b"<html>\n<title> - FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE PRIVATE SECTOR TO PROTECT CRITICAL INFRASTRUCTURE: AN ASSESSMENT OF DHS CAPABILITIES</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE \n                  PRIVATE SECTOR TO PROTECT CRITICAL \n           INFRASTRUCTURE: AN ASSESSMENT OF DHS CAPABILITIES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 16, 2013\n\n                               __________\n\n                           Serial No. 113-17\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n85-613 PDF                WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nRichard Hudson, North Carolina       Eric Swalwell, California\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nVacancy\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                 Patrick Meehan, Pennsylvania, Chairman\nMike Rogers, Alabama                 Yvette D. Clarke, New York\nJason Chaffetz, Utah                 William R. 
Keating, Massachusetts\nSteve Daines, Montana                Filemon Vela, Texas\nScott Perry, Pennsylvania            Steven A. Horsford, Nevada\nVacancy                              Bennie G. Thompson, Mississippi \nMichael T. McCaul, Texas (ex             (ex officio)\n    officio)\n               Alex Manning, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Patrick Meehan, a Representative in Congress From \n  the State of Pennsylvania, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     1\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement.................................................    19\n  Prepared Statement.............................................     4\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security..............................................     2\n\n                               Witnesses\n\nMs. Roberta Stempfley, Acting Assistant Secretary, Office of \n  Cybersecurity and Communications, U.S. Department of Homeland \n  Security, Accompanied by Larry Zelvin, Director, National \n  Cybersecurity and Communications Integration Center, U.S. \n  Department of Homeland Security:\n  Oral Statement.................................................     5\n  Joint Prepared Statement.......................................     8\nMr. Charles K. 
Edwards, Acting Inspector General, U.S. Department \n  of Homeland Security:\n  Oral Statement.................................................    14\n  Prepared Statement.............................................    16\n\n \n FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE \nPRIVATE SECTOR TO PROTECT CRITICAL INFRASTRUCTURE: AN ASSESSMENT OF DHS \n                              CAPABILITIES\n\n                              ----------                              \n\n\n                         Thursday, May 16, 2013\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:05 a.m., in \nRoom 311, Cannon House Office Building, Hon. Patrick Meehan \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Meehan, Clarke, Vela, Horsford, \nand Thompson.\n    Also present: Representative Jackson Lee.\n    Mr. Meehan. The Committee on Homeland Security Subcommittee \non Cybersecurity, Infrastructure Protection, and Security \nTechnologies will come to order. The subcommittee is meeting \ntoday to examine the Department of Homeland Security's National \nCyber and Communications Integration Center, better known as \nthe NCCIC, and its capabilities to protect critical \ninfrastructure from cyber attack.\n    I would like to welcome everybody to today's hearing, which \nwill give Members an opportunity to examine in-depth the work \nof the Department and Homeland Security's National \nCybersecurity Communications and Integration Center.\n    The NCCIC is one of the U.S. Government's key civilian \ninterfaces with the private sector for cyber-threat information \nsharing, incident response, and protecting the U.S. critical \ninfrastructure. 
The NCCIC is a collaborative method for Federal \nagencies, State and local governmental entities, the private \nsector, all to communicate cyber-threat information, analysis, \nand prevention methods in real time.\n    The subcommittee has been crafting a body of work that will \nhelp establish key areas where we can improve the Department's \ncritical infrastructure protection from cyber attack. We have \nexamined the threat, particularly from nation states. We have \nlooked at protecting U.S. citizens from civil liberty \nviolations. Today we look at the threat mitigation capabilities \nat the Department of Homeland Security.\n    The Director of National Intelligence, James Clapper, \ntestified before Congress this year, stating that cyber is the \nNo. 1 National security threat facing our country. On March 12, \nDirector Clapper stated, and I quote: ``We assess that highly \nnetworked business practices and information technology are \nproviding opportunities for foreign intelligence and security \nservices, trusted insiders, hackers, and others to target and \ncollect sensitive United States National security and economic \ndata.''\n    In addition, the director of the National Security Agency, \nGeneral Keith Alexander, has said that cyber espionage has \ncaused the ``greatest transfer of wealth in history.''\n    Our Nation is in a new era and our security is no longer \nprotected by oceans and borders. Indeed, American achievement \nin the 21st Century will be intricately tied to our ability to \nsecure our networks, primarily our critical infrastructure \nnetworks.\n    While our military protects our Nation from foreign \nadversaries, the security of our critical infrastructure--our \neconomy, our roads and bridges, domestic energy, water and \npublic utility systems--must be a collaborative effort between \nthe private sector, the local, State, and Federal Government. 
\nWe need a civilian agency to facilitate this partnership, and \nthat agency is the Department of Homeland Security.\n    Today's hearing will give us an opportunity to hear from \nour expert panel regarding ways the NCCIC currently brings a \ncollaborative, National response to cybersecurity. Our capacity \nwithin the Committee on Homeland Security is to provide proper \noversight to ensure that the NCCIC is functioning properly and \nis capable of leading in the protection of Federal agencies in \ncyberspace; it is capable of partnering with critical \ninfrastructure owners and operators to share information and \nreduce risk; and providing the necessary intelligence elements \nto assure that State and local critical infrastructure \noperators are mitigating cyber threats and, I would add, \nresponding appropriately in the aftermath of any kind of \nactivity.\n    I am looking forward to hearing from our witnesses, \nparticularly in areas that will help the committee as \nlegislators strengthen the Department's capabilities.\n    We must examine ways to encourage increased participation \nfrom owners and operators of critical infrastructure, many of \nthose--most of it--in the private sector. We need to ensure the \nDepartment is successfully disseminating threat data with other \nFederal agencies--in particularly, the Department of Justice \nand Defense. Most importantly, we must make sure that there are \nsufficient privacy protections in place to ensure that the \nDepartment is able to anonymize data for both personally \nidentifiable information and stakeholder identifiable \ninformation.\n    I look forward to hearing from our panel.\n    The Chairman now recognizes the Ranking Member of the \noverall Committee on Homeland Security, Mr. Thompson.\n    Mr. Thompson. Thank you, Mr. Chairman. 
Thank you for \nholding today's hearing.\n    I also want to thank the witnesses for testifying here \ntoday.\n    Over the past few years the cybersecurity mission of the \nDepartment of Homeland Security has undergone an unprecedented \nexpansion in funding and a change in organizational structure. \nToday I look forward to hearing the testimony from some of the \nofficials responsible for implementing these expanded programs \nand activities and overseeing the change in the organizational \nstructure and culture.\n    I also look forward to hearing about how these changes will \nassist DHS in its efforts to become, in perception and reality, \nthe civilian lead for cybersecurity in the Federal sector. \nThough once in doubt, it now appears that DHS is bringing \ntogether the necessary elements to solidify its leadership \nrole.\n    In support of these efforts, last month Chairman McCaul and \nI sponsored an amendment to cyber information-sharing \nlegislation, CISPA, that would establish a center within DHS as \nthe Federal hub for information sharing. I hope this amendment \nsent a clear signal that any cybersecurity legislation passed \nby Congress during this session should have a strong role for \nDHS as a Federal leader in areas where Government and the \nprivate sector must work together to prevent cyber attacks and \nmitigate their impacts.\n    Today, I want to hear more about DHS's human capital \nresources. It is my understanding that DHS, like all Federal \nagencies, is suffering from a shortage of cyber personnel.\n    As DHS works to ensure its role as a Federal lead for \ndomestic cybersecurity, we cannot ignore our Nation's ability \nto prepare for, respond to, and recover from advanced cyber \nthreats in a forward-looking endeavor that cannot succeed \nwithout sufficient, qualified personnel. 
We cannot rely on \nother countries to develop our cyber workforce.\n    While we cannot predict what cyber threats may occur, we \ncan certainly be prepared and be ready. Be prepared and be \nready is a philosophy DHS encourages the public to adopt for \nnatural disasters. Yes, when the oncoming disaster may be a \nman-made cyber threat, the Department seems to have adopted a \n``let tomorrow take care of itself'' philosophy. Surely this is \nnot acceptable.\n    DHS must adopt a preparedness philosophy in all aspects of \nits work. In the world of cyber threats, a part of preparation \nmust be capacity-building programs that include education, \noutreach, and awareness initiatives.\n    This year, as hundreds of millions of dollars are poured \ninto Einstein and continuous diagnostic programs, the \nadministration's budget request slashed funding for National \ninitiative for cybersecurity education by $4.8 million, cutting \nthe program by one-third. These cuts will delay efforts to \nprovide cyber outreach and education to 1.7 million high school \nstudents.\n    We cannot continue to complain about the lack of skilled \ncybersecurity professionals in the American workforce if we are \nwilling to allow DHS to cut the funding it uses to develop the \ncyber workforce. Again, let me say: We cannot rely on other \ncountries to develop our cyber workforce.\n    Mr. Chairman, I look forward to hearing from the witnesses \nand hope that we can work together to restore this funding and \nensure that DHS is properly building a defense-in-depth \nstrategy to protect the Nation far into the future.\n    I yield back.\n    Mr. Meehan. 
Let me thank the gentleman from Mississippi.\n    Let me also let the other Members of the committee \nappreciate that opening statements may be submitted for the \nrecord, and we are pleased today to have a distinguished panel \nof witnesses before us on this very, very important topic.\n    [The statement of Ranking Member Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n                              May 16, 2013\n    After a significant expansion of the Department of Homeland \nSecurity's cybersecurity mission and programs, beginning in fiscal year \n2012, I am glad that we are finally holding a hearing to look at these \nprograms in depth and to assess the progress of the Department in \ncarrying out that mission.\n    This is the subcommittee's third hearing on cybersecurity this \nCongress--first, we held a hearing on the threats in cyberspace to our \ncritical infrastructure from state and non-state actors. Next, we \nlearned about how DHS protects the privacy of our citizens in \ncyberspace.\n    And with that background in place, today we will hear from the \nwitnesses about whether the Department has the people, programs, and \nresources in place to successfully address the significant cyber \nthreats to our critical infrastructure while protecting privacy. It is \nhigh time that our subcommittee takes a closer look at these programs, \nsome of which did not even exist just a few years ago.\n    The continuous diagnostics and EINSTEIN programs, in particular, \nhave undergone rapid expansion, and I am pleased that the Department is \nfulfilling its role as the protector of the dot-gov domain, with the \nresources to match. 
But though these Federal network security programs \nget the majority of the funding and attention, I believe the \nDepartment's responsibilities for protecting critical infrastructure, \nmost of which is found in the private sector, are equally important.\n    For this reason, I am particularly pleased that we are joined by \nDeputy Inspector General Charles Edwards, who can discuss recent work \ndone by the OIG to assess the progress that ICS-CERT has made to brand \nitself as the Cyber 9-1-1 for critical infrastructure before, during, \nand after cyber incidents.\n    ICS-CERT, recently incorporated as an operational arm of the NCCIC, \nhas done great work in mitigating cyber risks to critical \ninfrastructure, and I look forward to learning more about this mission \nand the challenges that still remain to share information with the \nprivate sector quickly and efficiently.\n    Finally, I want to register my concerns over the continuing drain \nof senior cybersecurity leadership at the Department, a trend that has \ngotten particularly bad in the last 6 months, with the departures of \nthe assistant secretary and the deputy under secretary.\n    We have been hearing about the difficulties DHS faces in attracting \nand retaining skilled junior and mid-level cyber employees for a long \ntime, but what does it say about the Department's cyber organization \nwhen it cannot retain its senior leaders, either? Rumors are \ncirculating about future replacements for these losses, and I am sure \nDHS would like to make a splash with these appointments, getting \nleaders who command respect in the information security and critical \ninfrastructure worlds. 
But most of all, DHS needs to find leaders who \nbelieve in the mission and will stay on board as a steady hand on the \nwheel during this period of immense expansion and evolution of our \ncybersecurity efforts.\n    As part of this process, I believe DHS needs to do some soul-\nsearching and identify why their senior officials have been leaving, \nand if changes need to be made to ensure future leaders will be more \nempowered to do their job, I expect that the Department will do so. I \nhope to work with the Department in this endeavor to guarantee that the \nvital cybersecurity mission gets the leadership it needs.\n\n    Mr. Meehan. I have had the chance to visit the NCCIC and to \nsee the great work that is done there, and to listen first-hand \nto the explanation of what they do, and as a result, it is a \ngreat privilege for us today to have the people who are at the \nfront end of that.\n    First, Ms. Roberta Stempfley is the acting assistant \nsecretary of the Office of Cybersecurity and Communications, \nwhere she plays a leading role in developing the strategic \ndirection of the cyber communications and security. A lot of \nthe problem is you have got to figure out all of these letters \nin operating things, but it oversees five strategic divisions.\n    She has previously served as the deputy assistant secretary \nfor the CS&C and as the director of the National Cybersecurity \nDivision. Prior to her work at the CS&C, Ms. Stempfley served \nas the chief information officer for the Defense Information \nSystems Agency, where she was responsible for supporting the \ndirector in decision making, strategy development, and \ncommunication, and management of information technology \nresources at that agency.\n    Mr. Larry Zelvin is the director of the National \nCybersecurity and Communications Integration Center, the NCCIC, \nwhich is housed at the Department of Homeland Security. The \nNCCIC is comprised of several components, including the U.S. 
\nComputer Emergency Readiness team, the National Coordination \nCenter for Telecommunications, the Industrial Control Systems \nCyber Emergency Response team, and a 24/7 operations center. \nMr. Zelvin is a retired U.S. Navy captain and naval aviator \nwith 26 years of active service.\n    Mr. Charles Edwards is the deputy inspector general of the \nDepartment of Homeland Security. Mr. Edwards is the head of the \nOffice of Inspector General, a role he first attained when \nnamed acting inspector general in February 2011. Mr. Edwards \nhas over 20 years of experience in the Federal Government and \nhas held leadership positions at several agencies, including \nthe TSA, United States Postal Office, Inspector--the Office of \nthe Inspector General, and the United States Postal Service.\n    The witnesses' full written statements appear in the \nrecord, and I know that Ms. Stempfley and Mr. Zelvin have \noffered a joint statement.\n    So the Chairman now recognizes Ms. Stempfley for 5 minutes \nto testify, but I do want you to make sure that you hit the \nimportant points you have in your testimony. So thank you, Ms. \nStempfley. The Chairman now recognizes you for your testimony.\n\n  STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, \nOFFICE OF CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF \n   HOMELAND SECURITY, ACCOMPANIED BY LARRY ZELVIN, DIRECTOR, \n NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, \n              U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Stempfley. Thank you very much, Chairman Meehan, \nRanking Member Thompson, and distinguished Members of the \ncommittee. 
I appreciate the time you have taken today and it is \ncertainly our pleasure to appear before you to discuss the \nDepartment of Homeland Security's National Cybersecurity and \nCommunications Integration Center and its role in protecting \ncritical infrastructure from cyber attacks, securing our \nFederal networks, and coordinating cybersecurity information \nsharing with the private sector.\n    Before I begin, I want to thank you for your leadership, \nsir--Mr. Thompson commented in his opening statement, as well--\nduring the recent legislation debate over the Cyber \nIntelligence Sharing and Protection Act, and especially in \nsupporting the passing of that amendment designating DHS as the \nlead civil Federal entity to receive cyber threat information.\n    Cybersecurity puts the confidentiality, integrity, and \navailability of critical services at risk. DHS, along with its \nGovernment and private-sector partners, works to counter these \nthreats while supporting a cyber ecosystem that is open, \ntransparent, and less vulnerable to manipulation. The NCCIC \nsupports this effort by providing comprehensive and robust \ninformation sharing, incident response, technical assistance, \nand analysis capabilities to and with our private sector, \nGovernment, and international partners. While coordinating with \nthese partners, our goal is to ensure that privacy, \nconfidentiality, civil rights, and civil liberties are not \ndiminished by our security initiatives.\n    The Department's transparency and public accountability \nallow us to act as a pipeline to get cyber threat information \nin the hands of critical infrastructure owners and operators. 
\nWe are able to share experiences and trends with law \nenforcement and intelligence communities while preventing \nmalicious actors from gaining access to sensitive sources and \nmethods.\n    Within DHS's National Protection and Programs Directorate, \nthe Office of Cybersecurity and Communications focuses on \nmanaging the risk to communications and information technology \ninfrastructures and the sectors that depend on them. Our role \nis to enable timely response and recovery of these \ninfrastructures under all circumstances.\n    The Department manages and facilitates cybersecurity \ninformation-sharing efforts, analysis, and incident response \nactivities through the NCCIC. It is a round-the-clock \norganization where Government, private-sector, and \ninternational partners work together towards a whole-of-Nation \napproach to address cybersecurity and communications issues at \nthe operational level.\n    We thank those of you who have come out for a tour and \ninvite those who have yet to do so to come and see the \ncenter in operation, with our private-sector partners shoulder-\nto-shoulder with us in the capabilities.\n    The NCCIC has experienced over the last year a 68 percent \nincrease from 2011 to 2012 in incidents reported. In 2012 we \nreceived 190,000 cyber incidents reported to the NCCIC.\n    Recently we have been working with the Departments of \nState, Justice, Treasury, and other interagency partners as \nwell as our industry partners, such as the Financial Services \nInformation Sharing and Analysis Center, to respond to the \nseries of denial-of-service attacks against our financial \nservices industry that have occurred over the past few months. 
\nUS-CERT has worked, along with the FBI and other interagency \npartners, to provide technical data, on-site assistance, \nclassified and unclassified briefings in order to help \nfinancial institutions and their information technology service \nproviders improve their defensive capabilities.\n    In addition to sharing with the private-sector entities, we \nhave provided this information to over 120 international \npartners, many of whom have contributed to the mitigation \nefforts. These efforts have not only helped financial \ninstitutions blunt the impact of these attacks, but have helped \nthe industry develop new strategies that DHS is sharing with \nother sectors of critical infrastructure should they face \nsimilar attacks.\n    The Industrial Control Systems Computer Emergency \nResponse--Cyber Emergency Response Team's mission is to reduce \nthe risk to the Nation's critical infrastructure and the \ncontrol systems that operate within it by strengthening those \ncontrol systems. We have responded to almost 200 incidents over \nthe last year with 89 on-site visits and 15 teams deployed \njointly with the US-CERT to assist in significant private-\nsector engagements.\n    In March 2012, the Control Systems--the ICS-CERT identified \na campaign of cyber intrusions targeting natural gas pipeline \nsector with spear phishing e-mails that dated back to December \n2011. Responding quickly, we immediately began an action \ncampaign with the Department of Energy and other partners to \nconduct classified and unclassified briefings across the \ncountry providing warnings and mitigation. These entities have \nbeen very--have benefitted from this rapid information sharing.\n    The third entity in the NCCIC is the National Coordination \nCenter for Telecommunications. 
It leads and coordinates \ninitiation, restoration, and reconstitution of National \nsecurity emergency preparedness telecommunication services \nunder all conditions.\n    It has recently collaborated with industry in response to \nHurricane Sandy, which enhanced wireless coverage to emergency \nresponders providing emergency services to the 33,400 citizens \nin Long Beach, New York, the 1.4 million citizens in Nassau \nCounty, and the 130,000 citizens in faraway Queens. Their \neffort supported the recovery of communications to the U.S. \nfinancial sector by coordinating fuel and power restoration to \nkey facilities in New York City, ensuring no impact to \ninternational financial trading.\n    The Department's efforts to protect critical infrastructure \nare enhanced by the recently-issued cybersecurity Executive \nOrder and Presidential Policy Directive on critical \ninfrastructure security and resilience. Both of these documents \nimprove the NCCIC's ability to execute its mission in support \nof the private sector by strengthening and securing the \nresilience of critical infrastructure, increasing the role of \ncybersecurity and securing physical assets, and expanding the \ncoordination and information sharing with critical \ninfrastructure partners.\n    The Executive Order also supports DHS's strong privacy and \ncivil liberty goals by reinforcing those protections and their \nincorporation in every aspect of our cybersecurity efforts. The \nDepartment believes, however, that the comprehensive suite of \ncybersecurity legislation is still essential to improving \nthe Nation's cybersecurity and we are pleased that the \nadministration will continue to work with Congress to achieve \nthis.\n    Thank you so much for your support and continued attention \nto this critical issue, and I look forward to your questions.\n    [The joint prepared statement of Ms. Stempfley and Mr. 
\nZelvin follows:]\n   Joint Prepared Statement of Roberta Stempfley and Lawrence Zelvin\n                              May 16, 2013\n                              introduction\n    Chairman Meehan, Ranking Member Clarke, and distinguished Members \nof the committee, it is a pleasure to appear before you today to \ndiscuss the Department of Homeland Security's (DHS) National \nCybersecurity and Communications Integration Center (NCCIC). \nSpecifically, I will discuss the NCCIC's role, responsibilities, and \nfuture planning to protect our Nation's critical infrastructure from \ncyber attacks, secure Federal networks, and coordinate private-sector \ncyber-threat information sharing.\n    Before I begin, I would like to thank the committee for its \nleadership during the recent legislative debate over the Cyber \nIntelligence Sharing and Protection Act, especially in support of \npassing an amendment to designate DHS as the lead civilian Federal \nentity to receive cyber threat information. Cybersecurity threats put \nthe confidentiality, integrity, and availability of critical services \nat risk. DHS, along with its Government and private-sector partners, \nworks to counter these threats while supporting a cyber ecosystem that \nis open, transparent, and less vulnerable to manipulation. The NCCIC \nsupports this effort by providing comprehensive and robust information \nsharing, incident response, technical assistance, and analysis \ncapabilities to private-sector, Government, and international partners.\n                        current threat landscape\n    Cyberspace is woven into the fabric of our daily lives. According \nto recent estimates, this global network of networks encompasses more \nthan 2 billion people with at least 12 billion computers and devices, \nincluding global positioning systems, mobile phones, satellites, data \nrouters, ordinary desktop computers, and industrial control computers \nthat run power plants, water systems, and more. 
While this increased \nconnectivity has led to significant transformations and advances across \nour country--and around the world--it also has increased the importance \nand complexity of our shared risk. Our daily life, economic vitality, \nand National security depend on cyberspace. A vast array of \ninterdependent IT networks, systems, services, and resources are \ncritical to communicating, traveling, powering our homes, running our \neconomy, and obtaining Government services. No country, industry, \ncommunity, or individual is immune to cyber risks.\n    The United States confronts a dangerous combination of known and \nunknown vulnerabilities in cyberspace and strong and rapidly expanding \nadversary capabilities. Cyber crime also has increased significantly \nover the last decade. Sensitive information is routinely stolen from \nprivate-sector and Government networks, undermining the integrity of \nthe data contained within these systems. The Department currently sees \nmalicious cyber activity from foreign nations and non-state actors \nengaged in intellectual property theft and information operations, \nterrorists, organized crime, and insiders. Their methods range from \ndistributed denial of service (DDoS) attacks and social engineering to \nviruses and other malware introduced through remote access, thumb \ndrives, supply chain exploitation, and leveraging trusted insiders' \naccess.\n    The Department has seen motivations for attacks vary from \nintellectual property theft to criminals seeking financial gain and \nhackers who may seek bragging rights in the hacker community. \nIndustrial control systems also are targeted by a variety of malicious \nactors who may have intentions to damage equipment and facilities or \nsteal data. Foreign actors also are targeting intellectual property \nwith the goal of stealing trade secrets or other sensitive corporate \ndata from U.S. 
companies in order to gain an unfair competitive \nadvantage in the global market.\n    Successful response to dynamic cyber threats requires leveraging \nhomeland security, law enforcement, and military authorities and \ncapabilities, which respectively provide for domestic preparedness, \ncriminal deterrence and investigation, and National defense. DHS, the \nDepartment of Justice (DOJ), and the Department of Defense (DOD) each \nplay a key role in responding to cybersecurity incidents that pose a \nrisk to the United States. To achieve a whole-of-Government response, \nDHS, DOJ, and DOD coordinate continuously to effectively respond to \nspecific incidents. While each agency operates within the parameters of \nits authorities, the U.S. Government's response to cyber incidents of \nconsequence is coordinated among these three agencies such that ``a \ncall to one is a call to all.''\n                     nccic's cybersecurity mission\n    DHS coordinates the overall Federal effort to promote the security \nand resilience of the Nation's critical infrastructure by ensuring \nmaximum coordination and partnership with the private sector while \nensuring that privacy, confidentiality, and civil rights and civil \nliberties are not diminished by its security initiatives. Accordingly, \nthe Department has implemented rigorous privacy and civil rights and \ncivil liberties standards, which apply to all of its cybersecurity \nprograms and initiatives. 
In order to protect privacy while \nsafeguarding and securing cyberspace, DHS institutes layered privacy \nresponsibilities throughout the Department, embeds fair information \npractice principles into cybersecurity programs and privacy compliance \nefforts, and fosters collaboration with cybersecurity partners.\n    Within DHS's National Protection and Programs Directorate (NPPD), \nthe Office of Cybersecurity and Communications (CS&C) focuses on \nmanaging risk to the communications and information technology \ninfrastructures and the sectors that depend upon them, as well as \nenabling timely response and recovery of these infrastructures under \nall circumstances. CS&C executes its mission by supporting 24x7 \ninformation sharing, analysis, and incident response; facilitating \ninteroperable emergency communications; advancing technology solutions \nfor private and public-sector partners; providing tools and \ncapabilities to ensure the security of Federal civilian executive \nbranch networks; and engaging in strategic-level coordination for the \nDepartment with private-sector organizations on cybersecurity and \ncommunications issues.\n    To better manage and facilitate cybersecurity information-sharing \nefforts, analysis, and incident response activities, the Department \nestablished the NCCIC, a round-the-clock information sharing, analysis, \nand incident response center where Government, private-sector, and \ninternational partners all work together. The NCCIC is comprised of \nfour branches: The United States Computer Emergency Readiness Team (US-\nCERT), the Industrial Control Systems Cyber Emergency Response Team \n(ICS-CERT), the National Coordinating Center for Telecommunications \n(NCC), and Operations Integration (O&I). 
As mutually-supporting and \nintegrated elements of the NCCIC, these branches provide the unique \nauthorities, capabilities, and partnerships needed to drive a whole-of-\nNation approach to addressing cybersecurity and communications issues \nat the operational level.\n  <bullet> US-CERT provides advanced information sharing, incident \n        response, and analysis expertise for malicious cyber activity \n        targeting private-sector and Government networks. US-CERT's \n        global partnerships allow it to work directly with analysts \n        from across multiple sectors and international borders to \n        develop a comprehensive picture of malicious activity and \n        mitigation options. US-CERT's mission focuses specifically on \n        computer network defense, and it is able to apply its full \n        resources to supporting prevention, protection, mitigation, \n        response, and recovery efforts.\n  <bullet> ICS-CERT reduces risk to the Nation's critical \n        infrastructure by strengthening the cybersecurity of systems \n        that operate our Nation's critical infrastructure. It carries \n        out this mission by performing incident response to support \n        asset owners with discovery, analysis, and recovery efforts as \n        well as providing situational awareness through training, \n        alerts, and advisories to warn of cyber-based threats and \n        vulnerabilities affecting critical infrastructure assets. 
In \n        addition, ICS-CERT conducts assessments and technical analysis \n        of malware, digital media, system vulnerabilities, and emerging \n        exploits and partners with the control systems community to \n        coordinate risk management activities.\n  <bullet> NCC leads and coordinates the initiation, restoration, and \n        reconstitution of the National Security/Emergency Preparedness \n        (NS/EP) telecommunications services or facilities during any \n        human-caused or natural event where physical communications \n        infrastructure is damaged or vulnerable. NCC leverages \n        partnerships across Government, industry, and international \n        partners to gain situational awareness and determine priorities \n        for protection and response. NCC's presence in the NCCIC allows \n        DHS to synchronize operational processes supporting both the \n        physical and the virtual components of our Nation's information \n        and communications technology infrastructure.\n  <bullet> O&I applies planning, coordination, and integration \n        capabilities to synchronize analysis, information sharing, and \n        incident response efforts, ensuring effective synchronization \n        across the NCCIC.\n                            strategic goals\n    The NCCIC works to proactively analyze cybersecurity and \ncommunications threats and vulnerabilities and coordinate their \nfindings with partners to manage risks to critical systems; create \nshared situational awareness among public-sector, private-sector, and \ninternational partners by collaboratively developing and sharing timely \nand actionable cybersecurity and communications information; and \nrapidly respond to routine and significant cybersecurity and \ncommunications incidents and events to mitigate harmful activity, \nmanage crisis situations, support recovery efforts, and assure NS/EP.\n    To accomplish its strategic goals, NCCIC relies on the 
voluntary \ncoordination, collaboration, capabilities, and resources of its \npartners. The center works closely with those Federal agencies most \nresponsible for securing the Government's cyber and communications \nsystems, including the Departments of Treasury and Energy. The NCCIC \nalso actively engages with the appropriate private-sector entities, \ninformation-sharing and analysis centers, State, local, Tribal, and \nterritorial governments, and international partners. As integral parts \nof the cyberspace and communications community, these groups work \ntogether to protect the portions of critical information technology \nthat they interact with, operate, manage, or own. These groups of \nstakeholders represent natural communities of practice providing the \nfoundation for effective information sharing and response.\nThreat Analysis\n    NCCIC collaborates with private-sector, Government, and \ninternational partners to identify, research, and verify suspicious, \nmalicious, or potentially harmful cybersecurity and communications \nactivity, events, or incidents. For example, US-CERT operates NCCIC's \nAdvanced Malware Analysis Center, which receives malware samples and \nother potentially malicious files from around the world. The Advanced \nMalware Analysis Center analyzes those files, shares that analysis \nbroadly to alert partners to malicious activity, and provides them with \nactionable indicators and recommendations to improve their ability to \nprotect themselves.\n    By understanding the nature of attacks, vulnerabilities, and risks, \nNCCIC is able to determine possible impacts, set priorities, and \nproactively develop and share effective mitigation strategies. NCCIC \nstrives to anticipate potentially harmful activity and provide \nactionable alert and warning information to partners before they are \nimpacted. 
NCCIC's analysis efforts, whether focused on a new piece of \nmalware or a tropical storm with the potential to damage critical \ncommunications systems, contribute directly to its information sharing, \nresponse, and protection and prevention capabilities.\nSituational Awareness\n    The success of the NCCIC's mission is heavily reliant on its \nability to establish shared situational awareness of potentially \nharmful activity, events, or incidents across multiple constituencies \nto improve the ability of diverse and distributed partners to protect \nthemselves. To do this, NCCIC integrates analysis and data received \nthrough its own analysis, intelligence community and law enforcement \nreporting, and data shared by private-sector and international partners \ninto a comprehensive series of actionable information products, which \nare shared with partners in easy-to-digest machine-readable formats.\n    Multidirectional sharing of alerts, warnings, analysis products, \nand mitigation recommendations among Federal, State, local, Tribal, and \nterritorial governments, private sector, including information sharing \nand analysis centers, and international partners is a key element of \nNCCIC's cyber and communications protection and prevention framework. \nThe NCCIC continuously works with a broad range of partners to explore \nand innovate new ways to enhance information sharing and move closer to \nnetwork speed communications.\nRapid Response\n    The NCCIC applies the collective capabilities of its partners and \nconstituents to identify, prioritize, and escalate confirmed \ncybersecurity incidents in order to minimize impacts to critical \ninformation infrastructure. To ensure a 24x7 capability, NCCIC \nmaintains cross-functional incident response teams, which draw from the \ncapabilities of NCCIC's branches, along with expertise from elsewhere \nin DHS such as the United States Secret Service (USSS) and Immigration \nand Customs Enforcement (ICE). 
Working under a voluntary request for \ntechnical assistance, these incident response teams analyze malware, \nreview network logs, and assess security posture to identify possible \nmalicious activity, its impacts, as well as mitigation and recovery \noptions.\n    Recognizing the possibility of a cyber incident with physical \nimpacts or a physical incident with cyber implications, NCCIC works \nincreasingly closely with NPPD's National Infrastructure Coordinating \nCenter (NICC). This collaboration, directed by Presidential Policy \nDirective 21 (PPD-21), helps to ensure strong synchronization between \nDHS's infrastructure protection efforts in both the cyber and physical \nrealms. In addition, the NCCIC assists in the initiation, coordination, \nrestoration, and reconstitution of the NS/EP telecommunications \nservices or facilities under all conditions, crises, or emergencies \nincluding executing Emergency Support Function 2--Communications \nresponsibilities under the National Response Framework.\n    These efforts provide a whole-of-Nation approach to incident \nresponse, efficiently and effectively leveraging capabilities from \nacross DHS's partner base while implementing key policies.\n                   protecting critical infrastructure\n    Protecting critical infrastructure against growing and evolving \ncyber threats requires a layered approach. 
DHS actively collaborates \nwith public and private-sector partners every day to improve the \nsecurity and resilience of critical infrastructure while responding to \nand mitigating the impacts of attempted disruptions to the Nation's \ncritical cyber and communications networks and to reduce adverse \nimpacts on critical network systems.\n    DHS coordinates the National protection, prevention, mitigation, \nand recovery from cyber incidents and works regularly with business \nowners and operators to take steps to strengthen their facilities and \ncommunities, and through collaboration between the NCCIC and the NICC, \nintegrates efforts across the physical and cyber domains. The \nDepartment also conducts on-site risk assessments of critical \ninfrastructure and shares risk and threat information with State, \nlocal, and private-sector partners. NCCIC enhances situational \nawareness among stakeholders, including those at the State and local \nlevel, as well as industrial control system owners and operators, by \nproviding critical cyber threat, vulnerability, and mitigation data. \nThese efforts provide unique value to private-sector partners by \nintegrating data from companies and industries that might not normally \ncommunicate.\n    In 2011, DHS launched the Cyber Information Sharing and \nCollaboration Program (CISCP), which is specifically designed to \nelevate the cyber awareness of all critical infrastructure sectors \nthrough close and timely cyber threat information sharing and direct \nanalytical exchange. Through the CISCP, participating private-sector \npartners are able to share data directly with Government. When \nrequested, these datasets are covered by the Protected Critical \nInfrastructure Information (PCII) program, which protects the name of \nthe company that shared the information from disclosure through Freedom \nof Information Act requests, regulatory processes, civil litigation, \nand other sunshine law requirements. 
Submitted datasets are analyzed in \nthe context of other data received from across sectors, and based on \nthis analysis regular analytical products are shared back out with \npartners. CISCP has signed 40 Cooperative Research and Development \nAgreements (CRADAs), and is in the process of finalizing agreements \nwith 66 additional entities to formalize a streamlined information-\nsharing process. Since December 2011, CISCP has released over 900 \nproducts containing approximately 18,000 cyber threat indicators, which \nare based on information the Department has gleaned from participant \nsubmissions, open-source research, and from sensitive Government \ninformation.\n    NCCIC has also benefited from close collaboration with the USSS and \nICE, which have complementary jurisdiction over the investigation of \ncomputer crime violations that they exercise to protect the Nation's \nleaders and critical infrastructure and strategically target \ntransnational organized criminals who are exploiting the financial \nsystem through cybercrimes. By working closely together, NCCIC and its \nlaw enforcement partners are able to leverage each organization's \nexpertise and unique authorities to more effectively and efficiently \nexecute DHS's cybersecurity mission.\n                      responding to cyber threats\n    As the civilian Department at the intersection of public-private \ninformation sharing, DHS is a focal point for coordinating \ncybersecurity information sharing with the private sector. The \nDepartment engages with owners and operators, based on their requests \nfor technical assistance, by providing on-site analysis, mitigation \nsupport, and assessment assistance. The Department has repeatedly \ndemonstrated its ability to expeditiously support private-sector \npartners with cyber intrusion mitigation and incident response. 
\nInitiating technical assistance with any private company to provide \nanalysis and mitigation advice is a sensitive endeavor that requires \ntrust and strict confidentiality. DHS's efforts focus on civilian \ncomputer network defense and protection rather than law enforcement, \nmilitary, or intelligence functions in order to mitigate threats to the \nnetworks and reduce future risks.\n    Since 2009, the NCCIC has responded to nearly half-a-million \nincident reports and released more than 26,000 actionable cybersecurity \nalerts to the Department's public- and private-sector partners. An \nintegral player within the NCCIC, the US-CERT also provides response \nsupport and defense against cyber attacks for Federal civilian agency \nnetworks as well as private-sector partners upon request. In 2012, US-\nCERT processed approximately 190,000 cyber incidents involving Federal \nagencies, critical infrastructure, and the Department's industry \npartners. This represents a 68 percent increase from 2011. In addition, \nUS-CERT issued over 7,455 actionable cyber-alerts in 2012 that were \nused by private sector and Government agencies to protect their \nsystems, and had over 6,400 partners subscribe to the US-CERT portal to \nengage in information sharing and receive cyber-threat warning \ninformation.\n    The Department's ICS-CERT also responded to 177 incidents last year \nwhile completing 89 site assistance visits and deploying 15 teams with \nUS-CERT to respond to significant private-sector cyber incidents, which \nincludes analyzing data and sharing results, developing mitigation \nrecommendations, and providing alerts and warning to potential future \nvictims. DHS also empowers owners and operators through a cyber self-\nevaluation tool, the Cyber Security Evaluation Tool (CSET(R)), which was \nused by over 1,000 companies last year. 
In addition, DHS provides in-\nperson and on-line training sessions that focus on network security.\n    The NCCIC, and its Federal partners, works with the private sector \nand international partners in preventing intellectual property theft \nwith a whole-of-Government approach. For example, the United States \nSecret Service--which brings together over 6,000 partners from across \nsectors through its 29 domestic Electronic Crimes Task Forces (ECTFs)--\ninvestigates cyber crimes within its jurisdiction, and the United \nStates Coast Guard contains a component of U.S. Cyber Command and U.S. \nStrategic Command for the conduct of military missions. In each case, \nDHS focuses not only on responding to the incident at hand, but also on \nidentifying trends, warning potential victims, and proactively engaging \nwith partners. DHS, in collaboration with FBI and other partners, \nreleased a series of Joint Indicator Bulletins, containing cyber-threat \nindicators to help private-sector partners take action to stop this \nactivity and protect them from theft of intellectual property, trade \nsecrets, and sensitive business information.\n    Most recently, and in close collaboration with interagency partners \nas well as industry partners like the Financial Services Information \nSharing and Analysis Center, DHS has been engaged with private-sector \nand international partners during the series of DDoS incidents over the \npast few months. DHS has provided technical data and assistance, \nincluding identifying hundreds of thousands of DDoS-related IP \naddresses and supporting contextual information in order to help \nfinancial institutions and their information technology security \nservice providers improve their defensive capabilities. In addition to \nsharing with these private-sector entities, DHS has provided this \ninformation to over 120 international partners, many of whom have \ncontributed to our mitigation efforts. 
DHS, along with the FBI and \nother interagency partners, has also deployed on-site technical \nassistance to provide in-person support, and has conducted numerous \nclassified briefings on the nature of the threat and mitigation \nstrategies to hundreds of financial-sector IT security specialists. \nThese efforts have helped to increase the U.S. Government's sharing and \ncoordination efforts internally and with private-sector partners. \nAdditionally, the mitigation strategies provided have not only helped \nfinancial institutions significantly blunt the impact of these attacks, \nbut they have also helped the industry develop new strategies of their \nown that DHS hopes to share with other sectors of critical \ninfrastructure to help mitigate similar attacks.\n    NCCIC's NCC played a vital role in response to Hurricane Sandy \nrecovery efforts. The NCC, as the coordinator for Emergency Support \nFunction No. 2 under the National Response Framework, provided a wide \nrange of communications support in partnership with industry to support \nresponders, citizens, and industry response and recovery. NCC worked to \nimprove first-responder actions by assisting in radio network \ninfrastructure restoration such as microwave connectivity supporting \nlocal fire department dispatch and coordination. They also coordinated \naid to citizens through more than 170 instances of emergency \nprovisioning of communications installations supporting response \norganizations such as the American Red Cross, Army Corps of Engineers, \nSocial Security Administration, and the Federal Emergency Management \nAgency. Collaborating with industry, NCC enhanced wireless coverage to \nfirst responders who provide emergency services to approximately 33,400 \ncitizens in Long Beach, New York; 1,400,000 citizens in Nassau County \nand 130,000 citizens in Far Rockaway, Queens. Their efforts also \nsupported the recovery of communications to the U.S. 
financial sector \nby coordinating fuel and power restoration to a key facility in New \nYork City, ensuring no impact to international financial trading.\n    Finally, in March 2012, DHS identified a campaign of cyber \nintrusions targeting natural gas pipeline sector companies with spear-\nphishing e-mails that dated back to December 2011. The attacks were \nhighly-targeted, tightly-focused, and well-crafted. Stolen information \ncould provide an attacker with sensitive knowledge about industrial \ncontrol systems, including information that could allow for \nunauthorized operation of the systems. While there is no evidence that \nanyone has tried to subvert the operation of these industrial control \nsystems, the intent of the attacker remains unknown. DHS immediately \nbegan an action campaign to alert the oil and natural gas pipeline \nsector community of the threat and offered to provide assistance. \nIndustry partners have been responsive to these threats, and in May and \nJune 2012, DHS deployed on-site assistance to two of the organizations \ntargeted in this campaign: An energy company that operates a gas \npipeline in the United States and a manufacturing company who \nspecializes in producing materials specific to pipeline construction. \nDHS also partnered with the Department of Energy and others to conduct \nbriefings across the country. Over 500 private-sector individuals \nattended the classified briefings and hundreds more received \nunclassified briefings providing warnings and mitigation strategies.\n                        recent executive actions\n    As today's physical and cyber infrastructures become increasingly \nlinked, critical infrastructure and emergency response functions grow \never more inseparable from the information technology systems that \nsupport them. 
The Government's role in this effort is to share \ninformation and encourage enhanced security and resilience, while \nidentifying and addressing gaps not filled by the marketplace. These \npolicies work in conjunction with Executive Order 13618 of July 6, \n2012, Assignment of National Security and Emergency Preparedness \nCommunications Functions, which improves how the Executive branch \nhandles NS/EP Communications and ties cyber into emergency response \ncommunications.\n    In February 2013, President Obama issued EO 13636, as well as PPD-\n21 on Critical Infrastructure Security and Resilience, which will work \nto strengthen the security and resilience of critical infrastructure \nthrough an updated and overarching National framework that acknowledges \nthe increased role of cybersecurity in securing physical assets, and \nwill improve NCCIC's ability to execute its mission in support of the \nprivate sector. The President's actions mark an important milestone in \nthe Department's on-going efforts to coordinate the National response \nto significant cyber incidents while enhancing the efficiency and \neffectiveness of our work to strengthen the security and resilience of \ncritical infrastructure, and these policies will further enable NCCIC's \nmission. EO 13636 supports more efficient sharing of cyber-threat \ninformation with the private sector and directs the National Institute \nof Standards and Technology to develop a Cybersecurity Framework to \nidentify and implement better security practices among critical \ninfrastructure sectors. EO 13636 directs DHS to establish a voluntary \nprogram to promote the adoption of the Cybersecurity Framework in \nconjunction with Sector-Specific Agencies and to work with industry to \nassist companies in implementing the framework.\n    EO 13636 also expands the DHS Enhanced Cybersecurity Services (ECS) \nprogram, key aspects of which are operated by the NCCIC. 
ECS is a \nvoluntary information-sharing program that assists critical \ninfrastructure owners and operators to improve protection of their \nsystems from unauthorized access, exploitation, or data exfiltration. \nDHS works with cybersecurity organizations from across the USG to gain \naccess to a broad range of cyber-threat information. ECS consists of \nthe operational processes and security oversight required to share \nsensitive and classified cyber-threat information with qualified \nCommercial Service Providers (CSPs) that will enable them to better \nprotect their customers who are critical infrastructure entities. CSPs \ncan deliver approved services to validated critical infrastructure \nentities through commercial relationships. The ECS program is not \ninvolved in establishing commercial relationships between CSPs and CI \nentities. ECS augments, but does not replace, entities' existing \ncybersecurity capabilities. The ECS information-sharing process \nprotects Critical Infrastructure (CI) entities against cyber threats \nthat could otherwise harm their systems. ECS program participation is \nvoluntary and designed to protect Government intelligence, corporate \ninformation security, and the privacy of participants, while enhancing \nthe security of critical infrastructure. Validated CI entities from all \n16 CI sectors are eligible to participate in the ECS program and \nreceive ECS services from an eligible CSP.\n    In addition, the Presidential Policy Directive directs the \nExecutive branch to strengthen our capability to understand and \nefficiently share information about how well critical infrastructure \nsystems are functioning and the consequences of potential failures. It \ncalls for a comprehensive research and development plan for critical \ninfrastructure to guide the Government's effort to enhance market-based \ninnovation. 
The strategic imperatives in PPD-21 also direct the NCCIC \nand the NICC to ``function in an integrated manner and serve as focal \npoints for critical infrastructure partners to obtain situational \nawareness and integrated, actionable information to protect the \nphysical and cyber aspects of critical infrastructure.'' As such, NPPD \nis enhancing the existing coordination of its two critical \ninfrastructure operations centers, the NCCIC and the NICC.\n                    continuing need for legislation\n    We continue to believe that carefully-crafted information-sharing \nprovisions, as part of a comprehensive suite of cybersecurity \nlegislation, are essential to improve the Nation's cybersecurity to an \nacceptable level, and we will continue to work with Congress to achieve \nthis.\n    The administration's legislative priorities for the 113th Congress \nbuild upon the President's 2011 Cybersecurity Legislative Proposal and \ntake into account 2 years of public and Congressional discourse about \nhow best to improve the Nation's cybersecurity. Congress should enact \nlegislation to incorporate privacy, confidentiality, and civil \nliberties safeguards into all aspects of cybersecurity; strengthen our \ncritical infrastructure's cybersecurity by further increasing \ninformation sharing and promoting the establishment and adoption of \nstandards for critical infrastructure; give law enforcement additional \ntools to fight crime in the digital age; and create a National Data \nBreach Reporting requirement.\n                               conclusion\n    Set within an environment characterized by a dangerous combination \nof known and unknown vulnerabilities, rapidly-evolving adversary \ncapabilities, and a lack of comprehensive threat and vulnerability \nawareness, the cybersecurity mission is truly a National one requiring \nbroad collaboration. 
DHS is committed to creating a safe, secure, and \nresilient cyber environment while promoting cybersecurity knowledge and \ninnovation and protecting privacy, confidentiality, civil rights, and \ncivil liberties in collaboration with its public, private, and \ninternational partners. Thank you for your continued support and \nattention to the critical issue of cybersecurity and I look forward to \nyour questions.\n\n    Mr. Meehan. [Off mike.]\n    One of us thinks we have to get technology as my button to \nwork.\n    Thank you, Ms. Stempfley, for your testimony. As I \nidentified at the outset, Mr. Zelvin joins in that testimony on \nbehalf of the Department of Homeland Security.\n    So now the Chairman recognizes Mr. Edwards, Inspector \nGeneral's Office of DHS, for your testimony.\n\nSTATEMENT OF CHARLES K. EDWARDS, ACTING INSPECTOR GENERAL, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Edwards. Good morning, Chairman Meehan, Ranking Member \nClarke, Ranking Member Thompson, and Members of the \nsubcommittee. Thank you for the opportunity to discuss DHS \nefforts to secure the Nation's industrial control systems. The \nmajority of information that I will provide is contained in our \nFebruary 2013 report, ``DHS Can Make Improvements to Secure \nIndustrial Control Systems.''\n    Industrial control systems, or ICS, are systems that manage \nand monitor the Nation's critical infrastructure and key \nresources, or CIKR. 
ICS are increasingly under attack by a \nvariety of malicious sources, ranging from hackers looking for \nattention and reputation to sophisticated nation states intent \non damaging equipment and facilities, disgruntled employees, or \ncompetitors.\n    Successful attacks on ICS can give malicious users direct \ncontrol of operational systems, creating the potential for \nlarge-scale power outages or man-made environmental disasters \nand can cause physical damage, loss of life, and other \ncascading effects.\n    DHS has strengthened the security of ICS by addressing the \nneed to share critical cybersecurity information, analyze \nvulnerabilities, verify emerging threats, and disseminate \nmitigation strategies. DHS has taken a number of actions to \nimprove ICS security and foster better partnership within \nFederal and private sectors.\n    For example, DHS has established the ICS-CERT Incident \nResponse Team, also known as the fly-away team, to support the \npublic and private sectors through on-site and remote incident \nresponse services on a variety of cyber threats. DHS has \nimproved the quality of its alerts and bulletins by including \nactionable information regarding vulnerabilities and \nrecommended mitigations and best practices for securing ICS. \nFinally, the Department has strengthened its outreach efforts \nwith the ICS community, including vendors, owners, operators, \nthe academic community, and other Federal agencies.\n    Although DHS has made improvements, more needs to be done \nto reduce the cybersecurity risks for the Nation's ICS. Many of \nthe private-sector partners we interviewed use portals such as \nthe Homeland Security Information Network, or HSIN, to retrieve \nadvisories, vulnerability information, and best practices. 
\nThere are 55 communities of interest on the HSIN Critical \nSectors portal intended to facilitate communication and \ncollaboration among all CIKR sectors and the Federal \nGovernment.\n    However, DHS does not have a consolidated summary overview \npage on the HSIN Critical Sectors portal that highlights new \ninformation and activities to ensure that ICS cybersecurity \ninformation is shared effectively. As a result, the content of \neach of the CIKR sectors must be searched individually for \npertinent and updated information. These searches can be time-\nconsuming for the stakeholders.\n    In addition, all the sector-specific agencies senior \nofficials that we interviewed expressed a need to be notified \nin advance when ICS-CERT is performing on-site or remote \ntechnical assistance assessments with private companies within \ntheir sectors. For example, these officials suggested that ICS-\nCERT publish a heads-up or a quick anonymous informational \nalert regarding an on-going investigative or pending event, \nsectors and devices affected, and whether a potential fix \nexists. Such notification would be helpful and would allow them \nto react more accordingly if other companies call them with \nquestions.\n    Overall, officials acknowledge that DHS had improved the \nquality of alerts and bulletins that address various cyber \ntopics. However, they expressed concern regarding the \ntimeliness of ICS-CERT's information sharing and \ncommunications. ICS-CERT management acknowledged the sector-\nspecific agencies', councils', and private sector's concerns \nregarding the sharing of active incidents and threats, such as \nidentified cyber intrusions and spear phishing e-mails.\n    However, proprietary information and on-going law \nenforcement investigations sometimes limit the amount of \ninformation ICS-CERT can disseminate. The report included two \nrecommendations and NPPD concurred with both.\n    Mr. 
Chairman, this concludes my prepared remarks, and I \nwould be happy to answer any questions that you or the Members \nmay have.\n    Thank you.\n    [The prepared statement of Mr. Edwards follows:]\n                Prepared Statement of Charles K. Edwards\n                              May 16, 2013\n    Good morning Chairman Meehan, Ranking Member Clarke, and Members of \nthe subcommittee: Thank you for the opportunity to discuss DHS' efforts \nto secure the Nation's industrial control systems. The majority of \ninformation that I will provide today is contained in our February 2013 \nreport, DHS Can Make Improvements to Secure Industrial Control Systems \n(OIG-13-39).\n    Industrial control systems (ICS) are systems that include \nsupervisory control and data acquisition, process control, and \ndistributed control that manage and monitor the Nation's critical \ninfrastructure and key resources (CIKR).\\1\\ ICS are an integral part of \nour Nation, and help facilitate operations in vital sectors. Beginning \nin 1990, companies began connecting their operational ICS with \nenterprise systems that are connected to the internet. This allowed \naccess to new and more efficient methods of communication, as well as \nmore robust data, and gain quicker time to market and interoperability. \nHowever, security for ICS was inherently weak because it allowed remote \ncontrol of processes and exposed ICS to cybersecurity risks that could \nbe exploited over the internet. As a result, ICS are increasingly under \nattack by a variety of malicious sources. These attacks range from \nhackers looking for attention and notoriety to sophisticated nation-\nstates intent on damaging equipment and facilities, disgruntled \nemployees, competitors, and even personnel who inadvertently bring \nmalware into the workplace by inserting an infected flash drive into a \ncomputer. 
A recent survey revealed that a majority of the companies in \nthe energy sector had experienced cyber attacks, and about 55 percent \nof these attacks targeted ICS. These attacks involved large-scale \ndenial-of-service and network infiltrations. Successful attacks on ICS \ncan give malicious users direct control of operational systems, \ncreating the potential for large-scale power outages or man-made \nenvironmental disasters and cause physical damage, loss of life, and \nother cascading effects that could disrupt services.\n---------------------------------------------------------------------------\n    \\1\\ There are 18 CIKR sectors: Agriculture and Food, Banking and \nFinance, Chemical, Commercial Facilities, Communications, Critical \nManufacturing, Dams, Defense Industrial Base, Emergency Services, \nEnergy, Government Facilities, Healthcare and Public Health, \nInformation Technology, National Monuments and Icons, Nuclear Reactors, \nMaterial and Waste, Postal and Shipping, Transportation Systems, and \nWater.\n---------------------------------------------------------------------------\n    Some recent cyber attacks have included the following:\n  <bullet> In February 2011, the media reported that hackers had stolen \n        proprietary information worth millions of dollars from the \n        networks of six energy companies in the United States and \n        Europe.\n  <bullet> In December 2011, a sophisticated threat actor targeted the \n        oil and natural gas subsector. Affected asset owners across the \n        sector voluntarily worked with DHS during the investigation.\n  <bullet> Throughout 2011, there were reports of spear-phishing via \n        email in the energy sector; no negative impacts occurred to the \n        companies' control processes and operations.\n  <bullet> In March 2012, an alert was issued regarding phone-based \n        social engineering attempts at two or more power distribution \n        companies. 
The callers attempted to direct the company \n        personnel to take action to correct a problem that would have \n        allowed the attacker to gain access to their ICS.\n  <bullet> In April 2012, media reported that a Canadian ICS \n        manufacturing company inadvertently planted a backdoor login \n        account in its own operating systems, which contain switches \n        and servers used in mission-critical communications networks \n        that operate power grids and railway and traffic control \n        systems. This account could have allowed attackers to access \n        the devices via the internet.\n    The Industrial Control Systems--Cyber Emergency Response Team's \n(ICS-CERT) operational capabilities focus on the private-sector CIKR \nICS and networks, which is essential to the Department's mission to \nprotect the Nation's critical infrastructure, particularly against \nemerging cyber threats. Additionally, ICS-CERT uses the Request Tracker \nTicketing System to capture analytical and status information regarding \nvulnerabilities and incidents. The ticketing system maintains the \nincident response team's remote technical assistance and on-site \nassessment status and reports. Tickets are color-coded based on age. \nThe ticketing system notifies the assigned personnel when the status of \na ticket is changed or further action is needed. Additionally, ICS-CERT \ncoordinates control systems-related security incidents and information \nsharing with Federal, State, and local agencies and organizations, as \nwell as private-sector constituents, including vendors, owners, and \noperators of ICS.\n    ICS-CERT exchanges information with stakeholders via the Homeland \nSecurity Information Network (HSIN)--Critical Sector. The Office of the \nChief Information Officer (OCIO) develops and maintains HSIN and serves \nas data governance steward for HSIN policy documents, including the \nHSIN Model Charter and HSIN Terms of Service. 
Although OCIO is the data \nsteward, the office is not responsible for maintaining the content that \nusers and communities of interest post to any element of HSIN.\\2\\ Each \ncommunity of interest sponsor is responsible for maintaining and \nsharing the content within the community of interest and through the \ncommunity of interest shared space.\\3\\ The administration and \ngovernance of the communities of interest, including creation of \nindividual sites within the community, is at the discretion of their \nsponsors. OCIO works in cooperation with each community of interest to \nenforce the rules in the charter and terms of services. OCIO conducts \nregular reviews of communities of interest to validate and justify its \npurpose, objectives, and operational need. National Protection and \nPrograms Directorate (NPPD) sponsors and manages the critical sector \ncommunities of interest.\n---------------------------------------------------------------------------\n    \\2\\ HSIN communities of interest are separate environments wherein \nusers involved in the same subject matter area or industry may post and \nview potentially relevant news and information and use collaborative \ntools.\n    \\3\\ The HSIN shared space allows authorized stakeholders and \ncontent contributors to publish finished products and relevant \ndocuments that: (1) Have appropriate markings providing sharing \npermissions at the document level, and (2) are targeted to an \nauthorized audience based on their credentials and related community of \ninterest and system-wide rules for sharing.\n---------------------------------------------------------------------------\n dhs' progress in improving the security of industrial control systems\n    We reported that the Department needed to improve the security of ICS \nand information sharing to enhance program effectiveness. 
DHS has \nstrengthened the security of ICS by addressing the need to share \ncritical cybersecurity information, analyze vulnerabilities, verify \nemerging threats, and disseminate mitigation strategies. For example, \nDHS has taken the following actions to improve ICS security and foster \nbetter partnerships between the Federal and private sectors:\n  <bullet> Establishing ICS-CERT Incident Response Team, also known as \n        the fly-away teams, to support the public and private sectors \n        through on-site and remote incident response services on a \n        variety of cyber threats, ranging from general malicious code \n        infections to advanced persistent threat intrusions. \n        Additionally, in March 2012, NPPD released the Cyber Security \n        Evaluation Tool Version 4.1. The updated tool assists users in \n        identifying devices connected to their networks, as well as \n        external connections, by creating a diagram of their systems.\n  <bullet> Operating a malware lab that provides testing capabilities \n        to analyze vulnerabilities and malware threats to control \n        system environments. The team verifies vulnerabilities for \n        researchers and vendors, performs impact analysis, and provides \n        patch validation and testing prior to deployment to the asset-\n        owner community.\n  <bullet> Improving the quality of its alerts and bulletins by \n        including actionable information regarding vulnerabilities and \n        recommended mitigations and best practices for securing ICS.\n  <bullet> Providing products to the ICS community on a daily, weekly, \n        monthly, quarterly, and as-needed basis, through email, \n        website, and portal postings. 
These products help ICS-CERT to \n        improve the situational awareness of ICS and provide status \n        updates of its working groups, articles of interest, and \n        upcoming events and training.\n  <bullet> Implementing a virtual private network solution to allow \n        NPPD program officials to access program applications and \n        systems (e.g., the ICS-CERT ticketing system) located at the \n        Idaho National Laboratory (INL).\\4\\\n---------------------------------------------------------------------------\n    \\4\\ A virtual private network is a technology for using the \ninternet or another intermediate network to connect computers to \nisolated remote computer networks that would otherwise be inaccessible. \nUsers can access resources on remote networks, such as files, printers, \ndatabases, or internal websites.\n---------------------------------------------------------------------------\n  <bullet> Assisting in developing various roadmaps for the cross-\n        sector, dams, nuclear, water, and transportation. The road maps \n        provide vision and framework for mitigating cybersecurity risk \n        to the wide variety of systems critical to each sector's \n        operations.\n    Finally, the Department has strengthened its outreach efforts with \nthe ICS community, including vendors, owners/operators, academia, and \nother Federal agencies. These efforts include participating in the \nperiodic meetings with the Cross-Sector Cyber Security Working Group; \nGovernment Coordinating Council and Sector Coordinating Council; and \nvarious sector-specific groups.\n                            major challenges\n    Despite these actions, NPPD still faces challenges in reducing the \ncybersecurity risks for the Nation's ICS. Further, NPPD can improve its \nefforts to protect and secure control systems that are essential to the \nNation's security and economy. 
Specifically, ICS-CERT needs to \nconsolidate its information-sharing and communication efforts with \nSector-Specific Agencies and the private sector to ensure that these \nstakeholders are provided with potential ICS threats and \nvulnerabilities to mitigate security threats timely. In addition, DHS \nneeds to improve communications with Sector-Specific Agencies and the \nprivate sector by providing advanced notification of ICS-CERT's remote \ntechnical and on-site incident assessments.\nConsolidation of Multiple Information-Sharing Communities of Interest\n    Many of the private-sector partners we interviewed (e.g., owners/\noperators, regulators, and working groups) use the HSIN, ICS-CERT, and \nUnited States Computer Emergency Readiness Team (US-CERT) portals to \nretrieve advisories, vulnerability information, and best practices. \nThere are 55 communities of interest on the HSIN-Critical Sectors \nintended to facilitate communication and collaboration among all CIKR \nsectors and the Federal Government. However, DHS does not have a \nconsolidated summary overview page on HSIN-Critical Sectors that \nhighlights new information and activities to ensure that ICS \ncybersecurity information is shared effectively. As a result, the \ncontent for each of the CIKR sectors must be searched individually \nfor pertinent and updated information. For example, the Dams, Emergency \nManagement, and Electricity and Oil and Natural Gas subsector \ncommunities of interest, which are used by companies that belong to \nmultiple sectors, have to be searched individually and may contain non-\ncybersecurity information, such as physical security, emergency \nresponse, and planning. These searches can be time-consuming for the \nstakeholders.\n    Additionally, each community of interest is arranged differently, \nmaking it more cumbersome for the users to retrieve useful information. 
\nFor example, some HSIN users told us that the various communities of \ninterest contain duplicate information. As a result, some Sector-\nSpecific Agencies want to build additional portals for their \nstakeholders to streamline the information DHS provides.\n    ICS-CERT officials acknowledged that existing communities of \ninterest could confuse owners/operators. To eliminate duplicate \ninformation from the communities of interest, ICS-CERT created a \nsubcommittee to address stakeholder concerns regarding the communities \nof interest. ICS-CERT officials said that ICS-CERT only contributed \ncontent to the communities of interest and does not have the \nresponsibility for site set up. However, NPPD plans to hold discussions \nwith OCIO to determine whether these communities of interest could be \nconsolidated to better serve stakeholder needs.\n    We recommended that the Under Secretary, NPPD collaborate with OCIO \nto streamline the HSIN portal to ensure that ICS cyber information is \nshared effectively.\nAdvance Notification of Remote Technical and On-site Assessments\n    All the Sector-Specific Agencies senior officials that we \ninterviewed expressed a need to be notified in advance when ICS-CERT is \nperforming on-site or remote technical assistance assessments with \nprivate companies within their sectors. For example, these officials \nsuggested that ICS-CERT publish a ``heads-up'' or ``quick anonymous'' \ninformational alert regarding an on-going investigative/pending event, \nsectors and devices affected, and whether a potential fix exists. The \nSector-Specific Agency officials told us that such notifications would \nbe helpful and would allow them to react more appropriately if other \ncompanies call them with questions. 
For example, according to Nuclear \nSector-Specific Agency officials, the Department's Domestic Nuclear \nDetection Office sends an email alert to State authorities and its \noffices regarding upcoming site visits.\n    DHS does not communicate timely the results of its remote technical \nand on-site assessments to the public. We interviewed officials from \nthree Sector-Specific Agencies, six Government and private-sector \ncouncils, and 23 private companies from the dams, energy, and nuclear \nsectors to evaluate whether ICS-CERT shared sufficient information and \ncommunicated effectively. Overall, these officials acknowledged that \nDHS had improved the quality of alerts and bulletins that addressed \nvarious cyber topics. However, they expressed concerns regarding the \ntimeliness of ICS-CERT's information sharing and communications. As a \nresult, the stakeholders are concerned that a great deal of time might \nelapse until stakeholders were made aware of the same or similar \nincident that could affect their systems.\n    Additionally, both Sector-Specific Agencies and private-sector \nofficials said that an advance notification would be helpful to \nincrease dialogue with ICS-CERT on an event or threat that has not been \nmade public. The private-sector officials suggested that advance \nnotification can allow them to assist ICS-CERT in developing solutions \nand mitigating strategies as well as determining whether an incident is \nisolated or systemic.\n    ICS-CERT management acknowledged the Sector-Specific Agencies', \ncouncils', and private sector's concerns regarding the sharing of \nactive incidents and threats, such as identified cyber intrusions and \nspear-phishing emails. Additionally, ICS-CERT management told us that \nthe private sector perceives that ICS-CERT has more useful information \navailable than it is willing to share. 
However, ICS-CERT management \nsaid that proprietary information and on-going law enforcement \ninvestigations limit the amount of information ICS-CERT can \ndisseminate. For example, there were instances in which the Federal \nBureau of Investigation was engaged in an on-going investigation and \nhad withheld sensitive law enforcement information. Additionally, the \nprotected critical infrastructure information between DHS and the \nprivate-sector owner prohibits ICS-CERT from sharing vulnerability and \nmalware assessment information.\n    We recommended that the Under Secretary, NPPD promote collaboration \nwith Sector-Specific Agencies and private-sector owners/operators by \ncommunicating preliminary technical and on-site assessment results to \naddress and mitigate potential security threats on ICS.\n    Mr. Chairman, this concludes my prepared statement. I appreciate \nyour time and attention and welcome any questions from you or Members \nof the subcommittee.\n\n    Mr. Meehan. Thank you, Mr. Edwards, for your testimony.\n    Before we go to the opportunity for my colleagues to \npresent their questions to you, I am pleased to be joined by \nthe Ranking Member of our committee, the gentlelady from New \nYork, and I recognize her now for opening comments that she may \nhave?\n    Ms. Clarke. Thank you very much, Mr. Chairman, and thank \nyou to the Ranking Member and my colleagues.\n    Mr. Chairman, I want to thank you once again for holding \nthis morning's hearing. After significant expansion of the \nDepartment of Homeland Security's cybersecurity mission and \nprograms beginning in fiscal year 2012, I am glad that this \nmorning we have had the opportunity to examine these programs \nand are now able to assess the progress of the Department in \ncarrying out the mission.\n    As you are aware, this is the subcommittee's third hearing \non cybersecurity in this Congress. 
First we held a hearing on \nthe threats in cyberspace through our critical infrastructure \nfrom state and non-state actors. Next we learned about the \nDHS--how DHS protects the privacy of our citizens in \ncyberspace. With the background in place, today we have heard \nfrom the witnesses about the Department and has the--about \nwhether the Department has people, programs, and resources in \nplace to successfully address the significant cyber threats to \nour critical infrastructure while protecting privacy.\n    It is high time that our subcommittee take a closer look at \nthese programs, some of which did not even exist just a few \nyears ago. The continuous diagnostics and Einstein programs in \nparticular have undergone rapid expansion, and I am pleased \nthat the Department is fulfilling its role as the protector of \nthe dot-gov domain with the resources to match.\n    But though these Federal network security programs get the \nmajority of the funding and attention, I believe the \nDepartment's responsibilities for protecting critical \ninfrastructure, most of which is found in the private sector, \nis equally important. 
For this reason, I am particularly \npleased that we have been joined this morning by Deputy \nInspector Charles Edwards and that he has discussed the recent \nwork done by the OIG to assess the progress that ICS-CERT has \nmade to brand itself as the cyber 9-1-1 for critical \ninfrastructure before, during, and after cyber incidents.\n    ICS-CERT, recently incorporated as an operational arm of \nthe NCCIC, has done great work in mitigating cyber risks to \ncritical infrastructure and it was important that we learned \nmore about this mission and the challenges that still remain to \nshare information with the private sector quickly and \nefficiently.\n    Finally, I want to register my concerns about the \ncontinuing drain of senior cybersecurity leadership at the \nDepartment, a trend that has gotten particularly bad in the \nlast 6 months, with the departures of the assistant secretary \nand the deputy under secretary. We have been hearing about the \ndifficulties DHS faces in attracting and retaining skilled \njunior and mid-level cyber employees for a long time, but \nthis--but what does it say about the Department's cyber \norganization when it cannot retain its senior leaders as well?\n    Rumors are circulating about the future replacements of \nthese losses, and I am sure DHS would like to make a splash \nwith these appointments, getting leaders who command respect in \ninformation security and critical infrastructure worlds. But \nmost of all, DHS needs to find leaders who believe in the \nmission, that will stay on-board as a steady hand on the wheel \nduring this period of immense expansion and evolution of our \ncybersecurity efforts.\n    As part of this process, I believe DHS needs to do some \nsoul searching and identify with why their senior officials \nhave been leaving. If changes need to be made to ensure future \nleaders will be more empowered to do their job, I expect that \nthe Department will do so. 
I hope to work with the Department \nin this endeavor to guarantee that vital cybersecurity mission \ngets the leadership it needs.\n    Once again, I would like to thank all of you for testifying \nbefore us this morning.\n    I yield back the balance of my time.\n    Mr. Meehan. I thank the Ranking Member for her opening \ncomments.\n    We are grateful, again, for your presence here today, of \nthis distinguished panel.\n    So I now recognize myself for 5 minutes of questioning.\n    Let me begin by sharing an observation that I believe we in \nCongress, and in fact, across the Governmental sector, aren't \ndoing a good enough job of really alerting the citizens in \ngeneral about the true nature and scope of the threat that we \nface. We often respond in the aftermath of an incident and \nspend time analyzing what we could have done better.\n    I believe the work that you are doing is not only vital to \nthe security of our Nation, but you have done some tremendous \nthings in the form of anticipating and sharing and \ncommunicating.\n    So please, if I can just ask Mr. Zelvin and Ms. Stempfley, \nquickly, what is your assessment of the true nature of the \nthreat that we face today in the world of cybersecurity?\n    Ms. Stempfley.\n    Ms. Stempfley. I had to figure the button out, too.\n    Thank you very much for the opportunity to answer that \nquestion. As we have all recognized, cyber pervades almost \nevery facet of our life--we do banking on-line, we do--I renew \nmy driver's license on-line, our workplace has gone entirely \non-line--and a recognition of that important part that the \ncyber landscape plays in this is certainly not something I \nthink is widely known. 
So I agree with your point.\n    We in the Department have been very focused on sharing \nactionable information, those threat indicators that can be put \nout there, whether it from a criminal source, whether it come \nfrom a hacktivist source, whether it comes from an intelligence \nsource--putting that in the hands of the people who can do the \nmost with it. I know Mr. Zelvin will give you very specific \nindications of that as he goes through his response to this \nquestion.\n    But we have to pair that with raising the overall \nunderstanding of the population of the role that cyber plays, \nand so some of the other programs that are outside the \ntechnology programs that the Office of Cybersecurity and \nCommunication has in things like the ``Stop, Think, Connect'' \ncampaign and other broad awareness campaigns will raise that--\nserves to raise that awareness so that consumers can understand \nwhat the impact is to them and will live up to some of their \nobligations, as well.\n    Mr. Meehan. Mr. Zelvin, it is consumers, and Ms. Stempfley \nfocused to some extent on the impact on the everyday American, \nbut it is much broader than that, is it not, with respect to \nthe very infrastructure that we have in this Nation, including \nour grids and other things of that nature?\n    Mr. Zelvin. It is, Mr. Chairman. When I look at the \nchallenge I look at the threats, I look at the victims, and I \nlook at the mitigation capabilities. So as you look at the \nthreats, it is as Ms. Stempfley said, it can affect the \nindividuals.\n    But there is also nation states. There are also criminal \nactors. There are nefarious actors and there are just people \nwho want to see if they can do it for the sake of doing it.\n    When you look at the victims, you have companies that are \nworth billions of dollars internationally. 
You have victims \nsuch as my aunt, who called me on a weekend and said, ``Why is \nDHS locking my computer and want $400 to unlock it?'' She was a \nvictim of something called ransomware. Some virus got on and \nshe couldn't unlock it.\n    So the victims are very sophisticated or they are an \nelderly woman who doesn't understand why her computer isn't \nworking.\n    As you look at the mitigation capabilities, they are also \nvaried. Some companies have magnificent capabilities, and \nprobably we need the Government to provide information and a \nwarning of what is happening and some suggestions on what to \ndo, and then they are off and running and can deal with the \nchallenges.\n    Other places, they have no capability. They are not sure \nwhat to do. They are very confused by the threat and they know \nit is a problem, but they are not really sure what to do.\n    In many cases they buy products from the commercial \nsector--anti-virus vendors--and hope that can be the solution. \nBut in many cases it won't as they are stealing personal \nidentifiable information, potentially financial information.\n    Mr. Meehan. Would you jump off of that point, because I \nthink it gets to the heart of what is so important about the \nwork you do in the NCCIC, and particularly the fact that we \nhave a moldable--or we have a broad range of capabilities, as \nyou identified, very sophisticated capacities that not only \nrival but probably work in concert with the capacities--the \nhighest level of capacities that we have in the Government \nsector, and I am talking about the banking sector, in some ways \nthe communication sector and others.\n    In other places we have systems that are dramatically \nbehind, and I am talking about things like water systems or \nother kinds of municipal authorities, but all of which today \nare tied to the internet, and therefore, the operating systems \nare capable of being influenced and attacked.\n    At some point, Mr. 
Edwards, you have done work into looking \nat that.\n    But, Mr. Zelvin, explain the important role that the NCCIC \nplays in being more or less a junction that is able to tie \ntogether the capacity to take the best of what we have and \nallow it to be available to support those industries which are \nlagging dramatically behind.\n    Mr. Zelvin. Mr. Chairman, as I look at the--you know, you \nmentioned what is it going to take for people to understand \nthis cyber challenge? I will tell you, there is a variety of \nexperiences, and those who have been attacked the most are \nobviously the most aware and the most prepared, and that, I \nthink are the financial services sector and the communications \nsector and the information technology sector. These are the \nfolks that are living and breathing attacks on a daily basis \nand they are becoming more sophisticated by the day.\n    There are other sectors, as you mentioned, that haven't had \nthese attacks. So what we do in the NCCIC is we look across the \n16 critical infrastructures and we try and raise the water to \nkeep all the boats at the same level, if you will.\n    So we highlight across the sectors. That is, what is \nhappening in one sector today could be happening in another \nsector tomorrow. So we want to increase the awareness.\n    We are also sharing those mitigation strategies. In some \ncases--in many cases--these are things that companies can do \nthemselves, so we just want to reinforce. 
There is a friction \nwithin the critical infrastructure because in many cases--I \napologize--the information technology and the security folks, \nthey are not part of the profit, so--and there is money that \nneeds to be brought into this solution.\n    So what we try to do is we tell those that are in the \nleadership position to really listen to these security \nprofessionals and really deal with these cyber practices \nbecause they can affect your core businesses.\n    I would also like to mention that we also work with State, \nlocal, and Tribal, territorial governments. We work with \ninternational partners. There are over 200 countries that we \ndeal with almost on a weekly basis.\n    So it is the critical infrastructure, it is our State, \nlocal, Tribal, territorial, it is our Federal Department's \nagencies, international, and as I said, the individuals. But \nthe cyber threat is literally global in nature and we are \ntrying to make sure we have awareness and help with the \nprevention mitigation across the board.\n    Mr. Meehan. Well, my time is expired but I look forward to \nfollowing up on some of that with the second line of questions.\n    Now the Chairman recognizes the ranking lady from--the \ngentlelady from New York, the Ranking Member, Ms. Clarke?\n    Ms. Clarke. Thank you, Mr. Chairman.\n    Ms. Stempfley, I wanted to delve into Einstein 3. DHS has \nrequested large funding increases to build out Einstein 3, \nwhich will help prevent intrusions into civilian Federal \nnetworks. While I am supportive of this program, I am concerned \nabout the progress of such a large initiative and want to make \nsure it is carried out properly to ensure that our Federal \nnetworks are secured and to keep the cost to the taxpayers \ndown.\n    A recent report by GCN Magazine raised concerns that \nEinstein may be over budget and behind in implementation. For \nthe record, can you give the subcommittee an update on \nEinstein, particularly Einstein 3? 
What is the schedule for deploying it at all departments and agencies, and do you expect there to be cost and time frame overruns?
    Ms. Stempfley. Thank you, ma'am.
    Einstein 3 is a part of a comprehensive set of capabilities for perimeter protection known as the National Cybersecurity Protection System. Just about a year ago we transitioned Einstein 3 from being a consolidated, Government-provided hardware and data capability--classified capability to be deployed at the internet service providers--to one that takes advantage of the innovation that the internet service providers can provide into this environment, so that classified Government information and countermeasures can be deployed in an environment where the ISPs, who are most knowledgeable of their own infrastructure and of the ability to transmit traffic, can absorb that and innovate with the Government in this environment.
    We are pleased to have notified Congress, I believe 5 weeks ago, of the award of the first of those contracts with CenturyLink, the first internet service provider, and we are in process of transitioning Federal departments onto that capability.
    An important piece of information here is that we transition Federal departments who are using that service provider. So we are not asking departments to move from whichever internet service provider provides their connection; we are employing this protection measure in place within that mechanism.
    So we are targeting those departments who are--whose service provider is CenturyLink. We are continuing to actively engage with the other four internet service providers for contract award in those instances, and that has been negotiation that is on-going. So we are very happy about that.
    We are still on target to reach our final operational capability in the end of 2015.
This transition that we made a year ago actually moved our final operational capability from 2018 back to 2015, so we saw that as a very beneficial capability for us to employ this protection across the entire Federal enterprise.
    Ms. Clarke. Fabulous. With that efficiency in time is there an efficiency in cost, as well?
    Ms. Stempfley. As it turned out in the analysis, the cost was identical between the two transitions within a small margin. It did not actually save us money but it also did not cost additional money over the life-cycle cost of the program.
    Ms. Clarke. Very well. Thank you for that update.
    Mr. Edwards, you released a report just yesterday detailing serious information security deficiencies at CBP. Is this--a little point of departure but I think it is critical when we look at our vulnerabilities.
    Some of the--what you outlined in your report is that there are some poor practices, including computers that were not locked or not password protected, a failure to require that employees sign in--or sign nondisclosure agreements for sensitive systems they received access to. Making matters worse, many of these issues had been previously identified by the OIG. Your recommendations based on these findings were directed to the CBP chief information officer and the DHS chief information officer but there is no role for the Office of Cybersecurity Communications within NPPD to play to help the rest of the Department improve their cyber practices.
    Could you give us a little more of a sense of what your observations and what this level of vulnerability can mean to the overall cyber environment that we find ourselves in?
    Mr. Edwards. Thank you, ma'am.
    The report that I released yesterday was in reference to the CBP I.T. management letter. Part of the financial statement audit--we use KPMG to do our financial statement audits, and part of that, we also do the I.T.
part of it, we look at the FISCAM functions. There are five controls that we look at. We look at security management, access controls, integration management, segregation of duties, and contingency planning.
    So as we go through not only CBP but various different components, we identified I.T. control weaknesses. Even though CBP has fixed some of those weaknesses in the previous year that we identified, there are still additional controls and weaknesses that we have found that they need to address.
    So as, you know, part of the password protection and people being able to get into the systems, we have found not only in CBP but other parts of--even when we did within one of the components within NPPD we found almost a similar situation, so it is prominent throughout the Department.
    So I think sending a guidance to the entire Department on best practices and, you know, one would think instead of having a password as ``newuser1'' one would change it as soon as they are able to log in, and then maintain that, as well. Not, you know, quite often you find people, you know, writing the username and password and leaving it under the keyboard and other places where people can find it.
    So the--part of the review, what we did was we looked to, as the help desk we call up the component that we are doing the audit on and say, ``I am from the help desk. Can you give me your username and password?'' and without hesitation people tend to just give that up.
    Ms. Clarke. Mr. Chairman, I know that my time is lapsed here. I just wanted to add that, you know, we can put all of the new technologies we want in place but if cyber hygiene has not become a practice, the vulnerabilities remain perilous to us.
    So I want to thank you for your report.
    I yield back the balance--yield back to you, Mr. Chairman.
    Mr. Meehan.
I thank the gentlelady, and I share that same observation.
    We are hearing--I know it is something you are talking about across the sector and we have heard testimony that more than 80 percent of our vulnerabilities could be addressed with better cyber hygiene. I think that is something--again, we talk about this process of educating America and the role that they can play with us. There is more sophisticated things and that is what you are dealing with, but we need the Nation to join us in battling the threat by doing better cyber hygiene.
    Ms. Clarke. We start with our own agencies, right?
    Mr. Meehan. We start with our own agencies, that is right, by setting the example.
    I am very grateful for that testimony, and now the Chairman recognizes the gentleman from Texas, Mr. Vela, for any questions he may have.
    Mr. Vela. Yes. Yes. On the issue of workforce, can you begin by explaining to us how your different divisions interact?
    Ms. Stempfley. Thank you, sir.
    In the Office of Cybersecurity and Communication we have five divisions, and those divisions span responsibility from National security emergency preparedness communications--that is the Office of Emergency Communications; the Office of Stakeholder Engagement and Critical Infrastructure Resilience, which is principally responsible for our outreach efforts, for our engagement with critical infrastructure to raise their understanding at a macro level, which is obviously supportive of the operational role that the NCCIC plays; as well as our Network Security Deployment Division, which is responsible primarily for the building and deployment of the--and operation of the National Cybersecurity Protection System; and finally, our Federal Network Resilience Division, which is focused on the dot-gov protections.
That is both in terms of direct interaction with Federal departments and agencies and the building of the capability that you discussed earlier, the continuous diagnostics and mitigation capability, which is focused on the cyber hygiene for the Federal enterprise.
    Those five divisions operate together under the Office of Cybersecurity and Communications. You can see the mutually supportive role that they play.
    For example, the communications infrastructure is moving to being I.P.-based. With an I.P.-based communications infrastructure you bring with it particular risks and opportunities. The technology awareness mechanisms of that are shared, then with the Stakeholder Engagement Organization and the threat information provided from the NCCIC is then disseminated and distributed.
    That data all support the requirements that go into the National Security--excuse me, the Network Security Deployment Division, and the Federal--and we want the Federal Government to be the best example of the right things to do within the Federal Network Resilience Organization. We realigned this structure last November, so not quite a year ago. It has been a very beneficial activity for the Office of Cybersecurity and Communication.
    Within the Department, the deputy secretary chairs a panel that ensures that we are--excuse me--coordinating across the Department. There is both operational engagement on the NCCIC floor from our Department colleagues for Secret Service, from Coast Guard, and others. We have policy conversations across the Department to ensure that we are sharing. We have a strong partnership with the CIO so that those FISMA requirements that we--the operational requirements that we publish in partnership with OMB are coordinated with and shared with the CIO organization to understand what that might mean to a large department that is informing back to us.
    Mr. Vela.
The Ranking Member mentioned--or referenced a problem with retention of workforce, and are you seeing that in each of those five divisions, or--can you explain that?
    Ms. Stempfley. Absolutely. It is a competitive landscape for cybersecurity professionals. We are actively recruiting.
    If you look at the growth in terms of civilians that we have had in the Office of Cybersecurity and Communications in the 3 years I have been here, we have been actively engaged in this recruiting process. Mr. Zelvin shared earlier today with me a fact that, you know, for each announcement that we put out there we get candidates applying in numbers close to 100.
    The issues that we have in this competitive landscape are that the Department of Homeland Security's authorities for meeting the hiring needs are not commensurate with the other Federal departments' authorities, and so both in terms of pay and retention capabilities, we are competing against our own colleagues in the Federal Government and continue to compete against our colleagues in the broad commercial landscape, as well.
    We have a phenomenal mission and we keep people in part based on the mission responsibilities that we have. We do not have an exorbitant attrition rate at the operational level, certainly. People leave; they leave on, you know, based on their family and life desires. We don't see this, you know, exceptional attrition rate.
    But we do see that strong competition.
    Mr. Vela. So are you saying that you can't pay people enough, essentially?
    Ms. Stempfley. That is part of the issues, yes, sir.
    Mr. Vela. I noticed that your title is you are an acting assistant secretary. At the levels of leadership are there many spots that have not been permanently filled?
    Ms. Stempfley.
Within the Office of Cybersecurity and Communication the acting assistant secretary is the only leadership position that has not been filled--or the assistant secretary. I have full-time career leadership. I am permanently the deputy assistant secretary so I am the full-time careerist in that position. At each of the division director level I have full-time fill in, you know, all of those as career positions.
    Mr. Meehan. I thank the gentleman for yielding back.
    We now recognize the gentleman from Nevada, Mr. Horsford, for his questions.
    Mr. Horsford. Thank you, Mr. Chairman.
    Appreciate very much this panel. You know, we have been meeting, as one of the new Members on this committee, a lot of the people in the private sector, and I want to commend the Center on its collaboration with a number of key private-sector entities and sectors.
    My question pertains to this collaboration with the private sector.
    You mentioned in your testimony the work with the over 6,400 private-sector firms that work with the Center, and inevitably some of those have to be competitors, of course. So can you discuss the protocols and measures that you all have in place to ensure that one company's sensitive data does not pass on to another, particularly to a competitor, and what procedures are in place should such an incident occur?
    Mr. Zelvin. Yes. Thank you, Congressman.
    Last year alone, as Ms. Stempfley said, we had 190,000 incidents reported and we put out almost 8,000 reports. This year we are going to exceed that just in--by May about 68 percent.
    So when we get information there is a variety of ways a business can report. They can tell us that it is okay to say it is their company, and that is not an often occasion; they can ask us to anonymize, and we have this thing called traffic light protocol, and it is literally just an agreement between friends that we will not share.
When I first saw it I was somewhat skeptical but it actually works, and we have a variety of ways of quantifying using a stop light protocol--red, yellow, green, so on and so forth, and it is actually an effective means.
    We have statutory capabilities under PII, Protected Infrastructure Information--I think I have the acronym right. But there is a statutory basis that we can anonymize information, and let's say, you know, you work for a financial sector. I will just refer to you as ``financial sector seven,'' or ``FIN7,'' or ``FIN8.'' What is important is not the identity of the company but the ability to port across cross-sector what is happening and, more importantly, what do you do about it.
    So we have folks on the floor at the NCCIC, so we have NSA, we have FBI, we have Secret Service, we have Cybercom. We also have all the information sharing and analysis centers of the financial services, communications, information technology, and also folks from individual companies that have full access to the floor even when we are at Top Secret or above classification. They have full access to all our computer systems, both the highly classified all the way down to below.
    So as you have these folks on board we are very cognizant of the competitor aspect, so we have abilities to put a label that anonymizes it that is either done through agreement or through statutory. In the agreement, why do--you know, why wouldn't we share? Well No. 1, I don't really need the information; the second thing is I don't want to betray your trust because if I do you will never talk to me again.
    So, you know, we are very cognizant of it and we are very successful at it, as well.
    Mr. Horsford. So my other part of my question is, it seems like some sectors are better at this than others, so how concentrated are certain sectors in working with the centers and do you see gaps?
If so, what can we as Congress do to help facilitate bringing the sectors who aren't doing their part, you know, into the resources that you all have available?
    Mr. Zelvin. Yes, sir. Who has really focused on meeting the challenges really depends on their experience, as I mentioned, in cybersecurity and the attacks. There are certain sectors that have had a large number of attacks; there are others that haven't yet. It is all of our challenge to go out to them and say, ``Hey, this is really what others are facing, these are the things that you could be facing, and these----''
    Mr. Horsford. If I could be more specific----
    Mr. Zelvin. Sir.
    Mr. Horsford. So these people come into my office every day and my job is to, you know, encourage them to participate. You all have great capacity among Federal agencies, but as I have heard it, as the Chairman and the Ranking Member have educated us, the vulnerability is on the private-sector side and the private sector isn't always doing its part, and there are key sectors that seem to be completely kind of disengaged. So what do you need from us as Congress specifically to get those sectors to be more involved?
    Mr. Zelvin. In my view it is the continued dialogue and the continued conversation that we are having.
I think, as I look--you know, as I have briefed senior leaders, as I have briefed staff, you know, people generally understand there is a problem but they don't understand what to do about it, and when you talk about the problem they don't really--they know there is something wrong but they really have trouble quantifying what is it.
    The other thing I will tell you--and I say this often--the lexicon in cyber is not English, so if I say ``phishing,'' if I say ``D-DOS,'' if I say ``Trojan''--when I say ``phishing'' most people go to a lake someplace and think about, you know, maybe catching a fish but that is not what I am speaking of.
    I have often said also is that if I told you there was a Category 4 hurricane that hit the Gulf Coast you would go, ``Oh, that is bad.'' Category 1? It is bad, but 4 is worse.
    If I told you there was an 8.0 earthquake on the West Coast you would automatically go, ``That is incredibly bad.'' 1.0? Most Californians probably wouldn't do anything.
    What is that in cyber? How do we get that imagery? How do we get the awareness across to the public of, ``Boy, this is something that is bad but we could probably be okay,'' or, ``This is catastrophic and we need you to do these measures such as leave, you know, other precautions.''
    So we are still working that and I am hopeful, but we are not there yet.
    Mr. Horsford. Thank you, Mr. Chairman.
    Mr. Meehan. I thank the gentleman.
I certainly, you know, one of the aspects are the ISACs and other things that can be present, and I think the gentleman's questioning was right on target about those that are engaged and those we have to do a better job of attracting.
    It is important to appreciate the vital role that you play and the interplay among our Governmental agencies at the outset before we get down to dealing with the various private-sector industries that are part of it, so I want to ask you to go for a moment off of this important observations, and it comes from General Alexander, who is the head of the NSA, and I use it in his words, and he says, ``I see the Department of Homeland Security as the entry point for working with industry,'' and there is great reasons for it: Transparency, having everybody doing exactly the right thing together to work as a team.
    The FBI, NSA, Cyber Command--the FBI would lead law enforcement and the attributions; NSA will work with foreign intelligence; Cyber Command are defending the Nation. But they have a civilian agency, by his own testimony, at the core of the ability for us to have a communications infrastructure that works across the Governmental sectors first and then simultaneously work effectively in real time with our civilian sectors.
    So please give me your observations with regards to somebody as significant as General Alexander looking at DHS as the center point for the engagement of our approach to cybersecurity.
    Mr. Zelvin. Thank you, Mr. Chairman.
    I agree with the general's assessment so much so I joined the Department. DHS is purely that civilian entity, and when folks come to us they know--and there is important other roles in Government, but within DHS we are really about that protection, prevention, mitigation, response, and recovery.
We really do want to help understand the problem not only technically but through the tactics, techniques, and procedures, and then work through those mitigations, and then share that information, as I said, with the partners I have mentioned--State, local, critical infrastructure, international, other Federal departments and agencies.
    So when folks come to us--and it has been interesting. A number of private-sector partners have come to us because they see us as that place in Government where they can have a discussion where it is purely technical, there is not concerns potentially of being asked a lot more questions that will lead to other things and it is important for Government to do.
    As you look at vulnerabilities in cyberspace, there are things that have the potential for malicious activity but haven't quite matured to that point yet, and I look at things like have happened to a number of companies in that we discover a vulnerability that if somebody did something it could be catastrophic, but they haven't done it yet. Those are really the areas that we want to get ahead of.
    We don't always want to be responding. We don't always want to be catching up to our adversaries. We want to get ahead of those.
    For companies it can be often uncomfortable to say, ``We discovered a problem,'' and they don't want to be attributed--they don't want their competitors to say, ``See, look. They are having yet another problem.'' So they come to us and we have the ability to provide the anonymity, work through the technical solutions, and then get it across the Nation and across the world so people can understand the threat and mitigate it without the fear of additional questions about who did it and where did they do it and how.
    Mr. Meehan.
Effectively, you are a civilian agency so it removes some of the concern that legitimately people have outside that we are having private sector share either back and forth with our more sophisticated Governmental agencies like the NSA or FBI.
    Mr. Zelvin. That is correct, sir. It is absolutely a civilian organization and I don't have the challenges that some of my partners do in that I am not being pushed for things like attribution; I am not being pushed for bringing prosecution. There are other important entities that do that; that is not my role. My role is just to understand the problem and come up with the solutions.
    Mr. Meehan. Let me jump into one other piece, because we have done a good job of identifying the important role we place vis-a-vis the other Governmental--critical Governmental agencies, and of course, that extends down through the entire Governmental structure. But at the same time, we have relationships with the private sector.
    Now, those looking from the outside can get lost in forest, but there has been a lot of thought into how we are organized and I am impressed by it. Explain quickly: We have 16 different sectors--17 different sectors in which industries are organized, and they have their own sector communication coordinating councils in which they themselves look at the unique nature of threats, such as something that may go uniquely to banks, the denial of services as an example.
    Within those coordinating councils some--and this goes to Mr. Horsford's line of questioning--some have created what we call the ISACs, these information sector analysis coordinating teams--very sophisticated for their--and they are housed with you. But my recollection is we have only got about four that are in there.
They are some of the best, but we have got a lot of agencies or private-sector entities that may be lagging.
    Can you give me your observations with regard to how it is that, you know, we are effectively organized in that way but what we can do to begin to attract the collaboration of all of the other entities?
    Mr. Zelvin. Yes, Mr. Chairman.
    We deal with all of the critical infrastructures. We are working across the board. But I will tell you, as I look across the financial services sector, and specifically the Financial Services Information Sharing and Analysis Center, the FS-ISAC, they have done an absolutely extraordinary job helping us work through the recent distributed denial of services hacks that have been going against the financial institutions.
    So the Financial Services ISAC has not only been able to coordinate with Government, but also among itself. They provide extraordinary information not only with each other but also with Government. Some of the best information I get from the distributed denial-of-services comes from the private sector, and it is not only the sharing with us but also sharing within each other.
    The Communications ISAC, the Information Technology ISAC have similar experiences. I will also tell you, the Multi-State ISAC, so the sharing between all the States and the possessions and the territories--that information mechanism is very effective.
    There are others that we need to build up to that capacity, but I would tell you, I don't see that as a negative; I see it as a positive. We have learned a lot since these distributed denial-of-services attacks, and also the malware attacks that have affected Saudis and also in Qatar.
    This has changed the dynamic in cybersecurity just in the last few months.
So ideas that were really well-thought-out earlier are really being developed and we need to catch back up with the others as we stay focused on the financial services sector, the comms, and----
    Mr. Meehan. You mean you are learning things with financial services that could apply to other sectors.
    Mr. Zelvin. That is exactly right, sir. I often tell folks that we need to share this across because the financial services sector needs power, they need water, they need transportation, they need health. They say, ``Why would we share with you? Why would you tell DHS?'' Well, because we have the ability that is unique in that we can share with these other sectors and we can make them aware of the challenges and we can share the mitigations, so why would you rebuild that capacity when it already exists?
    Mr. Meehan. Well, thank you.
    My time is expired and I now recognize the gentlelady from New York for her follow-up questions.
    Ms. Clarke. Let me thank you, Mr. Chairman, and acknowledge that we have been joined by our colleague on the Homeland Security Committee, the gentlelady from Texas, Ms. Jackson Lee, and ask for unanimous consent that she be authorized to sit and question the witnesses at today's hearing.
    Mr. Meehan. Pleased to do so. Unanimous consent, the gentlelady will be recognized in order, and I thank her for coming today.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    I want to question each of you, just get your perspective on the dichotomy between the Enhanced Cybersecurity Services and Einstein. I support the expansion of the Enhanced Cybersecurity Services program to make sure that our critical infrastructure companies can benefit from U.S. Government intelligence on cyber threats.
However, in the privacy impact assessment the Department states that Federal agencies as well as critical infrastructure may use ECS while the Einstein intrusion prevention capabilities are still being built out.
    My question is: Doesn't it seem a bit backwards or redundant, and how is it that you could build a cutting-edge cybersecurity program and have it available to the private sector before the Government itself adopts it? What is it about ECS that will make it available much more quickly than Einstein 3?
    Ms. Stempfley. Thank you, ma'am.
    The Enhanced Cybersecurity Services is, as you point out, a cutting-edge capability in that it is the first time we have been able to provide effectively classified and sensitive countermeasures and indicators to commercial entities through a trusted cybersecurity provider, I think is very important. So we are very excited about this opportunity and engagement in both growing the number of service providers and the market that it generates with critical infrastructure partners.
    It provides, as you point out, in the privacy impact assessment, protection against--with two countermeasures: Domain name service and e-mail protection. Those are not in the traffic flow kinds of protection, which is the requirement for Einstein 3, and so there is a fairly important distinction there.
    While we will work to enhance the Enhanced Cybersecurity Services, enabling it to keep up with the threat environment and to provide new countermeasures into that capability, we are certainly in progress in that environment.
We will reach that in a much more rapid manner in the Einstein 3 capability because its baseline requirement is to provide that in a real-time capability inflow.
    That is a very technical way of describing--a technical way of describing it, the difference being inflow means you are actually affecting through the pipe as it is going on; out of line effectively means it gets stored, processed, and then forwarded on.
    Mr. Zelvin. Ma'am, I will tell you, there is some--I have a truly exciting job, and one of the really exciting parts is as you look at that dot-gov domain and the security awareness that I have, it is unlike any of others--so you have the dot-com, the dot-gov, and the dot-mil.
    So right now on the dot-gov I have extraordinary awareness of the traffic that is going on and we are watching that in almost a real-time basis in my center at the NCCIC. I have met with the Defense Department and we are building an awareness of the dot-mil similar to what we have on the dot-gov. So between the two of us we will have really strong awareness of what is going on.
    The dot-com will remain a challenge, but DHS has that dot-gov responsibility. We are able to watch it, as I said, on a near real-time basis, and as we get these new enhancements, what we are able to do now is just to be able to see there is malicious activity and warn. What we will able to be doing here shortly is just not warn but actually mitigate and investigate and analyze.
    Because right now it is sort of like you know there is something bad in the mail but you let it get to the mailbox. Well, now we are going to be able to stop that and do appropriate measures to make sure that that bad delivery isn't made.
    Mr. Edwards. I will just agree with both Larry and Bobbie on this.
    Ms. Clarke.
Very well.
    So is it anticipated that at some point the ECS will be phased out or become obsolete, or is there a unique capability within that instrument that is compatible or can partner with Einstein 3?
    Ms. Stempfley. Certainly. The ECS is intended to be a program for that information sharing and protection for the critical infrastructure. It has very, very limited report back to Government, obviously. Only, ``Did that indicator work? Is that a valuable piece of information for protection measures?''
    We would anticipate that to continue and that we would employ more countermeasures as we go through the legal, privacy, and other considerations for employment of those countermeasures in the unique situation of critical infrastructure.
    E3, and E3 Accelerated in particular, and its wide set of capabilities for the Federal enterprise we anticipate existing, as well. The specific countermeasures and which one would come forward into the Government space or the critical infrastructure space is really based on the very different legal models that are appropriate for us in that space.
    Mr. Meehan. I thank the Ranking Members.
    The Chairman now recognizes the gentlelady, Ms. Jackson Lee, for any questions she may have.
    Ms. Jackson Lee. Let me thank, first of all, the Chairman and the Ranking Member for holding the hearing and your courtesies of allowing me to come and to ask questions for something that I think is crucial for the entire Homeland Security Committee.
    Let me start out--and I am going to just offer for you to answer the questions who can answer it, and I will then ask the particular person if no one jumps in. The CERT teams that we have--this is enormously important, this whole idea of communication, the whole idea of reacting to the cyber threat--with respect to the CERT systems, do we have the capacity to have a particularly defined CERT for each of the industries?
I \nthink of oil and gas; I think of the health-care industry, \nwhich is massive.\n    That is my first question: Do we--are they defined so \nspecifically that they focus on the needs of a particular \nindustry?\n    Madam Secretary.\n    Ms. Stempfley. Ma'am, if I may take a----\n    Ms. Jackson Lee. Yes. Thank you.\n    Ms. Stempfley [continuing]. A first crack at your question, \nthe technologies that are in use across these industries are \nvery similar, and because of that the organization of our cyber \nemergency response teams or computer emergency readiness teams \nare oriented to be useful to all of the sectors, versus a \nparticular emergency readiness team focused on any one sector. \nSo you see the information technology infrastructure largely \ncovered by the US-CERT, then the operational technology control \nsystems community operated by the Industrial Control Systems \nCERT.\n    So the infrastructures in the oil and natural gas, or in \ntransportation, or in those mechanisms are largely produced by \nthe same companies and in the same environment. This has proven \nto be one of the most effective and efficient organization \nmodels.\n    Ms. Jackson Lee. Let me follow it with two questions, and \nmaybe I will have time to make a comment. Thank you for that.\n    We all understand that finding a problem in computer \nsecurity or cybersecurity is like finding a needle in a \nhaystack, and so have we developed the sophistication to be \nable to target where the problem is, to target where there is \nactivity?\n    My other question is on the Einstein 3 I notice that there \nis certainly a need for skilled individuals, and my question \nis: Do we as the Government have the capacity to bring people \nin laterally? It speaks to my issue of the STEM and \ndiversifying. STEM education is great but it starts at \nkindergarten. 
If we need people right now, do we have the \nability to cross-train them in the Government, which adds to \nthe diversity and the skills that we need?\n    I will--those are the two questions I will pose.\n    Mr. Zelvin. Congresswoman, if I can maybe finish your first \nquestion and get to the second and----\n    Ms. Jackson Lee. Yes.\n    Mr. Zelvin [continuing]. Ask Ms. Stempfley to do the third. \nSo on the first question on the specific CERTs for each of the \nsectors, I will tell you that when we operate in a sector we do \nit in intimate partnership with the sector-specific agency and \nthe sector-specific coordination councils. So if there is an \nenergy problem we are with the Department of Energy; if it is \noil and natural gas, Department of TSA; Finance; Treasury; so \non and so forth. We are fully partnered.\n    So we bring the technical skills, the ability to understand \nthe virtual and I.T. environment. They bring the experience and \nwealth of knowledge within----\n    Ms. Jackson Lee. Do we have the capacity to target if there \nis activity that is in essence piercing our cyber framework \ninvolving our proprietary information? If somebody is attacking \nour system, you have that capacity?\n    Mr. Zelvin. We have the--some capacity. We do not have \nabsolute capacity.\n    Ms. Jackson Lee. What would you need to get absolute \ncapacity?\n    Mr. Zelvin. Extraordinary intelligence and information. So, \nyou know, in many cases there is vulnerability. So there was a \nmistake made and then found, and so there are things you do to \ncorrect that mistake.\n    There are attacks. There are people who are purposely \ntrying to do something you do not wish them to do. In many \ncases and not all--in many cases you are there reacting to the \nchallenge and then building that technical mitigation to \nprevent.\n    However, there are times they are are going to be--you \nknow, we have to be good every time; they have to be good just \nsome of the time. 
So I would never say that we are ever going \nto get to that place where we will be able to protect \neverything, but we have a great deal of information but it \ndoesn't mean that we don't have vulnerabilities.\n    I would ask Ms. Stempfley to follow up.\n    Ms. Stempfley. We want to certainly thank Members of this \ncommittee and others for supporting the resource request that \nthe Department has had over a number of years. You have seen \nthe build-out of the capabilities in the National Cybersecurity \nand Communications Integration Center, which has been directly \nto your capacity question. We operate every day in that center, \nsharing information as a part of it.\n    There is a responsibility the private sector has for \nadoption of best practices and adoption of cybersecurity \nprinciples, and we continue to work with them for further \nmovement in that area.\n    Your final question was on hiring and, in particular, is \nthere--if I understood your question correctly----\n    Ms. Jackson Lee. Cross-training.\n    Ms. Stempfley. Right. So is there an ability for lateral \nhiring, I believe is what you said. One of the things that I \nthink is universally recognized is that, given the importance \nof cybersecurity and the need for cybersecurity professionals \nin this area, we--all of the Federal enterprise and our \ncommercial partners are engaged in trying to build the \ncapabilities to ensure we have that.\n    The Secretary chartered, through the Homeland Security \nAdvisory Council, a cyber skills study that looked at the \nDepartment itself. 
The Department also has important \nresponsibilities under the National Initiative for \nCybersecurity Education, which continue to engage raising that \nlateral mechanism, that cross-skills.\n    We certainly have to focus not only on, as you point out, \nSTEM starting young--I am raising several kids who I am trying \nto direct into the technical workforce, as well--but to ensure \nthat we have the capacity at a lateral level.\n    We do this cross-training support in the Office of \nCybersecurity and Communications. When we have an incident the \nNCCIC can call on individuals from across the SNC, can call on \nindividuals from across the Department. One of the findings out \nof the Cyber Skills Task Force was the creation of a cyber \nsurge capacity within the Federal Government and the Department \nspecifically, to address your question.\n    Ms. Jackson Lee. I would like to follow up with you.\n    I thank the Chairman and Ranking Member for their \ncourtesies. Thank you very much.\n    Mr. Meehan. I thank the gentlelady for her attendance here \nand for her questions.\n    I just have one--a couple of closing questions based on \nyour testimony here today.\n    Mr. Edwards, you identified something which goes to the \nreality that while we are dealing with a lot of these issues \nand the need for collaboration across sectors in the Government \nand, simultaneously, with the private sector, one thing you \nfocused on that is the reality of this threat is speed. It is \nhappening in real time and there is a need for us to be \nresponsive in real time.\n    Now, you have looked critically at the challenges that we \nface, so the first issue is, as you stated, sometimes \ninformation has gotten to our partners in the private sector \nbut we have got to do a better job of organizing it so it \nallows them to get to the heart of what they need to know. 
The \nsecond thing is that we have got to try to find ways to be able \nto coordinate with our partners more in the sense of: ``Hey, we \nare seeing something in your systems and we are going onto \nit.''\n    So how do we both maximize our ability to get the \ninformation that people need to know across sectors, not just \nin sectors? Then how do you tell people--when you are not even \nsure what you are looking yourself, where do you find the right \nbalance of telling somebody you might be looking at something \nin their systems versus creating an alarm that may not be \nrealized because you don't know what you have yet?\n    Mr. Edwards. Thank you, sir.\n    The Department has done a good job in advancing \ncybersecurity. One of the recommendations that we made was when \nyou are passing out this information through--whether it is \nHISN, and now they are going to move to HISN-3--is to--for the \nentities to be able to share that information, you know, and \nalso not to drill down to get to a particular question they are \ntrying to answer. So I think HISN-3 is going to help towards \nthat.\n    But also the communication part of it. You know, there is \nexcellent collaboration between the private sectors and the \npublic sectors.\n    But among the folks that we interviewed, quite often we \nfound is a lot of this is also based on relationships, and the \nDepartment has senior leadership positions where people from \nthe private sector pick up the phone and establish a \nrelationship to somebody by name and now that person has moved \non, they don't know who to contact. So rather than establishing \nrelationship based on individuals, it needs to be based on \nprocesses and procedures, and I think the Department is moving \ntowards that.\n    But also, there is--private sector does a really good job \nin handling best practices. 
Larry's team, you know, by the \nreorganization and putting ICS and US-CERT and ISAC and C3O-I, \nall of them at one level is moving toward that. But you also \nfind information and trend analysis that the CERT team is going \nto help towards that.\n    Mr. Meehan. Well, I thank you.\n    Let me just ask Mr. Zelvin and Ms. Stempfley, how about the \nprivate-sector companies themselves sharing information with \nthe Government? What kinds of challenges do we have in that \narea?\n    Mr. Zelvin. Thank you, Mr. Chairman.\n    The biggest challenge, I will tell you, is a lack of \nclarity, of understanding what information can be shared. So it \nis quite often that we will meet with private sector entities \nand we are--we believe we have the ability to share information \nbut there is anxiety. There is absolute determination not to \nviolate law, regulatory guidance.\n    Mr. Meehan. Is this information coming from you to them or \nfrom them to you?\n    Mr. Zelvin. From them to me, sir. There is also, you know, \nlack of clarity as to what I can share with them but, you know, \nas we have looked across Government I have been given the \nthumbs-up from leadership and also those who look at what we \nare sharing in--across Government and says, ``No, this is \nappropriate and this is okay.''\n    But that lack of clarity of what information can be shared \nis--still exists and there is anxiety, so----\n    Mr. Meehan. What is the anxiety related to? Things like \nliability protection or otherwise?\n    Mr. Zelvin. It is, sir. The ability to, as I said, that \nthey are not breaking law, that they are not breaking \nregulatory compliance. They are just not sure so they err on \nthe side of caution.\n    As you mentioned, Mr. Chairman, speed is of the essence, so \nas the folks review all this data it is taking up precious \ntime. 
We have, in our--many of our products and what we are \nstarting to receive from the private sector and just recently \nthis week an international partner is machine-readable \ninformation. That is wonderful because it is starting to take \nthe humans out of the information exchange between us. What \nwould be even better someday would be that machine-to-machine \nreal-time information sharing.\n    But I will tell you, the technical challenge is not, in my \nopinion, as great as the policy challenge. We first have to \ndefine what is it that we are sharing, and then we can design \nthe machines to share it.\n    Mr. Meehan. Well, with the tremendous scope of information, \nultimately it is going to have to get to machine-to-machine \nbecause of the computing capacity that could go through \nsomething in hundredths of a second that would take days for \nhumans to be able to analyze.\n    Mr. Zelvin. Mr. Chairman, I agree. Right now there is a \ngreat deal of time spent preparing the information, sending the \ninformation, understanding the information, and then making the \ninformation actionable. We need to compress that loop of \ndecision-making as small as we can get. I don't know if we will \never get to zero but we sure as heck can do a lot better than \nwe are now.\n    Mr. Meehan. Okay.\n    Ms. Stempfley.\n    Ms. Stempfley. Sir, one of the important things that the \nI.G. recognized and Mr. Zelvin spoke to is that this \ninformation sharing is in part based on trust, and you have to \nhave a sense that the information will be used in the best \ninterest of all parties as we go forward. That trust used to be \nperson-to-person. 
We have moved it from person-to-person to \norganization-to-organization and we will continue to do so.\n    One of the important ways that we are moving forward in \nthis model is to communicate with our private-sector partners \nin ways that are most beneficial to them, which means that we \nhave to be able and willing to ingest that information in the \nmethod that is most appropriate from our private-sector \npartner, and we must be able to produce our indicators, our \nalerts in methods that are appropriate without a--with a \nrecognition that it may not be identical. We talk about the \nfinancial sector and the financial sector ISAC being one of our \nmature ISACs, and there being other sectors who are not at that \nlevel yet.\n    So providing a piece of information to a high, capable \norganization may prove for it to be not as useful to an \norganization that isn't ready to ingest that. So we have had a \nreal focus, not only in the NCCIC but across the entire Office \nof Cybersecurity and Communications, to release this \ninformation in a multitude of platforms and in a multitude of \nformats. So this machine-consumable output is formatted in a \nway that can be consumed by these different entities.\n    This two-way dialogue helps to build that trust, which is a \npart of what we have to overcome is that sort of initial \ndistrust that comes in any relationship.\n    Mr. Meehan. Well, I thank you for the good work that each \nof you is doing, and on behalf of all of your entities, for not \nonly creating the framework for this sharing of communication \nbut by virtue of the collaboration that you are doing, \nenhancing that trust and enhancing our ability to protect our \nhome front from the serious threat. We opened this hearing with \ndiscussing the very real concern about cybersecurity here in \nthe Nation.\n    Is there any closing thought that you--any of you have \nbefore we close the record this morning?\n    Ms. Stempfley. 
If I may, I want to thank you again for this \nhearing. I think it is--the topic is one of absolute import for \nus as a Nation and we are grateful for your attention and your \ntime here.\n    I hope that you heard the commitment the Department has to \nthis important mission and to ensure that we account for those \nmechanisms that are so vital: That inextricable tie between \nprivacy, civil rights and civil liberties, and cybersecurity; \nthe need for adoption of security principles across our \ncritical infrastructure partners for information sharing.\n    We talked about some of the important needs for hiring \nauthorities for some of the programs that I know you are \nsupportive of in Einstein. Our law enforcement colleagues in \nthe Department continue to seek tools they need to fight crimes \nin the digital age, and that National breach reporting \nrequirements that I know you are discussing.\n    So thank you so much for your time and attention on this \nmatter, as well.\n    Mr. Meehan. Thank you.\n    Mr. Zelvin. Mr. Chairman and Ranking Member, I would just \nalso like to thank you for having us today. Really appreciate \nthe opportunity to talk to you.\n    You, your colleagues, your staff, and their colleagues are \nwelcome at the NCCIC any time. We would welcome the opportunity \nto show you what the great men and women within the NCCIC, \nwithin CC&C and DHS are doing.\n    I served 26 years in uniform in the Defense Department and \nI will tell you, the people that I work with at DHS every day \nare as good as fine as anyone I served with in uniform. Their \npassion and their patriotism are just as high as those I served \nwith in uniform.\n    I would also like to say that our partnership with our \nclosest colleagues, both in the FBI and NSA, is critical. 
So it \nis truly a unity-of-effort approach, and that integration \ncontinues to grow and we look forward to the opportunity of \nhaving it grow not only within Government but also private \nsector and international.\n    So thank you.\n    Mr. Meehan. Thank you.\n    Mr. Edwards.\n    Mr. Edwards. Well, we live in a virtual world so, you know, \nDHS has matured and it is improving and it is moving in the \nright direction, but much work still needs to be done. The \nthreat is not only going to be coming from nation states, but \nfrom hackers, but also the threat within. We have to be mindful \nof that.\n    I hope I can come back and issue a report and say the \nDepartment has done perfectly everything right and there are no \nfindings and no recommendations. That is what I hope I can do, \nbut still there is much work to be done.\n    Thank you.\n    Mr. Meehan. Well, we would all love to be able to do that, \nbut that is the important responsibility we have on oversight \nand we thank you for the good work that you are all doing to \ntry to aspire to that standard.\n    So I thank all of you for your testimony. The Members of \nthe committee may have additional questions, and if they do we \nwill ask you to respond in writing in the appropriate time.\n    So without objection, the subcommittee stands adjourned. \nThank you.\n    [Whereupon, at 10:32 a.m., the subcommittee was adjourned.]\n\n                                 <all>\n\x1a\n</pre></body></html>\n"