
resources. It is my understanding that DHS, like all Federal 
agencies, is suffering from a shortage of cyber personnel.
    As DHS works to ensure its role as a Federal lead for 
domestic cybersecurity, we cannot ignore our Nation's ability 
to prepare for, respond to, and recover from advanced cyber 
threats in a forward-looking endeavor that cannot succeed 
without sufficient, qualified personnel. We cannot rely on 
other countries to develop our cyber workforce.
    While we cannot predict what cyber threats may occur, we 
can certainly be prepared and be ready. Be prepared and be 
ready is a philosophy DHS encourages the public to adopt for 
natural disasters. Yes, when the oncoming disaster may be a 
man-made cyber threat, the Department seems to have adopted a 
``let tomorrow take care of itself'' philosophy. Surely this is 
not acceptable.
    DHS must adopt a preparedness philosophy in all aspects of 
its work. In the world of cyber threats, a part of preparation 
must be capacity-building programs that include education, 
outreach, and awareness initiatives.
    This year, as hundreds of millions of dollars are poured 
into Einstein and continuous diagnostic programs, the 
administration's budget request slashed funding for National 
initiative for cybersecurity education by $4.8 million, cutting 
the program by one-third. These cuts will delay efforts to 
provide cyber outreach and education to 1.7 million high school 
students.
    We cannot continue to complain about the lack of skilled 
cybersecurity professionals in the American workforce if we are 
willing to allow DHS to cut the funding it uses to develop the 
cyber workforce. Again, let me say: We cannot rely on other 
countries to develop our cyber workforce.
    Mr. Chairman, I look forward to hearing from the witnesses 
and hope that we can work together to restore this funding and 
ensure that DHS is properly building a defense-in-depth 
strategy to protect the Nation far into the future.
    I yield back.
    Mr. Meehan. Let me thank the gentleman from Mississippi.
    Let me also let the other Members of the committee 
appreciate that opening statements may be submitted for the 
record, and we are pleased today to have a distinguished panel 
of witnesses before us on this very, very important topic.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
                              May 16, 2013
    After a significant expansion of the Department of Homeland 
Security's cybersecurity mission and programs, beginning in fiscal year 
2012, I am glad that we are finally holding a hearing to look at these 
programs in depth and to assess the progress of the Department in 
carrying out that mission.
    This is the subcommittee's third hearing on cybersecurity this 
Congress--first, we held a hearing on the threats in cyberspace to our 
critical infrastructure from state and non-state actors. Next, we 
learned about how DHS protects the privacy of our citizens in 
cyberspace.
    And with that background in place, today we will hear from the 
witnesses about whether the Department has the people, programs, and 
resources in place to successfully address the significant cyber 
threats to our critical infrastructure while protecting privacy. It is 
high time that our subcommittee takes a closer look at these programs, 
some of which did not even exist just a few years ago.
    The continuous diagnostics and EINSTEIN programs, in particular, 
have undergone rapid expansion, and I am pleased that the Department is 
fulfilling its role as the protector of the dot-gov domain, with the 
resources to match. But though these Federal network security programs 
get the majority of the funding and attention, I believe the 
Department's responsibilities for protecting critical infrastructure, 
most of which is found in the private sector, is equally important.
    For this reason, I am particularly pleased that we are joined by 
Deputy Inspector General Charles Edwards, who can discuss recent work 
done by the OIG to assess the progress that ICS-CERT has made to brand 
itself as the Cyber 9-1-1 for critical infrastructure before, during, 
and after cyber incidents.
    ICS-CERT, recently incorporated as an operational arm of the NCCIC, 
has done great work in mitigating cyber risks to critical 
infrastructure, and I look forward to learning more about this mission 
and the challenges that still remain to share information with the 
private sector quickly and efficiently.
    Finally, I want to register my concerns over the continuing drain 
of senior cybersecurity leadership at the Department, a trend that has 
gotten particularly bad in the last 6 months, with the departures of 
the assistant secretary and the deputy under secretary.
    We have been hearing about the difficulties DHS faces in attracting 
and retaining skilled junior and mid-level cyber employees for a long 
time, but what does it say about the Department's cyber organization 
when it cannot retain its senior leaders, either? Rumors are 
circulating about future replacements for these losses, and I am sure 
DHS would like to make a splash with these appointments, getting 
leaders who command respect in the information security and critical 
infrastructure worlds. But most of all, DHS needs to find leaders who 
believe in the mission and will stay on board as a steady hand on the 
wheel during this period of immense expansion and evolution of our 
cybersecurity efforts.
    As part of this process, I believe DHS needs to do some soul-
searching and identify why their senior officials have been leaving, 
and if changes need to be made to ensure future leaders will be more 
empowered to do their job, I expect that the Department will do so. I 
hope to work with the Department in this endeavor to guarantee that the 
vital cybersecurity mission gets the leadership it needs.

    Mr. Meehan. I have had the chance to visit the NCCIC and to 
see the great work that is done there, and to listen first-hand 
to the explanation of what they do, and as a result, it is a 
great privilege for us today to have the people who are at the 
front end of that.
    First, Ms. Roberta Stempfley is the acting assistant 
secretary of the Office of Cybersecurity and Communications, 
where she plays a leading role in developing the strategic 
direction of the cyber communications and security. A lot of 
the problem is you have got to figure out all of these letters 
in operating things, but it oversees five strategic divisions.
    She has previously served as the deputy assistant secretary 
for the CS&C and as the director of the National Cybersecurity 
Division. Prior her to work at the CS&C, Ms. Stempfley served 
as the chief information officer for the Defense Information 
Systems Agency, where she was responsible for supporting the 
director in decision making, strategy development, and 
communication, and management of information technology 
resources at that agency.
    Mr. Larry Zelvin is the director of the National 
Cybersecurity and Communications Integration Center, the NCCIC, 
which is housed at the Department of Homeland Security. The 
NCCIC is comprised of several components, including the U.S. 
Computer Emergency Readiness team, the National Coordination 
Center for Telecommunications, the Industrial Control Systems 
Cyber Emergency Response team, and a 24/7 operations center. 
Mr. Zelvin is a retired U.S. Navy captain and naval aviator 
with 26 years of active service.
    Mr. Charles Edwards is the deputy inspector general of the 
Department of Homeland Security. Mr. Edwards is the head of the 
Office of Inspector General, a role he first attained when 
named acting inspector general in February 2011. Mr. Edwards 
has over 20 years of experience in the Federal Government and 
has held leadership positions at several agencies, including 
the TSA, United States Postal Office, Inspector--the Office of 
the Inspector General, and the United States Postal Service.
    The witnesses' full written statements appear in the 
record, and I know that Ms. Stempfley and Mr. Zelvin have 
offered a joint statement.
    So the Chairman now recognizes Ms. Stempfley for 5 minutes 
to testify, but I do want you to make sure that you hit the 
important points you have in your testimony. So thank you, Ms. 
Stempfley. The Chairman now recognizes you for your testimony.

  STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, 
OFFICE OF CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF 
   HOMELAND SECURITY, ACCOMPANIED BY LARRY ZELVIN, DIRECTOR, 
 NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, 
              U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Stempfley. Thank you very much, Chairman Meehan, 
Ranking Member Thompson, and distinguished Members of the 
committee. I appreciate the time you have taken today and it is 
certainly our pleasure to appear before you to discuss the 
Department of Homeland Security's National Cybersecurity and 
Communications Integration Center and its role in protecting 
critical infrastructure from cyber attacks, securing our 
Federal networks, and coordinating cybersecurity information 
sharing with the private sector.
    Before I begin, I want to thank you for your leadership, 
sir--Mr. Thompson commented in his opening statement, as well--
during the recent legislation debate over the Cyber 
Intelligence Sharing and Protection Act, and especially in 
supporting the passing of that amendment designating DHS as the 
lead civil Federal entity to receive cyber threat information.
    Cybersecurity puts the confidentiality, integrity, and 
availability of critical services at risk. DHS, along with its 
Government and private-sector partners, work to counter these 
threats while supporting a cyber ecosystem that is open, 
transparent, and less vulnerable to manipulation. The NCCIC 
supports this effort by providing comprehensive and robust 
information sharing, incident response, technical assistance, 
and analysis capabilities to and with our private sector, 
Government, and international partners. While coordinating with 
these partners, our goal is to ensure that privacy, 
confidentiality, civil rights, and civil liberties are not 
diminished by our security initiatives.
    The Department's transparency and public accountability 
allow us to act as a pipeline to get cyber threat information 
in the hands of critical infrastructure owners and operators. 
We are able to share experiences and trends with law 
enforcement and intelligence communities while preventing 
malicious actors from gaining access to sensitive sources and 
methods.
    Within DHS's National Protection and Programs Directorate, 
the Office of Cybersecurity and Communications focuses on 
managing the risk to communications and information technology 
infrastructures and the sectors that depend on them. Our role 
is to enable timely response and recovery of these 
infrastructures under all circumstances.
    The Department manages and facilitates cybersecurity 
information-sharing efforts, analysis, and incident response 
activities through the NCCIC. It is a round-the-clock 
organization where Government, private-sector, and 
international partners work together towards a whole-of-Nation 
approach to address cybersecurity and communications issues at 
the operational level.
    We thank those of you who have come out for a tour and 
invite those who have yet to to do so to come and see the 
center in operation, with our private-sector partners shoulder-
to-shoulder with us in the capabilities.
    The NCCIC has experienced over the last year a 68 percent 
increase from 2011 to 2012 in incidents reported. In 2012 we 
received 190,000 cyber incidents reported to the NCCIC.
    Recently we have been working with the Departments of 
State, Justice, Treasury, and other interagency partners as 
well as our industry partners, such as the Financial Services 
Information Sharing and Analysis Center, to respond to the 
series of denial-of-service attacks against our financial 
services industry that have occurred over the past few months. 
US-CERT has worked, along with the FBI and other interagency 
partners, to provide technical data, on-site assistance, 
classified and unclassified briefings in order to help 
financial institutions and their information technology service 
providers improve their defensive capabilities.
    In addition to sharing with the private-sector entities, we 
have provided this information to over 120 international 
partners, many of whom have contributed to the mitigation 
efforts. These efforts have not only helped financial 
institutions blunt the impact of these attacks, but have helped 
the industry develop new strategies that DHS is sharing with 
other sectors of critical infrastructure should they face 
similar attacks.
    The Industrial Control Systems Computer Emergency 
Response--Cyber Emergency Response Team's mission is to reduce 
the risk to the Nation's critical infrastructure and the 
control systems that operate within it by strengthening those 
control systems. We have responded to almost 200 incidents over 
the last year with 89 on-site visits and 15 teams deployed 
jointly with the US-CERT to assist in significant private-
sector engagements.
    In March 2012, the Control Systems--the ICS-CERT identified 
a campaign of cyber intrusions targeting natural gas pipeline 
sector with spear phishing e-mails that dated back to December 
2011. Responding quickly, we immediately began an action 
campaign with the Department of Energy and other partners to 
conduct classified and unclassified briefings across the 
country providing warnings and mitigation. These entities have 
been very--have benefitted from this rapid information sharing.
    The third entity in the NCCIC is the National Coordination 
Center for Telecommunications. It leads and coordinates 
initiation, restoration, and reconstitution of National 
security emergency preparedness telecommunication services 
under all conditions.
    It has recently collaborated with industry in response to 
Hurricane Sandy, which enhanced wireless coverage to emergency 
responders providing emergency services to the 33,400 citizens 
in Long Beach, New York, the 1.4 million citizens in Nassau 
County, and the 130,000 citizens in faraway Queens. Their 
effort supported the recovery of communications to the U.S. 
financial sector by coordinating fuel and power restoration to 
key facilities in New York City, ensuring no impact to 
international financial trading.
    The Department's efforts to protect critical infrastructure 
are enhanced by the recently-issued cybersecurity Executive 
Order and Presidential Policy Directive on critical 
infrastructure security and resilience. Both of these documents 
improve the NCCIC's ability to execute its mission in support 
of the private sector by strengthening and securing the 
resilience of critical infrastructure, increasing the role of 
cybersecurity and securing physical assets, and expanding the 
coordination and information sharing with critical 
infrastructure partners.
    The Executive Order also supports DHS's strong privacy and 
civil liberty goals by reinforcing those protections and their 
incorporation in every aspect of our cybersecurity efforts. The 
Department believes, however, that the comprehensive suite of 
cybersecurity legislation is still an essential to improving 
the Nation's cybersecurity and we are pleased that the 
administration will continue to work with Congress to achieve 
this.
    Thank you so much for your support and continued attention 
to this critical issue, and I look forward to your questions.
    [The joint prepared statement of Ms. Stempfley and Mr. 
Zelvin follows:]
   Joint Prepared Statement of Roberta Stempfley and Lawrence Zelvin
                              May 16, 2013
                              introduction
    Chairman Meehan, Ranking Member Clarke, and distinguished Members 
of the committee, it is a pleasure to appear before you today to 
discuss the Department of Homeland Security's (DHS) National 
Cybersecurity and Communications Integration Center (NCCIC). 
Specifically, I will discuss the NCCIC's role, responsibilities, and 
future planning to protect our Nation's critical infrastructure from 
cyber attacks, secure Federal networks, and coordinate private-sector 
cyber-threat information sharing.
    Before I begin, I would like to thank the committee for its 
leadership during the recent legislative debate over the Cyber 
Intelligence Sharing and Protection Act, especially in support of 
passing an amendment to designate DHS as the lead civilian Federal 
entity to receive cyber threat information. Cybersecurity threats put 
the confidentiality, integrity, and availability of critical services 
at risk. DHS, along with its Government and private-sector partners, 
works to counter these threats while supporting a cyber ecosystem that 
is open, transparent, and less vulnerable to manipulation. The NCCIC 
supports this effort by providing comprehensive and robust information 
sharing, incident response, technical assistance, and analysis 
capabilities to private-sector, Government, and international partners.
                        current threat landscape
    Cyberspace is woven into the fabric of our daily lives. According 
to recent estimates, this global network of networks encompasses more 
than 2 billion people with at least 12 billion computers and devices, 
including global positioning systems, mobile phones, satellites, data 
routers, ordinary desktop computers, and industrial control computers 
that run power plants, water systems, and more. While this increased 
connectivity has led to significant transformations and advances across 
our country--and around the world--it also has increased the importance 
and complexity of our shared risk. Our daily life, economic vitality, 
and National security depend on cyberspace. A vast array of 
interdependent IT networks, systems, services, and resources are 
critical to communicating, traveling, powering our homes, running our 
economy, and obtaining Government services. No country, industry, 
community, or individual is immune to cyber risks.
    The United States confronts a dangerous combination of known and 
unknown vulnerabilities in cyberspace and strong and rapidly expanding 
adversary capabilities. Cyber crime also has increased significantly 
over the last decade. Sensitive information is routinely stolen from 
private-sector and Government networks, undermining the integrity of 
the data contained within these systems. The Department currently sees 
malicious cyber activity from foreign nations and non-state actors 
engaged in intellectual property theft and information operations, 
terrorists, organized crime, and insiders. Their methods range from 
distributed denial of service (DDoS) attacks and social engineering to 
viruses and other malware introduced through remote access, thumb 
drives, supply chain exploitation, and leveraging trusted insiders' 
access.
    The Department has seen motivations for attacks vary from 
intellectual property theft to criminals seeking financial gain and 
hackers who may seek bragging rights in the hacker community. 
Industrial control systems also are targeted by a variety of malicious 
actors who may have intentions to damage equipment and facilities or 
steal data. Foreign actors also are targeting intellectual property 
with the goal of stealing trade secrets or other sensitive corporate 
data from U.S. companies in order to gain an unfair competitive 
advantage in the global market.
    Successful response to dynamic cyber threats requires leveraging 
homeland security, law enforcement, and military authorities and 
capabilities, which respectively provide for domestic preparedness, 
criminal deterrence and investigation, and National defense. DHS, the 
Department of Justice (DOJ), and the Department of Defense (DOD) each 
play a key role in responding to cybersecurity incidents that pose a 
risk to the United States. To achieve a whole-of-Government response, 
DHS, DOJ, and DOD coordinate continuously to effectively respond to 
specific incidents. While each agency operates within the parameters of 
its authorities, the U.S. Government's response to cyber incidents of 
consequence is coordinated among these three agencies such that ``a 
call to one is a call to all.''
                     nccic's cybersecurity mission
    DHS coordinates the overall Federal effort to promote the security 
and resilience of the Nation's critical infrastructure by ensuring 
maximum coordination and partnership with the private sector while 
ensuring that privacy, confidentiality, and civil rights and civil 
liberties are not diminished by its security initiatives. Accordingly, 
the Department has implemented rigorous privacy and civil rights and 
civil liberties standards, which apply to all of its cybersecurity 
programs and initiatives. In order to protect privacy while 
safeguarding and securing cyberspace, DHS institutes layered privacy 
responsibilities throughout the Department, embeds fair information 
practice principles into cybersecurity programs and privacy compliance 
efforts, and fosters collaboration with cybersecurity partners.
    Within DHS's National Protection and Programs Directorate (NPPD), 
the Office of Cybersecurity and Communications (CS&C) focuses on 
managing risk to the communications and information technology 
infrastructures and the sectors that depend upon them, as well as 
enabling timely response and recovery of these infrastructures under 
all circumstances. CS&C executes its mission by supporting 247 
information sharing, analysis, and incident response; facilitating 
interoperable emergency communications; advancing technology solutions 
for private and public-sector partners; providing tools and 
capabilities to ensure the security of Federal civilian executive 
branch networks; and engaging in strategic-level coordination for the 
Department with private-sector organizations on cybersecurity and 
communications issues.
    To better manage and facilitate cybersecurity information-sharing 
efforts, analysis, and incident response activities, the Department 
established the NCCIC, a round-the-clock information sharing, analysis, 
and incident response center where Government, private-sector, and 
international partners all work together. The NCCIC is comprised of 
four branches: The United States Computer Emergency Readiness Team (US-
CERT), the Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT), the National Coordinating Center for Telecommunications 
(NCC), and Operations Integration (O&I). As mutually-supporting and 
integrated elements of the NCCIC, these branches provide the unique 
authorities, capabilities, and partnerships needed to drive a whole-of-
Nation approach to addressing cybersecurity and communications issues 
at the operational level.
   US-CERT provides advanced information sharing, incident 
        response, and analysis expertise for malicious cyber activity 
        targeting private-sector and Government networks. US-CERT's 
        global partnerships allow it to work directly with analysts 
        from across multiple sectors and international borders to 
        develop a comprehensive picture of malicious activity and 
        mitigation options. US-CERT's mission focuses specifically on 
        computer network defense, and it is able to apply its full 
        resources to supporting prevention, protection, mitigation, 
        response, and recovery efforts.
   ICS-CERT reduces risk to the Nation's critical 
        infrastructure by strengthening the cybersecurity of systems 
        that operate our Nation's critical infrastructure. It carries 
        out this mission by performing incident response to support 
        asset owners with discovery, analysis, and recovery efforts as 
        well as providing situational awareness through training, 
        alerts, and advisories to warn of cyber-based threats and 
        vulnerabilities affecting critical infrastructure assets. In 
        addition, ICS-CERT conducts assessments and technical analysis 
        of malware, digital media, system vulnerabilities, and emerging 
        exploits and partners with the control systems community to 
        coordinate risk management activities.
   NCC leads and coordinates the initiation, restoration, and 
        reconstitution of the National Security/Emergency Preparedness 
        (NS/EP) telecommunications services or facilities during any 
        human-caused or natural event where physical communications 
        infrastructure is damaged or vulnerable. NCC leverages 
        partnerships across Government, industry, and international 
        partners to gain situational awareness and determine priorities 
        for protection and response. NCC's presence in the NCCIC allows 
        DHS to synchronize operational processes supporting both the 
        physical and the virtual components of our Nation's information 
        and communications technology infrastructure.
   O&I applies planning, coordination, and integration 
        capabilities to synchronize analysis, information sharing, and 
        incident response efforts, ensuring effective synchronization 
        across the NCCIC.
                            strategic goals
    The NCCIC works to proactively analyze cybersecurity and 
communications threats and vulnerabilities and coordinate their 
findings with partners to manage risks to critical systems; create 
shared situational awareness among public-sector, private-sector, and 
international partners by collaboratively developing and sharing timely 
and actionable cybersecurity and communications information; and 
rapidly respond to routine and significant cybersecurity and 
communications incidents and events to mitigate harmful activity, 
manage crisis situations, support recovery efforts, and assure NS/EP.
    To accomplish its strategic goals, NCCIC relies on the voluntary 
coordination, collaboration, capabilities, and resources of its 
partners. The center works closely with those Federal agencies most 
responsible for securing the Government's cyber and communications 
systems, including the Departments of Treasury and Energy. The NCCIC 
also actively engages with the appropriate private-sector entities, 
information-sharing and analysis centers, State, local, Tribal, and 
territorial governments, and international partners. As integral parts 
of the cyberspace and communications community, these groups work 
together to protect the portions of critical information technology 
that they interact with, operate, manage, or own. These groups of 
stakeholders represent natural communities of practice providing the 
foundation for effective information sharing and response.
Threat Analysis
    NCCIC collaborates with private-sector, Government, and 
international partners to identify, research, and verify suspicious, 
malicious, or potentially harmful cybersecurity and communications 
activity, events, or incidents. For example, US-CERT operates NCCIC's 
Advanced Malware Analysis Center, which receives malware samples and 
other potentially malicious files from around the world. The Advanced 
Malware Analysis Center analyzes those files, shares that analysis 
broadly to alert partners to malicious activity, and provides them with 
actionable indicators and recommendations to improve their ability to 
protect themselves.
    By understanding the nature of attacks, vulnerabilities, and risks, 
NCCIC is able to determine possible impacts, set priorities, and 
proactively develop and share effective mitigation strategies. NCCIC 
strives to anticipate potentially harmful activity and provide 
actionable alert and warning information to partners before they are 
impacted. NCCIC's analysis efforts, whether focused on a new piece of 
malware or a tropical storm with the potential to damage critical 
communications systems, contribute directly to its information sharing, 
response, and protection and prevention capabilities.
Situational Awareness
    The success of the NCCIC's mission is heavily reliant on its 
ability to establish shared situational awareness of potentially 
harmful activity, events, or incidents across multiple constituencies 
to improve the ability of diverse and distributed partners to protect 
themselves. To do this, NCCIC integrates analysis and data received 
through its own analysis, intelligence community and law enforcement 
reporting, and data shared by private-sector and international partners 
into a comprehensive series of actionable information products, which 
are shared with partners in easy-to-digest machine-readable formats.
    Multidirectional sharing of alerts, warnings, analysis products, 
and mitigation recommendations among Federal, State, local, Tribal, and 
territorial governments, private sector, including information sharing 
and analysis centers, and international partners is a key element of 
NCCIC's cyber and communications protection and prevention framework. 
The NCCIC continuously works with a broad range of partners to explore 
and innovate new ways to enhance information sharing and move closer to 
network speed communications.
Rapid Response
    The NCCIC applies the collective capabilities of its partners and 
constituents to identify, prioritize, and escalate confirmed 
cybersecurity incidents in order to minimize impacts to critical 
information infrastructure. To ensure a 247 capability, NCCIC 
maintains cross-functional incident response teams, which draw from the 
capabilities of NCCIC's branches, along with expertise from elsewhere 
in DHS such as the United States Secret Service (USSS) and Immigration 
and Customs Enforcement (ICE). Working under a voluntary request for 
technical assistance, these incident response teams analyze malware, 
review network logs, and assess security posture to identify possible 
malicious activity, its impacts, as well as mitigation and recovery 
options.
    Recognizing the possibility of a cyber incident with physical 
impacts or a physical incident with cyber implications, NCCIC works 
increasingly closely with NPPD's National Infrastructure Coordinating 
Center (NICC). This collaboration, directed by Presidential Policy 
Directive 21 (PPD-21), helps to ensure strong synchronization between 
DHS's infrastructure protection efforts in both the cyber and physical 
realms. In addition, the NCCIC assists in the initiation, coordination, 
restoration, and reconstitution of the NS/EP telecommunications 
services or facilities under all conditions, crises, or emergencies 
including executing Emergency Support Function 2--Communications 
responsibilities under the National Response Framework.
    These efforts provide a whole-of-Nation approach to incident 
response, efficiently and effectively leveraging capabilities from 
across DHS's partner base while implementing key policies.
                   protecting critical infrastructure
    Protecting critical infrastructure against growing and evolving 
cyber threats requires a layered approach. DHS actively collaborates 
with public and private-sector partners every day to improve the 
security and resilience of critical infrastructure while responding to 
and mitigating the impacts of attempted disruptions to the Nation's 
critical cyber and communications networks and to reduce adverse 
impacts on critical network systems.
    DHS coordinates the National protection, prevention, mitigation, 
and recovery from cyber incidents and works regularly with business 
owners and operators to take steps to strengthen their facilities and 
communities, and through collaboration between the NCCIC and the NICC, 
integrates efforts across the physical and cyber domains. The 
Department also conducts on-site risk assessments of critical 
infrastructure and shares risk and threat information with State, 
local, and private-sector partners. NCCIC enhances situational 
awareness among stakeholders, including those at the State and local 
level, as well as industrial control system owners and operators, by 
providing critical cyber threat, vulnerability, and mitigation data. 
These efforts provide unique value to private-sector partners by 
integrating data from companies and industries that might not normally 
communicate.
    In 2011, DHS launched the Cyber Information Sharing and 
Collaboration Program (CISCP), which is specifically designed to 
elevate the cyber awareness of all critical infrastructure sectors 
through close and timely cyber threat information sharing and direct 
analytical exchange. Through the CISCP, participating private-sector 
partners are able to share data directly with Government. When 
requested, these datasets are covered by the Protected Critical 
Infrastructure Information (PCII) program, which protects the name of 
the company that shared the information from disclosure through Freedom 
of Information Act requests, regulatory processes, civil litigation, 
and other sunshine law requirements. Submitted datasets are analyzed in 
the context of other data received from across sectors, and based on 
this analysis regular analytical products are shared back out with 
partners. CISCP has signed 40 Cooperative Research and Development 
Agreements (CRADAs), and is in the process of finalizing agreements 
with 66 additional entities to formalize a streamlined information-
sharing process. Since December 2011, CISCP has released over 900 
products containing approximately 18,000 cyber threat indicators, which 
are based on information the Department has gleaned from participant 
submissions, open-source research, and from sensitive Government 
information.
    NCCIC has also benefited from close collaboration with the USSS and 
ICE, which have complementary jurisdiction over the investigation of 
computer crime violations that they exercise to protect the Nation's 
leaders and critical infrastructure and strategically target 
transnational organized criminals who are exploiting the financial 
system through cybercrimes. By working closely together, NCCIC and its 
law enforcement partners are able to leverage each organization's 
expertise and unique authorities to more effectively and efficiently 
execute DHS's cybersecurity mission.
                      responding to cyber threats
    As the civilian Department at the intersection of public-private 
information sharing, DHS is a focal point for coordinating 
cybersecurity information sharing with the private sector, the 
Department engages with owners and operators, based on their requests 
for technical assistance, by providing on-site analysis, mitigation 
support, and assessment assistance. The Department has repeatedly 
demonstrated its ability to expeditiously support private-sector 
partners with cyber intrusion mitigation and incident response. 
Initiating technical assistance with any private company to provide 
analysis and mitigation advice is a sensitive endeavor that requires 
trust and strict confidentiality. DHS's efforts focus on civilian 
computer network defense and protection rather than law enforcement, 
military, or intelligence functions in order to mitigate threats to the 
networks and reduce future risks.
    Since 2009, the NCCIC has responded to nearly half-a-million 
incident reports and released more than 26,000 actionable cybersecurity 
alerts to the Department's public- and private-sector partners. An 
integral player within the NCCIC, the US-CERT also provides response 
support and defense against cyber attacks for Federal civilian agency 
networks as well as private-sector partners upon request. In 2012, US-
CERT processed approximately 190,000 cyber incidents involving Federal 
agencies, critical infrastructure, and the Department's industry 
partners. This represents a 68 percent increase from 2011. In addition, 
US-CERT issued over 7,455 actionable cyber-alerts in 2012 that were 
used by private sector and Government agencies to protect their 
systems, and had over 6,400 partners subscribe to the US-CERT portal to 
engage in information sharing and receive cyber-threat warning 
information.
    The Department's ICS-CERT also responded to 177 incidents last year 
while completing 89 site assistance visits and deploying 15 teams with 
US-CERT to respond to significant private-sector cyber incidents, which 
includes analyzing data and sharing results, developing mitigation 
recommendations, and providing alerts and warning to potential future 
victims. DHS also empowers owners and operators through a cyber self-
evaluation tool, the Cyber Security Evaluation Tool (CSET), which was 
used by over 1,000 companies last year. In addition, DHS provides in-
person and on-line training sessions that focus on network security.
    The NCCIC, and its Federal partners, works with the private sector 
and international partners in preventing intellectual property theft 
with a whole-of-Government approach. For example, the United States 
Secret Service--which brings together over 6,000 partners from across 
sectors through its 29 domestic Electronic Crimes Task Forces (ECTFs)--
investigates cyber crimes within its jurisdiction, and the United 
States Coast Guard contains a component of U.S. Cyber Command and U.S. 
Strategic Command for the conduct of military missions. In each case, 
DHS focuses not only on responding to the incident at hand, but also on 
identifying trends, warning potential victims, and proactively engaging 
with partners. DHS, in collaboration with FBI and other partners, 
released a series of Joint Indicator Bulletins, containing cyber-threat 
indicators to help private-sector partners take action to stop this 
activity and protect them from theft of intellectual property, trade 
secrets, and sensitive business information.
    Most recently, and in close collaboration with interagency partners 
as well as industry partners like the Financial Services Information 
Sharing and Analysis Center, DHS has been engaged with private-sector 
and international partners during the series of DDoS incidents over the 
past few months. DHS has provided technical data and assistance, 
including identifying hundreds of thousands of DDoS-related IP 
addresses and supporting contextual information in order to help 
financial institutions and their information technology security 
service providers improve their defensive capabilities. In addition to 
sharing with these private-sector entities, DHS has provided this 
information to over 120 international partners, many of whom have 
contributed to our mitigation efforts. DHS, along with the FBI and 
other interagency partners, has also deployed on-site technical 
assistance to provide in-person support, and has conducted numerous 
classified briefings on the nature of the threat and mitigation 
strategies to hundreds of financial-sector IT security specialists. 
These efforts have helped to increase the U.S. Government's sharing and 
coordination efforts internally and with private-sector partners. 
Additionally, the mitigation strategies provided have not only helped 
financial institutions significantly blunt the impact of these attacks, 
but they have also helped the industry develop new strategies of their 
own that DHS hopes to share with other sectors of critical 
infrastructure to help mitigate similar attacks.
    NCCIC's NCC played a vital role in response to Hurricane Sandy 
recovery efforts. The NCC, as the coordinator for Emergency Support 
Function No. 2 under the National Response Framework, provided a wide 
range of communications support in partnership with industry to support 
responders, citizens, and industry response and recovery. NCC worked to 
improve first-responder actions by assisting in radio network 
infrastructure restoration such as microwave connectivity supporting 
local fire department dispatch and coordination. They also coordinated 
aid to citizens through more than 170 instances of emergency 
provisioning of communications installations supporting response 
organizations such as the American Red Cross, Army Corps of Engineers, 
Social Security Administration, and the Federal Emergency Management 
Agency. Collaborating with industry, NCC enhanced wireless coverage to 
first responders who provide emergency services to approximately 33,400 
citizens in Long Beach, New York; 1,400,000 citizens in Nassau County 
and 130,000 citizens in Far Rockaway, Queens. Their efforts also 
supported the recovery of communications to the U.S. financial sector 
by coordinating fuel and power restoration to a key facility in New 
York City, ensuring no impact to international financial trading.
    Finally, in March 2012, DHS identified a campaign of cyber 
intrusions targeting natural gas pipeline sector companies with spear-
phishing e-mails that dated back to December 2011. The attacks were 
highly-targeted, tightly-focused, and well-crafted. Stolen information 
could provide an attacker with sensitive knowledge about industrial 
control systems, including information that could allow for 
unauthorized operation of the systems. While there is no evidence that 
anyone has tried to subvert the operation of these industrial control 
systems, the intent of the attacker remains unknown. DHS immediately 
began an action campaign to alert the oil and natural gas pipeline 
sector community of the threat and offered to provide assistance. 
Industry partners have been responsive to these threats, and in May and 
June 2012, DHS deployed on-site assistance to two of the organizations 
targeted in this campaign: An energy company that operates a gas 
pipeline in the United States and a manufacturing company who 
specializes in producing materials specific to pipeline construction. 
DHS also partnered with the Department of Energy and others to conduct 
briefings across the country. Over 500 private-sector individuals 
attended the classified briefings and hundreds more received 
unclassified briefings providing warnings and mitigation strategies.
                        recent executive actions
    As today's physical and cyber infrastructures become increasingly 
linked, critical infrastructure and emergency response functions grow 
ever more inseparable from the information technology systems that 
support them. The Government's role in this effort is to share 
information and encourage enhanced security and resilience, while 
identifying and addressing gaps not filled by the marketplace. These 
policies work in conjunction with Executive Order 13618 of July 6, 
2012, Assignment of National Security and Emergency Preparedness 
Communications Functions, which improves how the Executive branch 
handles NS/EP Communications and ties cyber into emergency response 
communications.
    In February 2013, President Obama issued EO 13636, as well as PPD-
21 on Critical Infrastructure Security and Resilience, which will work 
to strengthen the security and resilience of critical infrastructure 
through an updated and overarching National framework that acknowledges 
the increased role of cybersecurity in securing physical assets, and 
will improve NCCIC's ability to execute its mission in support of the 
private sector. The President's actions mark an important milestone in 
the Department's on-going efforts to coordinate the National response 
to significant cyber incidents while enhancing the efficiency and 
effectiveness of our work to strengthen the security and resilience of 
critical infrastructure, and these policies will further enable NCCIC's 
mission. EO 13636 supports more efficient sharing of cyber-threat 
information with the private sector and directs the National Institute 
of Standards and Technology to develop a Cybersecurity Framework to 
identify and implement better security practices among critical 
infrastructure sectors. EO 13636 directs DHS to establish a voluntary 
program to promote the adoption of the Cybersecurity Framework in 
conjunction with Sector-Specific Agencies and to work with industry to 
assist companies in implementing the framework.
    EO 13636 also expands the DHS Enhanced Cybersecurity Services (ECS) 
program, key aspects of which are operated by the NCCIC. ECS is a 
voluntary information-sharing program that assists critical 
infrastructure owners and operators to improve protection of their 
systems from unauthorized access, exploitation, or data exfiltration. 
DHS works with cybersecurity organizations from across the USG to gain 
access to a broad range of cyber-threat information. ECS consists of 
the operational processes and security oversight required to share 
sensitive and classified cyber-threat information with qualified 
Commercial Service Providers (CSPs) that will enable them to better 
protect their customers who are critical infrastructure entities. CSPs 
can deliver approved services to validated critical infrastructure 
entities through commercial relationships. The ECS program is not 
involved in establishing commercial relationships between CSPs and CI 
entities. ECS augments, but does not replace, entities' existing 
cybersecurity capabilities. The ECS information-sharing process 
protects Critical Infrastructure (CI) entities against cyber threats 
that could otherwise harm their systems. ECS program participation is 
voluntary and designed to protect Government intelligence, corporate 
information security, and the privacy of participants, while enhancing 
the security of critical infrastructure. Validated CI entities from all 
16 CI sectors are eligible to participate in the ECS program and 
receive ECS services from an eligible CSP.
    In addition, the Presidential Policy Directive directs the 
Executive branch to strengthen our capability to understand and 
efficiently share information about how well critical infrastructure 
systems are functioning and the consequences of potential failures. It 
calls for a comprehensive research and development plan for critical 
infrastructure to guide the Government's effort to enhance market-based 
innovation. The strategic imperatives in PPD-21 also direct the NCCIC 
and the NICC to ``function in an integrated manner and serve as focal 
points for critical infrastructure partners to obtain situational 
awareness and integrated, actionable information to protect the 
physical and cyber aspects of critical infrastructure.'' As such, NPPD 
is enhancing the existing coordination of its two critical 
infrastructure operations centers, the NCCIC and the NICC.
                    continuing need for legislation
    We continue to believe that carefully-crafted information-sharing 
provisions, as part of a comprehensive suite of cybersecurity 
legislation, are essential to improve the Nation's cybersecurity to an 
acceptable level, and we will continue to work with Congress to achieve 
this.
    The administration's legislative priorities for the 113th Congress 
build upon the President's 2011 Cybersecurity Legislative Proposal and 
take into account 2 years of public and Congressional discourse about 
how best to improve the Nation's cybersecurity. Congress should enact 
legislation to incorporate privacy, confidentiality, and civil 
liberties safeguards into all aspects of cybersecurity; strengthen our 
critical infrastructure's cybersecurity by further increasing 
information sharing and promoting the establishment and adoption of 
standards for critical infrastructure; give law enforcement additional 
tools to fight crime in the digital age; and create a National Data 
Breach Reporting requirement.
                               conclusion
    Set within an environment characterized by a dangerous combination 
of known and unknown vulnerabilities, rapidly-evolving adversary 
capabilities, and a lack of comprehensive threat and vulnerability 
awareness, the cybersecurity mission is truly a National one requiring 
broad collaboration. DHS is committed to creating a safe, secure, and 
resilient cyber environment while promoting cybersecurity knowledge and 
innovation and protecting privacy, confidentiality, civil rights, and 
civil liberties in collaboration with its public, private, and 
international partners. Thank you for your continued support and 
attention to the critical issue of cybersecurity and I look forward to 
your questions.

    Mr. Meehan. [Off mike.]
    One of us thinks we have to get technology as my button to 
work.
    Thank you, Ms. Stempfley, for your testimony. As I 
identified at the outset, Mr. Zelvin joins in that testimony on 
behalf of the Department of Homeland Security.
    So now the Chairman recognizes Mr. Edwards, Inspector 
General's Office of DHS, for your testimony.

STATEMENT OF CHARLES K. EDWARDS, ACTING INSPECTOR GENERAL, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Edwards. Good morning, Chairman Meehan, Ranking Member 
Clarke, Ranking Member Thompson, and Members of the 
subcommittee. Thank you for the opportunity to discuss DHS 
efforts to secure the Nation's industrial control systems. The 
majority of information that I will provide is contained in our 
February 2013 report, ``DHS Can Make Improvements to Secure 
Industrial Control Systems.''
    Industrial control systems, or ICS, are systems that manage 
and monitor the Nation's critical infrastructure and key 
resources, or CIKR. ICS are increasingly under attack by a 
variety of malicious sources, ranking from hackers looking for 
attention and reputation to sophisticated nation states intent 
on damaging equipment and facilities, disgruntled employees, or 
competitors.
    Successful attacks on ICS can give malicious users direct 
control of operational systems, creating the potential for 
large-scale power outages or man-made environmental disasters 
and can cause physical damage, loss of life, and other 
cascading effects.
    DHS has strengthened the security of ICS by addressing the 
need to share critical cybersecurity information, analysis 
vulnerabilities, verify emerging threats, and disseminate 
mitigation strategies. DHS has taken a number of actions to 
improve ICS security and foster better partnership within 
Federal and private sectors.
    For example, DHS has established the ICS-CERT Incident 
Response Team, also known as the fly-away team, to support the 
public and private sectors through on-site and remote incident 
response services on a variety of cyber threats. DHS has 
improved the quality of its alerts and bulletins by including 
actionable information regarding vulnerabilities and 
recommended mitigations and best practices for securing ICS. 
Finally, the Department has strengthened its outreach efforts 
with the ICS community, including vendors, owners, operators, 
and academic community and other Federal agencies.
    Although DHS has made improvements, more needs to be done 
to reduce the cybersecurity risks for the Nation's ICS. Many of 
the private-sector partners we interviewed use portals such as 
the Homeland Security Information Network, or HSIN, to retrieve 
advisories, vulnerability information, and best practices. 
There are 55 communities of interest on the HSIC Critical 
Sectors portal intended to facilitate communication and 
collaboration among all CIKR sectors and the Federal 
Government.
    However, DHS does not have a consolidated summary overview 
page on the HSIN Critical Sectors portal that highlights new 
information and activities to ensure that ICS cybersecurity 
information is shared effectively. As a result, the content of 
each of the CIKR sectors must be searched individually for 
pertinent and updated information. These searches can be time-
consuming for the stakeholders.
    In addition, all the sector-specific agencies senior 
officials that we interviewed expressed a need to be notified 
in advance when ICS-CERT is performing on-site or remote 
technical assistant assessments with private companies within 
their sectors. For example, these officials suggested that ICS-
CERT publish a heads-up or a quick anonymous informational 
alert regarding an on-going investigative or pending event, 
sectors and devices affected, and whether a potential fix 
exists. Such notification would be helpful and would allow them 
to react more accordingly if other companies call them with 
questions.
    Overall, officials acknowledge that DHS had improved the 
quality of alerts and bulletins that address various cyber 
topics. However, they expressed concern regarding the 
timeliness of ICS-CERT's information sharing and 
communications. ICS-CERT management acknowledged that sector-
specific agencies, councils, and private sectors concerning 
regarding the sharing of active incidents and threats, such as 
identified cyber intrusions and spear phishing e-mails.
    However, proprietary information and on-going law 
enforcement investigations sometimes limit the amount of 
information ICS-CERT can disseminate. The report included two 
recommendations and NPPD concurred with both.
    Mr. Chairman, this concludes my prepared remarks, and I 
would be happy to answer any questions that you or the Members 
may have.
    Thank you.
    [The prepared statement of Mr. Edwards follows:]
                Prepared Statement of Charles K. Edwards
                              May 16, 2013
    Good morning Chairman Meehan, Ranking Member Clarke, and Members of 
the subcommittee: Thank you for the opportunity to discuss DHS' efforts 
to secure the Nation's industrial control systems. The majority of 
information that I will provide today is contained in our February 2013 
report, DHS Can Make Improvements to Secure Industrial Control Systems 
(OIG-13-39).
    Industrial control systems (ICS) are systems that include 
supervisory control and data acquisition, process control, and 
distributed control that manage and monitor the Nation's critical 
infrastructure and key resources (CIKR).\1\ ICS are an integral part of 
our Nation, and help facilitate operations in vital sectors. Beginning 
in 1990, companies began connecting their operational ICS with 
enterprise systems that are connected to the internet. This allowed 
access to new and more efficient methods of communication, as well as 
more robust data, and gain quicker time to market and interoperability. 
However, security for ICS was inherently weak because it allowed remote 
control of processes and exposed ICS to cybersecurity risks that could 
be exploited over the internet. As a result, ICS are increasingly under 
attack by a variety of malicious sources. These attacks range from 
hackers looking for attention and notoriety to sophisticated nation-
states intent on damaging equipment and facilities, disgruntled 
employees, competitors, and even personnel who inadvertently bring 
malware into the workplace by inserting an infected flash drive into a 
computer. A recent survey revealed that a majority of the companies in 
the energy sector had experienced cyber attacks, and about 55 percent 
of these attacks targeted ICS. These attacks involved large-scale 
denial-of-service and network infiltrations. Successful attacks on ICS 
can give malicious users direct control of operational systems, 
creating the potential for large-scale power outages or man-made 
environmental disasters and cause physical damage, loss of life, and 
other cascading effects that could disrupt services.
---------------------------------------------------------------------------
    \1\ There are 18 CIKR sectors: Agriculture and Food, Banking and 
Finance, Chemical, Commercial Facilities, Communications, Critical 
Manufacturing, Dams, Defense Industrial Base, Emergency Services, 
Energy, Government Facilities, Healthcare and Public Health, 
Information Technology, National Monuments and Icons, Nuclear Reactors, 
Material and Waste, Postal and Shipping, Transportation Systems, and 
Water.
---------------------------------------------------------------------------
    Some recent cyber attacks have included the following:
   In February 2011, the media reported that hackers had stolen 
        proprietary information worth millions of dollars from the 
        networks of six energy companies in the United States and 
        Europe.
   In December 2011, a sophisticated threat actor targeted the 
        oil and natural gas subsector. Affected asset owners across the 
        sector voluntarily worked with DHS during the investigation.
   Throughout 2011, there were reports of spear-phishing via 
        email in the energy sector; no negative impacts occurred to the 
        companies' control processes and operations.
   In March 2012, an alert was issued regarding phone-based 
        social engineering attempts at two or more power distribution 
        companies. The callers attempted to direct the company 
        personnel to take action to correct a problem that would have 
        allowed the attacker to gain access to their ICS.
   In April 2012, media reported that a Canadian ICS 
        manufacturing company inadvertently planted a backdoor login 
        account in its own operating systems, which contain switches 
        and servers used in mission-critical communications networks 
        that operate power grids and railway and traffic control 
        systems. This account could have allowed attackers to access 
        the devices via the internet.
    The Industrial Control Systems--Cyber Emergency Response Team's 
(ICS-CERT) operational capabilities focus on the private-sector CIKR 
ICS and networks, which is essential to the Department's mission to 
protect the Nation's critical infrastructure, particularly against 
emerging cyber threats. Additionally, ICS-CERT uses the Request Tracker 
Ticketing System to capture analytical and status information regarding 
vulnerabilities and incidents. The ticketing system maintains the 
incident response team's remote technical assistance and on-site 
assessment status and reports. Tickets are color-coded based on age. 
The ticketing system notifies the assigned personnel when the status of 
a ticket is changed or further action is needed. Additionally, ICS-CERT 
coordinates control systems-related security incidents and information 
sharing with Federal, State, and local agencies and organizations, as 
well as private-sector constituents, including vendors, owners, and 
operators of ICS.
    ICS-CERT exchanges information with stakeholders via the Homeland 
Security Information Network (HSIN)--Critical Sector. The Office of the 
Chief Information Officer (OCIO) develops and maintains HSIN and serves 
as data governance steward for HSIN policy documents, including the 
HSIN Model Charter and HSIN Terms of Service. Although OCIO is the data 
steward, the office is not responsible for maintaining the content that 
users and communities of interest post to any element of HSIN.\2\ Each 
community of interest sponsor is responsible for maintaining and 
sharing the content within the community of interest and through the 
community of interest shared space.\3\ The administration and 
governance of the communities of interest, including creation of 
individual sites within the community, is at the discretion of their 
sponsors. OCIO works in cooperation with each community of interest to 
enforce the rules in the charter and terms of services. OCIO conducts 
regular reviews of communities of interest to validate and justify its 
purpose, objectives, and operational need. National Protection and 
Programs Directorate (NPPD) sponsors and manages the critical sector 
communities of interest.
---------------------------------------------------------------------------
    \2\ HSIN communities of interest are separate environments wherein 
users involved in the same subject matter area or industry may post and 
view potentially relevant news and information and use collaborative 
tools.
    \3\ The HSIN shared space allows authorized stakeholders and 
content contributors to publish finished products and relevant 
documents that: (1) Have appropriate markings providing sharing 
permissions at the document level, and (2) are targeted to an 
authorized audience based on their credentials and related community of 
interest and system-wide rules for sharing.
---------------------------------------------------------------------------
 dhs' progress in improving the security of industrial control systems
    We reported that Department needed to improve the security of ICS 
and information sharing to enhance program effectiveness. DHS has 
strengthened the security of ICS by addressing the need to share 
critical cybersecurity information, analyze vulnerabilities, verify 
emerging threats, and disseminate mitigation strategies. For example, 
DHS has taken the following actions to improve ICS security and foster 
better partnerships between the Federal and private sectors:
   Establishing ICS-CERT Incident Response Team, also known as 
        the fly-away teams, to support the public and private sectors 
        through on-site and remote incident response services on a 
        variety of cyber threats, ranging from general malicious code 
        infections to advanced persistent threat intrusions. 
        Additionally, in March 2012, NPPD released the Cyber Security 
        Evaluation Tool Version 4.1. The updated tool assists users in 
        identifying devices connected to their networks, as well as 
        external connections, by creating a diagram of their systems.
   Operating a malware lab that provides testing capabilities 
        to analyze vulnerabilities and malware threats to control 
        system environments. The team verifies vulnerabilities for 
        researchers and vendors, performs impact analysis, and provides 
        patch validation and testing prior to deployment to the asset-
        owner community.
   Improving the quality of its alerts and bulletins by 
        including actionable information regarding vulnerabilities and 
        recommended mitigations and best practices for securing ICS.
   Providing products to the ICS community on a daily, weekly, 
        monthly, quarterly, and as-needed basis, through email, 
        website, and portal postings. These products help ICS-CERT to 
        improve the situational awareness of ICS and provide status 
        updates of its working groups, articles of interest, and 
        upcoming events and training.
   Implementing a virtual private network solution to allow 
        NPPD program officials to access program applications and 
        systems (e.g., the ICS-CERT ticketing system) located at the 
        Idaho National Laboratory (INL).\4\
---------------------------------------------------------------------------
    \4\ A virtual private network is a technology for using the 
internet or another intermediate network to connect computers to 
isolated remote computer networks that would otherwise be inaccessible. 
Users can access resources on remote networks, such as files, printers, 
databases, or internal websites.
---------------------------------------------------------------------------
   Assisting in developing various roadmaps for the cross-
        sector, dams, nuclear, water, and transportation. The road maps 
        provide vision and framework for mitigating cybersecurity risk 
        to the wide variety of systems critical to each sector's 
        operations.
    Finally, the Department has strengthened its outreach efforts with 
the ICS community, including vendors, owners/operators, academia, and 
other Federal agencies. These efforts include participating in the 
periodic meetings with the Cross-Sector Cyber Security Working Group; 
Government Coordinating Council and Sector Coordinating Council; and 
various sector-specific groups.
                            major challenges
    Despite these actions, NPPD still faces challenges in reducing the 
cybersecurity risks for the Nation's ICS. Further, NPPD can improve its 
efforts to protect and secure control systems that are essential to the 
Nation's security and economy. Specifically, ICS-CERT needs to 
consolidate its information-sharing and communication efforts with 
Sector-Specific Agencies and the private sector to ensure that these 
stakeholders are provided with potential ICS threats and 
vulnerabilities to mitigate security threats timely. In addition, DHS 
needs to improve communications with Sector-Specific Agencies and the 
private sector by providing advanced notification of ICS-CERT's remote 
technical and on-site incident assessments.
Consolidation of Multiple Information-Sharing Communities of Interest
    Many of the private-sector partners we interviewed (e.g., owners/
operators, regulators, and working groups) use the HSIN, ICS-CERT, and 
United States Computer Emergency Readiness Team (US-CERT) portals to 
retrieve advisories, vulnerability information, and best practices. 
There are 55 communities of interest on the HSIN-Critical Sectors 
intended to facilitate communication and collaboration among all CIKR 
sectors and the Federal Government. However, DHS does not have a 
consolidated summary overview page on HSIN-Critical Sectors that 
highlights new information and activities to ensure that ICS 
cybersecurity information is shared effectively. As a result, the 
content for each of the CIKR sectors and must be searched individually 
for pertinent and updated information. For example, the Dams, Emergency 
Management, and Electricity and Oil and Natural Gas subsector 
communities of interest, which are used by companies that belong to 
multiple sectors, have to be searched individually and may contain non-
cybersecurity information, such as physical security, emergency 
response, and planning. These searches can be time-consuming for the 
stakeholders.
    Additionally, each community of interest is arranged differently, 
making it more cumbersome for the users to retrieve useful information. 
For example, some HSIN users told us that the various communities of 
interest contain duplicate information. As a result, some Sector-
Specific Agencies want to build additional portals for their 
stakeholders to streamline the information DHS provides.
    ICS-CERT officials acknowledged that existing communities of 
interest could confuse owners/operators. To eliminate duplicate 
information from the communities of interest, ICS-CERT created a 
subcommittee to address stakeholder concerns regarding the communities 
of interest. ICS-CERT officials said that ICS-CERT only contributed 
content to the communities of interest and does not have the 
responsibility for site set up. However, NPPD plans to hold discussions 
with OCIO to determine whether these communities of interest could be 
consolidated to better serve stakeholder needs.
    We recommended that the Under Secretary, NPPD collaborate with OCIO 
to streamline the HSIN portal to ensure that ICS cyber information is 
shared effectively.
Advance Notification of Remote Technical and On-site Assessments
    All the Sector-Specific Agencies senior officials that we 
interviewed expressed a need to be notified in advance when ICS-CERT is 
performing on-site or remote technical assistance assessments with 
private companies within their sectors. For example, these officials 
suggested that ICS-CERT publish a ``heads-up'' or ``quick anonymous'' 
informational alert regarding an on-going investigative/pending event, 
sectors and devices affected, and whether a potential fix exists. The 
Sector-Specific Agency officials told us that such notifications would 
be helpful and would allow them to react more appropriately if other 
companies call them with questions. For example, according to Nuclear 
Sector-Specific Agency officials, the Department's Domestic Nuclear 
Detection Office sends an email alert to State authorities and its 
offices regarding upcoming site visits.
    DHS does not communicate timely the results of its remote technical 
and on-site assessments to the public. We interviewed officials from 
three Sector-Specific Agencies, six Government and private-sector 
councils, and 23 private companies from the dams, energy, and nuclear 
sectors to evaluate whether ICS-CERT shared sufficient information and 
communicated effectively. Overall, these officials acknowledged that 
DHS had improved the quality of alerts and bulletins that addressed 
various cyber topics. However, they expressed concerns regarding the 
timeliness of ICS-CERT's information sharing and communications. As a 
result, the stakeholders are concerned that a great deal of time might 
elapse until stakeholders were made aware of the same or similar 
incident that could affect their systems.
    Additionally, both Sector-Specific Agencies and private-sector 
officials said that an advance notification would be helpful to 
increase dialogue with ICS-CERT on an event or threat that has not been 
made public. The private-sector officials suggested that advance 
notification can allow them to assist ICS-CERT in developing solutions 
and mitigating strategies as well as determining whether an incident is 
isolated or systemic.
    ICS-CERT management acknowledged the Sector-Specific Agencies', 
councils', and private sector's concerns regarding the sharing of 
active incidents and threats, such as identified cyber intrusions and 
spear-phishing emails. Additionally, ICS-CERT management told us that 
the private sector perceives that ICS-CERT has more useful information 
available than it is willing to share. However, ICS-CERT management 
said that proprietary information and on-going law enforcement 
investigations limit the amount of information ICS-CERT can 
disseminate. For example, there were instances in which the Federal 
Bureau of Investigation was engaged in an on-going investigation and 
had withheld sensitive law enforcement information. Additionally, the 
protected critical infrastructure information between DHS and the 
private-sector owner prohibits ICS-CERT from sharing vulnerability and 
malware assessment information.
    We recommended that the Under Secretary, NPPD promote collaboration 
with Sector-Specific Agencies and private-sector owners/operators by 
communicating preliminary technical and on-site assessment results to 
address and mitigate potential security threats on ICS.
    Mr. Chairman, this concludes my prepared statement. I appreciate 
your time and attention and welcome any questions from you or Members 
of the subcommittee.

    Mr. Meehan. Thank you, Mr. Edwards, for your testimony.
    Before we go to the opportunity for my colleagues to 
present their questions to you, I am pleased to be joined by 
the Ranking Member of our committee, the gentlelady from New 
York, and I recognize her now for opening comments that she may 
have?
    Ms. Clarke. Thank you very much, Mr. Chairman, and thank 
you to the Ranking Member and my colleagues.
    Mr. Chairman, I want to thank you once again for holding 
this morning's hearing. After significant expansion of the 
Department of Homeland Security's cybersecurity mission and 
programs beginning in fiscal year 2012, I am glad that this 
morning we have had the opportunity to examine these programs 
and are now able to assess the progress of the Department in 
carrying out the mission.
    As you are aware, this is the subcommittee's third hearing 
on cybersecurity in this Congress. First we held a hearing on 
the threats in cyberspace through our critical infrastructure 
from state and non-state actors. Next we learned about the 
DHS--how DHS protects the privacy of our citizens in 
cyberspace. With the background in place, today we have heard 
from the witnesses about the Department and has the--about 
whether the Department has people, programs, and resources in 
place to successfully address the significant cyber threats to 
our critical infrastructure while protecting privacy.
    It is high time that our subcommittee take a closer look at 
these programs, some of which did not even exist just a few 
years ago. The continuous diagnostics and Einstein programs in 
particular have undergone rapid expansion, and I am pleased 
that the Department is fulfilling its role as the protector of 
the dot-gov domain with the resources to match.
    But though these Federal network security programs get the 
majority of the funding and attention, I believe the 
Department's responsibilities for protecting critical 
infrastructure, most of which is found in the private sector, 
is equally important. For this reason, I am particularly 
pleased that we have been joined this morning by Deputy 
Inspector Charles Edwards and that he has discussed the recent 
work done by the OIG to assess the progress that ICS-CERT has 
made to brand itself as the cyber 9-1-1 for critical 
infrastructure before, during, and after cyber incidents.
    ICS-CERT, recently incorporated as an operational arm of 
the NCCIC, has done great work in mitigating cyber risks to 
critical infrastructure and it was important that we learned 
more about this mission and the challenges that still remain to 
share information with the private sector quickly and 
efficiently.
    Finally, I want to register my concerns about the 
continuing drain of senior cybersecurity leadership at the 
Department, a trend that has gotten particularly bad in the 
last 6 months, with the departures of the assistant secretary 
and the deputy under secretary. We have been hearing about the 
difficulties DHS faces in attracting and retaining skilled 
junior and mid-level cyber employees for a long time, but 
this--but what does it say about the Department's cyber 
organization when it cannot retain its senior leaders as well?
    Rumors are circulating about the future replacements of 
these losses, and I am sure DHS would like to make a splash 
with these appointments, getting leaders who command respect in 
information security and critical infrastructure worlds. But 
most of all, DHS needs to find leaders who believe in the 
mission, that will stay on-board as a steady hand on the wheel 
during this period of immense expansion and evolution of our 
cybersecurity efforts.
    As part of this process, I believe DHS needs to do some 
soul searching and identify with why their senior officials 
have been leaving. If changes need to be made to ensure future 
leaders will be more empowered to do their job, I expect that 
the Department will do so. I hope to work with the Department 
in this endeavor to guarantee that vital cybersecurity mission 
gets the leadership it needs.
    Once again, I would like to thank all of you for testifying 
before us this morning.
    I yield back the balance of my time.
    Mr. Meehan. I thank the Ranking Member for her opening 
comments.
    We are grateful, again, for your presence here today, of 
this distinguished panel.
    So I now recognize myself for 5 minutes of questioning.
    Let me begin by sharing an observation that I believe we in 
Congress, and in fact, across the Governmental sector, aren't 
doing a good enough job of really alerting the citizens in 
general about the true nature and scope of the threat that we 
face. We often respond in the aftermath of an incident and 
spend time analyzing what we could have done better.
    I believe the work that you are doing is not only vital to 
the security of our Nation, but you have done some tremendous 
things in the form of anticipating and sharing and 
communicating.
    So please, if I can just ask Mr. Zelvin and Ms. Stempfley, 
quickly, what is your assessment of the true nature of the 
threat that we face today in the world of cybersecurity?
    Ms. Stempfley.
    Ms. Stempfley. I had to figure the button out, too.
    Thank you very much for the opportunity to answer that 
question. As we have all recognized, cyber pervades almost 
every facet of our life--we do banking on-line, we do--I renew 
my driver's license on-line, our workplace has gone entirely 
on-line--and a recognition of that important part that the 
cyber landscape plays in this is certainly not something I 
think is widely known. So I agree with your point.
    We in the Department have been very focused on sharing 
actionable information, those threat indicators that can be put 
out there, whether it from a criminal source, whether it come 
from a hacktivist source, whether it comes from an intelligence 
source--putting that in the hands of the people who can do the 
most with it. I know Mr. Zelvin will give you very specific 
indications of that as he goes through his response to this 
question.
    But we have to pair that with raising the overall 
understanding of the population of the role that cyber plays, 
and so some of the other programs that are outside the 
technology programs that the Office of Cybersecurity and 
Communication has in things like the ``Stop, Think, Connect'' 
campaign and other broad awareness campaigns will raise that--
serves to raise that awareness so that consumers can understand 
what the impact is to them and will live up to some of their 
obligations, as well.
    Mr. Meehan. Mr. Zelvin, it is consumers, and Ms. Stempfley 
focused to some extent on the impact on the everyday American, 
but it is much broader than that, is it not, with respect to 
the very infrastructure that we have in this Nation, including 
our grids and other things of that nature?
    Mr. Zelvin. It is, Mr. Chairman. When I look at the 
challenge I look at the threats, I look at the victims, and I 
look at the mitigation capabilities. So as you look at the 
threats, it is as Ms. Stempfley said, it can affect the 
individuals.
    But there is also nation states. There are also criminal 
actors. There are nefarious actors and there are just people 
who want to see if they can do it for the sake of doing it.
    When you look at the victims, you have companies that are 
worth billions of dollars internationally. You have victims 
such as my aunt, who called me on a weekend and said, ``Why is 
DHS locking my computer and want $400 to unlock it?'' She was a 
victim of something called ransomware. Some virus got on and 
she couldn't unlock it.
    So the victims are very sophisticated or they are an 
elderly woman who doesn't understand why her computer isn't 
working.
    As you look at the mitigation capabilities, they are also 
varied. Some companies have magnificent capabilities, and 
probably we need the Government to provide information and a 
warning of what is happening and some suggestions on what to 
do, and then they are off and running and can deal with the 
challenges.
    Other places, they have no capability. They are not sure 
what to do. They are very confused by the threat and they know 
it is a problem, but they are not really sure what to do.
    In many cases they buy products from the commercial 
sector--anti-virus vendors--and hope that can be the solution. 
But it many cases it won't as they are stealing personal 
identifiable information, potentially financial information.
    Mr. Meehan. Would you jump off of that point, because I 
think it gets to the heart of what is so important about the 
work you do in the NCCIC, and particularly the fact that we 
have a moldable--or we have a broad range of capabilities, as 
you identified, very sophisticated capacities that not only 
rival but probably work in concert with the capacities--the 
highest level of capacities that we have in the Government 
sector, and I am talking about the banking sector, in some ways 
the communication sector and others.
    In other places we have systems that are dramatically 
behind, and I am talking about things like water systems or 
other kinds of municipal authorities, but all of which today 
are tied to the internet, and therefore, the operating systems 
are capable of being influenced and attacked.
    At some point, Mr. Edwards, you have done work into looking 
at that.
    But, Mr. Zelvin, explain the important role that the NCCIC 
plays in being more or less a junction that is able to tie 
together the capacity to take the best of what we have and 
allow it to be available to support those industries which are 
lagging dramatically behind.
    Mr. Zelvin. Mr. Chairman, as I look at the--you know, you 
mentioned what is it going to take for people to understand 
this cyber challenge? I will tell you, there is a variety of 
experiences, and those who have been attacked the most are 
obviously the most aware and the most prepared, and that, I 
think are the financial services sector and the communications 
sector and the information technology sector. These are the 
folks that are living and breathing attacks on a daily basis 
and they are becoming more sophisticated by the day.
    There are other sectors, as you mentioned, that haven't had 
these attacks. So what we do in the NCCIC is we look across the 
16 critical infrastructures and we try and raise the water to 
keep all the boats at the same level, if you will.
    So we highlight across the sectors. That is, what is 
happening in one sector today could be happening in another 
sector tomorrow. So we want to increase the awareness.
    We are also sharing those mitigation strategies. In some 
cases--in many cases--these are things that companies can do 
themselves, so we just want to reinforce. There is a friction 
within the critical infrastructure because in many cases--I 
apologize--the information technology and the security folks, 
they are not part of the profit, so--and there is money that 
needs to be brought into this solution.
    So what we try to do is we tell those that are in the 
leadership position to really listen to these security 
professionals and really deal with these cyber practices 
because they can affect your core businesses.
    I would also like to mention that we also work with State, 
local, and Tribal, territorial governments. We work with 
international partners. There are over 200 countries that we 
deal with almost on a weekly basis.
    So it is the critical infrastructure, it is our State, 
local, Tribal, territorial, it is our Federal Department's 
agencies, international, and as I said, the individuals. But 
the cyber threat is literally global in nature and we are 
trying to make sure we have awareness and help with the 
prevention mitigation across the board.
    Mr. Meehan. Well, my time is expired but I look forward to 
following up on some of that with the second line of questions.
    Now the Chairman recognizes the ranking lady from--the 
gentlelady from New York, the Ranking Member, Ms. Clarke?
    Ms. Clarke. Thank you, Mr. Chairman.
    Ms. Stempfley, I wanted to delve into Einstein 3. DHS has 
requested large funding increases to build out Einstein 3, 
which will help prevent intrusions into civilian Federal 
networks. While I am supportive of this program, I am concerned 
about the progress of such a large initiative and want to make 
sure it is carried out properly to ensure that our Federal 
networks are secured and to keep the cost to the taxpayers 
down.
    A recent report by GCN Magazine raised concerns that 
Einstein may be over budget and behind in implementation. For 
the record, can you give the subcommittee an update on 
Einstein, particularly Einstein 3? What is the schedule for 
deploying it at all departments and agencies, and do you expect 
there to be cost and time frame overruns?
    Ms. Stempfley. Thank you, ma'am.
    Einstein 3 is a part of a comprehensive set of capabilities 
for perimeter protection known as the National Cybersecurity 
Protection System. Just about a year ago we transitioned 
Einstein 3 from being a consolidated, Government-provided 
hardware and data capability--classified capability to be 
deployed at the internet service providers--to one that takes 
advantage of the innovation that the internet service providers 
can provide into this environment, so that classified 
Government information and countermeasures can be deployed in 
an environment where the ISPs, who are most knowledgeable of 
their own infrastructure and of the ability to transmit 
traffic, can absorb that and innovate with the Government in 
this environment.
    We are pleased to have notified Congress, I believe 5 weeks 
ago, of the award of the first of those contracts with 
CenturyLink, the first internet service provider, and we are in 
process of transitioning Federal departments onto that 
capability.
    An important piece of information here is that we 
transition Federal departments who are using that service 
provider. So we are not asking departments to move from 
whichever internet service provider provides their connection; 
we are employing this protection measure in place within that 
mechanism.
    So we are targeting those departments who are--whose 
service provider is CenturyLink. We are continuing to actively 
engage with the other four internet service providers for 
contract award in those instances, and that has been 
negotiation that is on-going. So we are very happy about that.
    We are still on target to reach our final operational 
capability in the end of 2015. This transition that we made a 
year ago actually moved our final operational capability from 
2018 back to 2015, so we saw that as a very beneficial 
capability for us to employ this protection across the entire 
Federal enterprise.
    Ms. Clarke. Fabulous. With that efficiency in time is there 
an efficiency in cost, as well?
    Ms. Stempfley. As it turned out in the analysis, the cost 
was identical between the two transitions within a small 
margin. It did not actually save us money but it also did not 
cost additional money over the life-cycle cost of the program.
    Ms. Clarke. Very well. Thank you for that update.
    Mr. Edwards, you released a report just yesterday detailing 
serious information security deficiencies at CBP. Is this--a 
little point of departure but I think it is critical when we 
look at our vulnerabilities.
    Some of the--what you outlined in your report is that there 
are some poor practices, including computers that were not 
locked or not password protected, a failure to require that 
employees sign in--or sign nondisclosure agreements for 
sensitive systems they received access to. Making matters 
worse, many of these issues had been previously identified by 
the OIG. Your recommendations based on these findings were 
directed to the CBP chief information officer and the DHS chief 
information officer but there is no role for the Office of 
Cybersecurity Communications within NPPD to play to help the 
rest of the Department improve their cyber practices.
    Could you give us a little more of a sense of what your 
observations and what this level of vulnerability can mean to 
the overall cyber environment that we find ourselves in?
    Mr. Edwards. Thank you, ma'am.
    The report that I released yesterday was in reference to 
the CBP I.T. management letter. Part of the financial statement 
audit--we use KPMG to do our financial statement audits, and 
part of that, we also do the I.T. part of it, we look at the 
FISCAM functions. There are five controls that we look at. We 
look at security management, access controls, integration 
management, segregation of duties, and contingency planning.
    So as we go through not only CBP but various different 
components, we identified I.T. control weaknesses. Even though 
CBP has fixed some of those weaknesses in the previous year 
that we identified, there are still additional controls and 
weaknesses that we have found that they need to address.
    So as, you know, part of the password protection and people 
being able to get into the systems, we have found not only in 
CBP but other parts of--even when we did within one of the 
components within NPPD we found almost a similar situation, so 
it is prominent throughout the Department.
    So I think sending a guidance to the entire Department on 
best practices and, you know, one would think instead of having 
a password as ``newuser1'' one would change it as soon as they 
are able to log in, and then maintain that, as well. Not, you 
know, quite often you find people, you know, writing the 
username and password and leaving it under the keyboard and 
other places where people can find it.
    So the--part of the review, what we did was we looked to, 
as the help desk we call up the component that we are doing the 
audit on and say, ``I am from the help desk. Can you give me 
your username and password?'' and without hesitation people 
tend to just give that up.
    Ms. Clarke. Mr. Chairman, I know that my time is lapsed 
here. I just wanted to add that, you know, we can put all of 
the new technologies we want in place but if cyber hygiene has 
not become a practice, the vulnerabilities remain perilous to 
us.
    So I want to thank you for your report.
    I yield back the balance--yield back to you, Mr. Chairman.
    Mr. Meehan. I thank the gentlelady, and I share that same 
observation.
    We are hearing--I know it is something you are talking 
about across the sector and we have heard testimony that more 
than 80 percent of our vulnerabilities could be addressed with 
better cyber hygiene. I think that is something--again, we talk 
about this process of educating America and the role that they 
can play with us. There is more sophisticated things and that 
is what you are dealing with, but we need the Nation to join us 
in battling the threat by doing better cyber hygiene.
    Ms. Clarke. We start with our own agencies, right?
    Mr. Meehan. We start with our own agencies, that is right, 
by setting the example.
    I am very grateful for that testimony, and now the Chairman 
recognizes the gentleman from Texas, Mr. Vela, for any 
questions he may have.
    Mr. Vela. Yes. Yes. On the issue of workforce, can you 
begin by explaining to us how your different divisions 
interact?
    Ms. Stempfley. Thank you, sir.
    In the Office of Cybersecurity and Communication we have 
five divisions, and those divisions span responsibility from 
National security emergency preparedness communications--that 
is the Office of Emergency Communications; the Office of 
Stakeholder Engagement and Critical Infrastructure Resilience, 
which is principally responsible for our outreach efforts, for 
our engagement with critical infrastructure to raise their 
understanding at a macro level, which is obviously supportive 
of the operational role that the NCCIC plays; as well as our 
Network Security Deployment Division, which is responsible 
primarily for the building and deployment of the--and operation 
of the National Cybersecurity Protection System; and finally, 
our Federal Network Resilience Division, which is focused on 
the dot-gov protections. That is both in terms of direct 
interaction with Federal departments and agencies and the 
building of the capability that you discussed earlier, the 
continuous diagnostics and mitigation capability, which is 
focused on the cyber hygiene for the Federal enterprise.
    Those five divisions operate together under the Office of 
Cybersecurity and Communications. You can see the mutually 
supportive role that they pay.
    For example, the communications infrastructure is moving to 
being I.P.-based. With an I.P.-based communications 
infrastructure you bring with it particular risks and 
opportunities. The technology awareness mechanisms of that are 
shared, then with the Stakeholder Engagement Organization and 
the threat information provided from the NCCIC is then 
disseminated and distributed.
    That data all support the requirements that go into the 
National Security--excuse me, the Network Security Deployment 
Division, and the Federal--and we want the Federal Government 
to be the best example of the right things to do within the 
Federal Network Resilience Organization. We realigned this 
structure last November, so not quite a year ago. It has been a 
very beneficial activity for the Office of Cybersecurity and 
Communication.
    Within the Department, the deputy secretary chairs a panel 
that ensures that we are--excuse me--coordinating across the 
Department. There is both operational engagement on the NCCIC 
floor from our Department colleagues for Secret Service, from 
Coast Guard, and others. We have policy conversations across 
the Department to ensure that we are sharing. We have a strong 
partnership with the CIO so that those FISMA requirements that 
we--the operational requirements that we publish in partnership 
with OMB are coordinated with and shared with the CIO 
organization to understand what that might mean to a large 
department that is informing back to us.
    Mr. Vela. The Ranking Member mentioned--or referenced a 
problem with retention of workforce, and are you seeing that in 
each of those five divisions, or--can you explain that?
    Ms. Stempfley. Absolutely. It is a competitive landscape 
for cybersecurity professionals. We are actively recruiting.
    If you look at the growth in terms of civilians that we 
have had in the Office of Cybersecurity and Communications in 
the 3 years I have been here, we have been actively engaged in 
this recruiting process. Mr. Zelvin shared earlier today with 
me a fact that, you know, for each announcement that we put out 
there we get candidates applying in numbers close to 100.
    The issues that we have in this competitive landscape are 
that the Department of Homeland Security's authorities for 
meeting the hiring needs are not commensurate with the other 
Federal departments' authorities, and so both in terms of pay 
and retention capabilities, we are competing against our own 
colleagues in the Federal Government and continue to compete 
against our colleagues in the broad commercial landscape, as 
well.
    We have a phenomenal mission and we keep people in part 
based on the mission responsibilities that we have. We do not 
have an exorbitant attrition rate at the operational level, 
certainly. People leave; they leave on, you know, based on 
their family and life desires. We don't see this, you know, 
exceptional attrition rate.
    But we do see that strong competition.
    Mr. Vela. So are you saying that you can't pay people 
enough, essentially?
    Ms. Stempfley. That is part of the issues, yes, sir.
    Mr. Vela. I noticed that your title is you are an acting 
assistant secretary. At the levels of leadership are there many 
spots that have not been permanently filled?
    Ms. Stempfley. Within the Office of Cybersecurity and 
Communication the acting assistant secretary is the only 
leadership position that has not been filled--or the assistant 
secretary. I have full-time career leadership. I am permanently 
the deputy assistant secretary so I am the full-time careerist 
in that position. At each of the division director level I have 
full-time fill in, you know, all of those as career positions.
    Mr. Meehan. I thank the gentleman for yielding back.
    We now recognize the gentleman from Nevada, Mr. Horsford, 
for his questions.
    Mr. Horsford. Thank you, Mr. Chairman.
    Appreciate very much this panel. You know, we have been 
meeting, as one of the new Members on this committee, a lot of 
the people in the private sector, and I want to commend the 
Center on its collaboration with a number of key private-sector 
entities and sectors.
    My question pertains to this collaboration with the private 
sector.
    You mentioned in your testimony the work with the over 
6,400 private-sector firms that work with the Center, and 
inevitably some of those have to be competitors, of course. So 
can you discuss the protocols and measures that you all have in 
place to ensure that one company's sensitive data does not pass 
on to another, particularly to a competitor, and what 
procedures are in place should such an incident occur?
    Mr. Zelvin. Yes. Thank you, Congressman.
    Last year alone, as Ms. Stempfley said, we had 190,000 
incidents reported and we put out almost 8,000 reports. This 
year we are going to exceed that just in--by May about 68 
percent.
    So when we get information there is a variety of ways a 
business can report. They can tell us that it is okay to say it 
is their company, and that is not an often occasion; they can 
ask us to anonymize, and we have this thing called traffic 
light protocol, and it is literally just an agreement between 
friends that we will not share. When I first saw it I was 
somewhat skeptical but it actually works, and we have a variety 
of ways of quantifying using a stop light protocol--red, 
yellow, green, so on and so forth, and it is actually an 
effective means.
    We have statutory capabilities under PII, Protected 
Infrastructure Information--I think I have the acronym right. 
But there is a statutory basis that we can anonymize 
information, and let's say, you know, you work for a financial 
sector. I will just refer to you as ``financial sector seven,'' 
or ``FIN7,'' or ``FIN8.'' What is important is not the identity 
of the company but the ability to port across cross-sector what 
is happening and, more importantly, what do you do about it.
    So we have folks on the floor at the NCCIC, so we have NSA, 
we have FBI, we have Secret Service, we have Cybercom. We also 
have all the information sharing and analysis centers of the 
financial services, communications, information technology, and 
also folks from individual companies that have full access to 
the floor even when we are at Top Secret or above 
classification. They have full access to all our computer 
systems, both the highly classified all the way down to below.
    So as you have these folks on board we are very cognizant 
of the competitor aspect, so we have abilities to put a label 
that anonymizes it that is either done through agreement or 
through statutory. In the agreement, why do--you know, why 
wouldn't we share? Well No. 1, I don't really need the 
information; the second thing is I don't want to betray your 
trust because if I do you will never talk to me again.
    So, you know, we are very cognizant of it and we are very 
successful at it, as well.
    Mr. Horsford. So my other part of my question is, it seems 
like some sectors are better at this than others, so how 
concentrated are certain sectors in working with the centers 
and do you see gaps? If so, what can we as Congress do to help 
facilitate bringing the sectors who aren't doing their part, 
you know, into the resources that you all have available?
    Mr. Zelvin. Yes, sir. Who has really focused on meeting the 
challenges really depends on their experience, as I mentioned, 
in cybersecurity and the attacks. There are certain sectors 
that have had a large number of attacks; there are others that 
haven't yet. It is all of our challenge to go out to them and 
say, ``Hey, this is really what others are facing, these are 
the things that you could be facing, and these----''
    Mr. Horsford. If I could be more specific----
    Mr. Zelvin. Sir.
    Mr. Horsford. So these people come into my office every day 
and my job is to, you know, encourage them to participate. You 
all have great capacity among Federal agencies, but as I have 
heard it, as the Chairman and the Ranking Member have educated 
us, the vulnerability is on the private-sector side and the 
private sector isn't always doing its part, and there are key 
sectors that seem to be completely kind of disengaged. So what 
do you need from us as Congress specifically to get those 
sectors to be more involved?
    Mr. Zelvin. In my view it is the continued dialogue and the 
continued conversation that we are having. I think, as I look--
you know, as I have briefed senior leaders, as I have briefed 
staff, you know, people generally understand there is a problem 
but they don't understand what to do about it, and when you 
talk about the problem they don't really--they know there is 
something wrong but they really have trouble quantifying what 
is it.
    The other thing I will tell you--and I say this often--the 
lexicon in cyber is not English, so if I say ``phishing,'' if I 
say ``D-DOS,'' if I say ``Trojan''--when I say ``phishing'' 
most people go to a lake someplace and think about, you know, 
maybe catching a fish but that is not when I am speaking of.
    I have often said also is that if I told you there was a 
Category 4 hurricane that hit the Gulf Coast you would go, 
``Oh, that is bad.'' Category 1? It is bad, but 4 is worse.
    If I told you there was an 8.0 earthquake on the West Coast 
you would automatically go, ``That is incredibly bad.'' 1.0? 
Most Californians probably wouldn't do anything.
    What is that in cyber? How do we get that imagery? How do 
we get the awareness across to the public of, ``Boy, this is 
something that is bad but we could probably be okay,'' or, 
``This is catastrophic and we need you to do these measures 
such as leave, you know, other precautions.''
    So we are still working that and I am hopeful, but we are 
not there yet.
    Mr. Horsford. Thank you, Mr. Chairman.
    Mr. Meehan. I thank the gentleman. I certainly, you know, 
one of the aspects are the ISACs and other things that can be 
present, and I think the gentleman's questioning was right on 
target about those that are engaged and those we have to do a 
better job of attracting.
    It is important to appreciate the vital role that you play 
and the interplay among our Governmental agencies at the outset 
before we get down to dealing with the various private-sector 
industries that are part of it, so I want to ask you to go for 
a moment off of this important observations, and it comes from 
General Alexander, who is the head of the NSA, and I use it in 
his words, and he says, ``I see the Department of Homeland 
Security as the entry point for working with industry,'' and 
there is great reasons for it: Transparency, having everybody 
doing exactly the right thing together to work as a team.
    The FBI, NSA, Cyber Command--the FBI would lead law 
enforcement and the attributions; NSA will work with foreign 
intelligence; Cyber Command are defending the Nation. But they 
have a civilian agency, by his own testimony, at the core of 
the ability for us to have a communications infrastructure that 
works across the Governmental sectors first and then 
simultaneously work effectively in real time with our civilian 
sectors.
    So please give me your observations with regards to 
somebody as significant as General Alexander looking at DHS as 
the center point for the engagement of our approach to 
cybersecurity.
    Mr. Zelvin. Thank you, Mr. Chairman.
    I agree with the general's assessment so much so I joined 
the Department. DHS is purely that civilian entity, and when 
folks come to us they know--and there is important other roles 
in Government, but within DHS we are really about that 
protection, prevention, mitigation, response, and recovery. We 
really do want to help understand the problem not only 
technically but through the tactics, techniques, and 
procedures, and then work through those mitigations, and then 
share that information, as I said, with the partners I have 
mentioned--State, local, critical infrastructure, 
international, other Federal departments and agencies.
    So when folks come to us--and it has been interesting. A 
number of private-sector partners have come to us because they 
see us as that place in Government where they can have a 
discussion where it is purely technical, there is not concerns 
potentially of being asked a lot more questions that will lead 
to other things and it is important for Government to do.
    As you look at vulnerabilities in cyberspace, there are 
things that have the potential for malicious activity but 
haven't quite matured to that point yet, and I look at things 
like have happened to a number of companies in that we discover 
a vulnerability that if somebody did something it could be 
catastrophic, but they haven't done it yet. Those are really 
the areas that we want to get ahead of.
    We don't always want to be responding. We don't always want 
to be catching up to our adversaries. We want to get ahead of 
those.
    For companies it can be often uncomfortable to say, ``We 
discovered a problem,'' and they don't want to be attributed--
they don't want their competitors to say, ``See, look. They are 
having yet another problem.'' So they come to us and we have 
the ability to provide the anonymity, work through the 
technical solutions, and then get it across the Nation and 
across the world so people can understand the threat and 
mitigate it without the fear of additional questions about who 
did it and where did they do it and how.
    Mr. Meehan. Effectively, you are a civilian agency so it 
removes some of the concern that legitimately people have 
outside that we are having private sector share either back and 
forth with our more sophisticated Governmental agencies like 
the NSA or FBI.
    Mr. Zelvin. That is correct, sir. It is absolutely a 
civilian organization and I don't have the challenges that some 
of my partners do in that I am not being pushed for things like 
attribution; I am not being pushed for bringing prosecution. 
There are other important entities that do that; that is not my 
role. My role is just to understand the problem and come up 
with the solutions.
    Mr. Meehan. Let me jump into one other piece, because we 
have done a good job of identifying the important role we place 
vis-a-vis the other Governmental--critical Governmental 
agencies, and of course, that extends down through the entire 
Governmental structure. But at the same time, we have 
relationships with the private sector.
    Now, those looking from the outside can get lost in forest, 
but there has been a lot of thought into how we are organized 
and I am impressed by it. Explain quickly: We have 16 different 
sectors--17 different sectors in which industries are 
organized, and they have their own sector communication 
coordinating councils in which they themselves look at the 
unique nature of threats, such as something that may go 
uniquely to banks, the denial of services as an example.
    Within those coordinating councils some--and this goes to 
Mr. Horsford's line of questioning--some have created what we 
call the ISAACs, these information sector analysis coordinating 
teams--very sophisticated for their--and they are housed with 
you. But my recollection is we have only got about four that 
are in there. They are some of the best, but we have got a lot 
of agencies or private-sector entities that may be lagging.
    Can you give me your observations with regard to how it is 
that, you know, we are effectively organized in that way but 
what we can do to begin to attract the collaboration of all of 
the other entities?
    Mr. Zelvin. Yes, Mr. Chairman.
    We deal with all of the critical infrastructures. We are 
working across the board. But I will tell you, as I look across 
the financial services sector, and specifically the Financial 
Services Information Sharing and Analysis Center, the FS-ISAC, 
they have done an absolutely extraordinary job helping us work 
through the recent distributed denial of services hacks that 
have been going against the financial institutions.
    So the Financial Services ISAC has not only been able to 
coordinate with Government, but also among itself. They provide 
extraordinary information not only with each other but also 
with Government. Some of the best information I get from the 
distributed denial-of-services comes from the private sector, 
and it is not only the sharing with us but also sharing within 
each other.
    The Communications ISAC, the Information Technology ISAC 
have similar experiences. I will also tell you, the Multi-State 
ISAC, so the sharing between all the States and the possessions 
and the territories--that information mechanism is very 
effective.
    There are others that we need to build up to that capacity, 
but I would tell you, I don't see that as a negative; I see it 
as a positive. We have learned a lot since these distributed 
denial-of-services attacks, and also the malware attacks that 
have affected Saudis and also in Qatar.
    This has changed the dynamic in cybersecurity just in the 
last few months. So ideas that were really well-thought-out 
earlier are really being developed and we need to catch back up 
with the others as we stay focused on the financial services 
sector, the comms, and----
    Mr. Meehan. You mean you are learning things with financial 
services that could apply to other sectors.
    Mr. Zelvin. That is exactly right, sir. I often tell folks 
that we need to share this across because the financial 
services sector needs power, they need water, they need 
transportation, they need health. They say, ``Why would we 
share with you? Why would you tell DHS?'' Well, because we have 
the ability that is unique in that we can share with these 
other sectors and we can make them aware of the challenges and 
we can share the mitigations, so why would you rebuild that 
capacity when it already exists?
    Mr. Meehan. Well, thank you.
    My time is expired and I now recognize the gentlelady from 
New York for her follow-up questions.
    Ms. Clarke. Let me thank you, Mr. Chairman, and acknowledge 
that we have been joined by our colleague on the Homeland 
Security Committee, the gentlelady from Texas, Ms. Jackson Lee, 
and ask for unanimous consent that she be authorized to sit and 
question the witnesses at today's hearing.
    Mr. Meehan. Pleased to do so. Unanimous consent, the 
gentlelady will be recognized in order, and I thank her for 
coming today.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    I want to question each of you, just get your perspective 
on the dichotomy between the Enhanced Cybersecurity Services 
and Einstein. I support the expansion of the Enhanced 
Cybersecurity Services program to make sure that our critical 
infrastructure companies can benefit from U.S. Government 
intelligence on cyber threats. However, in the privacy impact 
assessment the Department states that Federal agencies as well 
as critical infrastructure may use ECS while the Einstein 
intrusion prevention capabilities are still being built out.
    My question is: Doesn't it seem a bit backwards or 
redundant, and how is it that you could build a cutting-edge 
cybersecurity program and have it available to the private 
sector before the Government itself adopts it? What is it about 
ECS that will make it available much more quickly than Einstein 
3?
    Ms. Stempfley. Thank you, ma'am.
    The Enhanced Cybersecurity Services is, as you point out, a 
cutting-edge capability in that it is the first time we have 
been able to provide effectively classified and sensitive 
countermeasures and indicators to commercial entities through a 
trusted cybersecurity provider, I think is very important. So 
we are very excited about this opportunity and engagement in 
both growing the number of service providers and the market 
that it generates with critical infrastructure partners.
    It provides, as you point out, in the privacy impact 
assessment, protection against--with two countermeasures: 
Domain name service and e-mail protection. Those are not in the 
traffic flow kinds of protection, which is the requirement for 
Einstein 3, and so there is a fairly important distinction 
there.
    While we will work to enhance the Enhanced Cybersecurity 
Services, enabling it to keep up with the threat environment 
and to provide new countermeasures into that capability, we are 
certainly in progress in that environment. We will reach that 
in a much more rapid manner in the Einstein 3 capability 
because its baseline requirement is to provide that in a real-
time capability inflow.
    That is a very technical way of describing--a technical way 
of describing it, the difference being inflow means you are 
actually affecting through the pipe as it is going on; out of 
line effectively means it gets stored, processed, and then 
forwarded on.
    Mr. Zelvin. Ma'am, I will tell you, there is some--I have a 
truly exciting job, and one of the really exciting parts is as 
you look at that dot-gov domain and the security awareness that 
I have, it is unlike any of others--so you have the dot-com, 
the dot-gov, and the dot-mil.
    So right now on the dot-gov I have extraordinary awareness 
of the traffic that is going on and we are watching that in 
almost a real-time basis in my center at the NCCIC. I have met 
with the Defense Department and we are building an awareness of 
the dot-mil similar to what we have on the dot-gov. So between 
the two of us we will have really strong awareness of what is 
going on.
    The dot-com will remain a challenge, but DHS has that dot-
gov responsibility. We are able to watch it, as I said, on a 
near real-time basis, and as we get these new enhancements, 
what we are able to do now is just to be able to see there is 
malicious activity and warn. What we will able to be doing here 
shortly is just not warn but actually mitigate and investigate 
and analyze.
    Because right now it is sort of like you know there is 
something bad in the mail but you let it get to the mailbox. 
Well, now we are going to be able to stop that and do 
appropriate measures to make sure that that bad delivery isn't 
made.
    Mr. Edwards. I will just agree with both Larry and Bobbie 
on this.
    Ms. Clarke. Very well.
    So is it anticipated that at some point the ECS will be 
phased out or become obsolete, or is there a unique capability 
within that instrument that is compatible or can partner with 
Einstein 3?
    Ms. Stempfley. Certainly. The ECS is intended to be a 
program for that information sharing and protection for the 
critical infrastructure. It has very, very limited report back 
to Government, obviously. Only, ``Did that indicator work? Is 
that a valuable piece of information for protection measures?''
    We would anticipate that to continue and that we would 
employ more countermeasures as we go through the legal, 
privacy, and other considerations for employment of those 
countermeasures in the unique situation of critical 
infrastructure.
    E3, and E3 Accelerated in particular, and its wide set of 
capabilities for the Federal enterprise we anticipate existing, 
as well. The specific countermeasures and which one would come 
forward into the Government space or the critical 
infrastructure space is really based on the very different 
legal models that are appropriate for us in that space.
    Mr. Meehan. I thank the Ranking Members.
    The Chairman now recognizes the gentlelady, Ms. Jackson 
Lee, for any questions she may have.
    Ms. Jackson Lee. Let me thank, first of all, the Chairman 
and the Ranking Member for holding the hearing and your 
courtesies of allowing me to come and to ask questions for 
something that I think is crucial for the entire Homeland 
Security Committee.
    Let me start out--and I am going to just offer for you to 
answer the questions who can answer it, and I will then ask the 
particular person if no one jumps in. The CERT teams that we 
have--this is enormously important, this whole idea of 
communication, the whole idea of reacting to the cyber threat--
with respect to the CERT systems, do we have the capacity to 
have a particularly defined CERT for each of the industries? I 
think of oil and gas; I think of the health-care industry, 
which is massive.
    That is my first question: Do we--are they defined so 
specifically that they focus on the needs of a particular 
industry?
    Madam Secretary.
    Ms. Stempfley. Ma'am, if I may take a----
    Ms. Jackson Lee. Yes. Thank you.
    Ms. Stempfley [continuing]. A first crack at your question, 
the technologies that are in use across these industries are 
very similar, and because of that the organization of our cyber 
emergency response teams or computer emergency readiness teams 
are oriented to be useful to all of the sectors, versus a 
particular emergency readiness team focused on any one sector. 
So you see the information technology infrastructure largely 
covered by the US-CERT, then the operational technology control 
systems community operated by the Industrial Control Systems 
CERT.
    So the infrastructures in the oil and natural gas, or in 
transportation, or in those mechanisms are largely produced by 
the same companies and in the same environment. This has proven 
to be one of the most effective and efficient organization 
models.
    Ms. Jackson Lee. Let me follow it with two questions, and 
maybe I will have time to make a comment. Thank you for that.
    We all understand that finding a problem in computer 
security or cybersecurity is like finding a needle in a 
haystack, and so have we developed the sophistication to be 
able to target where the problem is, to target where there is 
activity?
    My other question is on the Einstein 3 I notice that there 
is certainly a need for skilled individuals, and my question 
is: Do we as the Government have the capacity to bring people 
in laterally? It speaks to my issue of the STEM and 
diversifying. STEM education is great but it starts at 
kindergarten. If we need people right now, do we have the 
ability to cross-train them in the Government, which adds to 
the diversity and the skills that we need?
    I will--those are the two questions I will pose.
    Mr. Zelvin. Congresswoman, if I can maybe finish your first 
question and get to the second and----
    Ms. Jackson Lee. Yes.
    Mr. Zelvin [continuing]. Ask Ms. Stempfley to do the third. 
So on the first question on the specific CERTs for each of the 
sectors, I will tell you that when we operate in a sector we do 
it in intimate partnership with the sector-specific agency and 
the sector-specific coordination councils. So if there is an 
energy problem we are with the Department of Energy; if it is 
oil and natural gas, Department of TSA; Finance; Treasury; so 
on and so forth. We are fully partnered.
    So we bring the technical skills, the ability to understand 
the virtual and I.T. environment. They bring the experience and 
wealth of knowledge within----
    Ms. Jackson Lee. Do we have the capacity to target if there 
is activity that is in essence piercing our cyber framework 
involving our proprietary information? If somebody is attacking 
our system, you have that capacity?
    Mr. Zelvin. We have the--some capacity. We do not have 
absolute capacity.
    Ms. Jackson Lee. What would you need to get absolute 
capacity?
    Mr. Zelvin. Extraordinary intelligence and information. So, 
you know, in many cases there is vulnerability. So there was a 
mistake made and then found, and so there are things you do to 
correct that mistake.
    There are attacks. There are people who are purposely 
trying to do something you do not wish them to do. In many 
cases and not all--in many cases you are there reacting to the 
challenge and then building that technical mitigation to 
prevent.
    However, there are times they are are going to be--you 
know, we have to be good every time; they have to be good just 
some of the time. So I would never say that we are ever going 
to get to that place where we will be able to protect 
everything, but we have a great deal of information but it 
doesn't mean that we don't have vulnerabilities.
    I would ask Ms. Stempfley to follow up.
    Ms. Stempfley. We want to certainly thank Members of this 
committee and others for supporting the resource request that 
the Department has had over a number of years. You have seen 
the build-out of the capabilities in the National Cybersecurity 
and Communications Integration Center, which has been directly 
to your capacity question. We operate every day in that center, 
sharing information as a part of it.
    There is a responsibility the private sector has for 
adoption of best practices and adoption of cybersecurity 
principles, and we continue to work with them for further 
movement in that area.
    Your final question was on hiring and, in particular, is 
there--if I understood your question correctly----
    Ms. Jackson Lee. Cross-training.
    Ms. Stempfley. Right. So is there an ability for lateral 
hiring, I believe is what you said. One of the things that I 
think is universally recognized is that, given the importance 
of cybersecurity and the need for cybersecurity professionals 
in this area, we--all of the Federal enterprise and our 
commercial partners are engaged in trying to build the 
capabilities to ensure we have that.
    The Secretary chartered, through the Homeland Security 
Advisory Council, a cyber skills study that looked at the 
Department itself. The Department also has important 
responsibilities under the National Initiative for 
Cybersecurity Education, which continue to engage raising that 
lateral mechanism, that cross-skills.
    We certainly have to focus not only on, as you point out, 
STEM starting young--I am raising several kids who I am trying 
to direct into the technical workforce, as well--but to ensure 
that we have the capacity at a lateral level.
    We do this cross-training support in the Office of 
Cybersecurity and Communications. When we have an incident the 
NCCIC can call on individuals from across the SNC, can call on 
individuals from across the Department. One of the findings out 
of the Cyber Skills Task Force was the creation of a cyber 
surge capacity within the Federal Government and the Department 
specifically, to address your question.
    Ms. Jackson Lee. I would like to follow up with you.
    I thank the Chairman and Ranking Member for their 
courtesies. Thank you very much.
    Mr. Meehan. I thank the gentlelady for her attendance here 
and for her questions.
    I just have one--a couple of closing questions based on 
your testimony here today.
    Mr. Edwards, you identified something which goes to the 
reality that while we are dealing with a lot of these issues 
and the need for collaboration across sectors in the Government 
and, simultaneously, with the private sector, one thing you 
focused on that is the reality of this threat is speed. It is 
happening in real time and there is a need for us to be 
responsive in real time.
    Now, you have looked critically at the challenges that we 
face, so the first issue is, as you stated, sometimes 
information has gotten to our partners in the private sector 
but we have got to do a better job of organizing it so it 
allows them to get to the heart of what they need to know. The 
second thing is that we have got to try to find ways to be able 
to coordinate with our partners more in the sense of: ``Hey, we 
are seeing something in your systems and we are going onto 
it.''
    So how do we both maximize our ability to get the 
information that people need to know across sectors, not just 
in sectors? Then how do you tell people--when you are not even 
sure what you are looking yourself, where do you find the right 
balance of telling somebody you might be looking at something 
in their systems versus creating an alarm that may not be 
realized because you don't know what you have yet?
    Mr. Edwards. Thank you, sir.
    The Department has done a good job in advancing 
cybersecurity. One of the recommendations that we made was when 
you are passing out this information through--whether it is 
HISN, and now they are going to move to HISN-3--is to--for the 
entities to be able to share that information, you know, and 
also not to drill down to get to a particular question they are 
trying to answer. So I think HISN-3 is going to help towards 
that.
    But also the communication part of it. You know, there is 
excellent collaboration between the private sectors and the 
public sectors.
    But among the folks that we interviewed, quite often we 
found is a lot of this is also based on relationships, and the 
Department has senior leadership positions where people from 
the private sector pick up the phone and establish a 
relationship to somebody by name and now that person has moved 
on, they don't know who to contact. So rather than establishing 
relationship based on individuals, it needs to be based on 
processes and procedures, and I think the Department is moving 
towards that.
    But also, there is--private sector does a really good job 
in handling best practices. Larry's team, you know, by the 
reorganization and putting ICS and US-CERT and ISAC and C3O-I, 
all of them at one level is moving toward that. But you also 
find information and trend analysis that the CERT team is going 
to help towards that.
    Mr. Meehan. Well, I thank you.
    Let me just ask Mr. Zelvin and Ms. Stempfley, how about the 
private-sector companies themselves sharing information with 
the Government? What kinds of challenges do we have in that 
area?
    Mr. Zelvin. Thank you, Mr. Chairman.
    The biggest challenge, I will tell you, is a lack of 
clarity, of understanding what information can be shared. So it 
is quite often that we will meet with private sector entities 
and we are--we believe we have the ability to share information 
but there is anxiety. There is absolute determination not to 
violate law, regulatory guidance.
    Mr. Meehan. Is this information coming from you to them or 
from them to you?
    Mr. Zelvin. From them to me, sir. There is also, you know, 
lack of clarity as to what I can share with them but, you know, 
as we have looked across Government I have been given the 
thumbs-up from leadership and also those who look at what we 
are sharing in--across Government and says, ``No, this is 
appropriate and this is okay.''
    But that lack of clarity of what information can be shared 
is--still exists and there is anxiety, so----
    Mr. Meehan. What is the anxiety related to? Things like 
liability protection or otherwise?
    Mr. Zelvin. It is, sir. The ability to, as I said, that 
they are not breaking law, that they are not breaking 
regulatory compliance. They are just not sure so they err on 
the side of caution.
    As you mentioned, Mr. Chairman, speed is of the essence, so 
as the folks review all this data it is taking up precious 
time. We have, in our--many of our products and what we are 
starting to receive from the private sector and just recently 
this week an international partner is machine-readable 
information. That is wonderful because it is starting to take 
the humans out of the information exchange between us. What 
would be even better someday would be that machine-to-machine 
real-time information sharing.
    But I will tell you, the technical challenge is not, in my 
opinion, as great as the policy challenge. We first have to 
define what is it that we are sharing, and then we can design 
the machines to share it.
    Mr. Meehan. Well, with the tremendous scope of information, 
ultimately it is going to have to get to machine-to-machine 
because of the computing capacity that could go through 
something in hundredths of a second that would take days for 
humans to be able to analyze.
    Mr. Zelvin. Mr. Chairman, I agree. Right now there is a 
great deal of time spent preparing the information, sending the 
information, understanding the information, and then making the 
information actionable. We need to compress that loop of 
decision-making as small as we can get. I don't know if we will 
ever get to zero but we sure as heck can do a lot better than 
we are now.
    Mr. Meehan. Okay.
    Ms. Stempfley.
    Ms. Stempfley. Sir, one of the important things that the 
I.G. recognized and Mr. Zelvin spoke to is that this 
information sharing is in part based on trust, and you have to 
have a sense that the information will be used in the best 
interest of all parties as we go forward. That trust used to be 
person-to-person. We have moved it from person-to-person to 
organization-to-organization and we will continue to do so.
    One of the important ways that we are moving forward in 
this model is to communicate with our private-sector partners 
in ways that are most beneficial to them, which means that we 
have to be able and willing to ingest that information in the 
method that is most appropriate from our private-sector 
partner, and we must be able to produce our indicators, our 
alerts in methods that are appropriate without a--with a 
recognition that it may not be identical. We talk about the 
financial sector and the financial sector ISAC being one of our 
mature ISACs, and there being other sectors who are not at that 
level yet.
    So providing a piece of information to a high, capable 
organization may prove for it to be not as useful to an 
organization that isn't ready to ingest that. So we have had a 
real focus, not only in the NCCIC but across the entire Office 
of Cybersecurity and Communications, to release this 
information in a multitude of platforms and in a multitude of 
formats. So this machine-consumable output is formatted in a 
way that can be consumed by these different entities.
    This two-way dialogue helps to build that trust, which is a 
part of what we have to overcome is that sort of initial 
distrust that comes in any relationship.
    Mr. Meehan. Well, I thank you for the good work that each 
of you is doing, and on behalf of all of your entities, for not 
only creating the framework for this sharing of communication 
but by virtue of the collaboration that you are doing, 
enhancing that trust and enhancing our ability to protect our 
home front from the serious threat. We opened this hearing with 
discussing the very real concern about cybersecurity here in 
the Nation.
    Is there any closing thought that you--any of you have 
before we close the record this morning?
    Ms. Stempfley. If I may, I want to thank you again for this 
hearing. I think it is--the topic is one of absolute import for 
us as a Nation and we are grateful for your attention and your 
time here.
    I hope that you heard the commitment the Department has to 
this important mission and to ensure that we account for those 
mechanisms that are so vital: That inextricable tie between 
privacy, civil rights and civil liberties, and cybersecurity; 
the need for adoption of security principles across our 
critical infrastructure partners for information sharing.
    We talked about some of the important needs for hiring 
authorities for some of the programs that I know you are 
supportive of in Einstein. Our law enforcement colleagues in 
the Department continue to seek tools they need to fight crimes 
in the digital age, and that National breach reporting 
requirements that I know you are discussing.
    So thank you so much for your time and attention on this 
matter, as well.
    Mr. Meehan. Thank you.
    Mr. Zelvin. Mr. Chairman and Ranking Member, I would just 
also like to thank you for having us today. Really appreciate 
the opportunity to talk to you.
    You, your colleagues, your staff, and their colleagues are 
welcome at the NCCIC any time. We would welcome the opportunity 
to show you what the great men and women within the NCCIC, 
within CC&C and DHS are doing.
    I served 26 years in uniform in the Defense Department and 
I will tell you, the people that I work with at DHS every day 
are as good as fine as anyone I served with in uniform. Their 
passion and their patriotism are just as high as those I served 
with in uniform.
    I would also like to say that our partnership with our 
closest colleagues, both in the FBI and NSA, is critical. So it 
is truly a unity-of-effort approach, and that integration 
continues to grow and we look forward to the opportunity of 
having it grow not only within Government but also private 
sector and international.
    So thank you.
    Mr. Meehan. Thank you.
    Mr. Edwards.
    Mr. Edwards. Well, we live in a virtual world so, you know, 
DHS has matured and it is improving and it is moving in the 
right direction, but much work still needs to be done. The 
threat is not only going to be coming from nation states, but 
from hackers, but also the threat within. We have to be mindful 
of that.
    I hope I can come back and issue a report and say the 
Department has done perfectly everything right and there are no 
findings and no recommendations. That is what I hope I can do, 
but still there is much work to be done.
    Thank you.
    Mr. Meehan. Well, we would all love to be able to do that, 
but that is the important responsibility we have on oversight 
and we thank you for the good work that you are all doing to 
try to aspire to that standard.
    So I thank all of you for your testimony. The Members of 
the committee may have additional questions, and if they do we 
will ask you to respond in writing in the appropriate time.
    So without objection, the subcommittee stands adjourned. 
Thank you.
    [Whereupon, at 10:32 a.m., the subcommittee was adjourned.]

                                 
