b"<html>\n<title> - OVERSIGHT OF EXECUTIVE ORDER 13636 AND DEVELOPMENT OF THE CYBERSECURITY FRAMEWORK</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n               OVERSIGHT OF EXECUTIVE ORDER 13636 AND \n                DEVELOPMENT OF THE CYBERSECURITY \n                FRAMEWORK\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 18, 2013\n\n                               __________\n\n                           Serial No. 113-27\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n86-034 PDF                    WASHINGTON : 2014\n_____________________________________________________________________________\n For sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov Phone: toll free (856) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washngton, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. 
Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nRichard Hudson, North Carolina       Eric Swalwell, California\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                 Patrick Meehan, Pennsylvania, Chairman\nMike Rogers, Alabama                 Yvette D. Clarke, New York\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nJason Chaffetz, Utah                 Filemon Vela, Texas\nSteve Daines, Montana                Steven A. Horsford, Nevada\nScott Perry, Pennsylvania            Bennie G. Thompson, Mississippi \nMichael T. 
McCaul, Texas (ex             (ex officio)\n    officio)\n               Alex Manning, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Patrick Meehan, a Representative in Congress From \n  the State of Pennsylvania, and Chairman, Subcommittee on \n  Emergency Preparedness, Response, and Communications:\n  Oral Statement.................................................     1\n  Slides.........................................................     3\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Emergency Preparedness, Response, and Communications:\n  Oral Statement.................................................     8\n  Prepared Statement.............................................    10\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security..............................................    11\n\n                               Witnesses\n\nMr. Robert Kolasky, Director, Implementation Task Force, National \n  Protection and Programs Directorate, U.S. Department of \n  Homeland Security:\n  Oral Statement.................................................    13\n  Joint Prepared Statement.......................................    15\nMr. Charles H. Romine, PhD, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology, \n  U.S. Department of Commerce:\n  Oral Statement.................................................    19\n  Joint Prepared Statement.......................................    21\nMr. Eric A. 
Fischer, PhD, Senior Specialist, Science and \n  Technology, Congressional Research Service, Library of \n  Congress:\n  Oral Statement.................................................    23\n  Joint Prepared Statement.......................................    25\n\n\nOVERSIGHT OF EXECUTIVE ORDER 13636 AND DEVELOPMENT OF THE CYBERSECURITY \n                               FRAMEWORK\n\n                              ----------                              \n\n\n                        Thursday, July 18, 2013\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:05 a.m., in \nRoom 311, Cannon House Office Building, Hon. Patrick Meehan \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Meehan, Marino, Clarke, Keating, \nand Vela.\n    Mr. Meehan. The Committee on Homeland Security, \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies will come to order.\n    Subcommittee is meeting today to examine the implementation \nof Executive Order 13636 and the administration's cybersecurity \nframework, and I recognize myself now for an opening statement.\n    I would like to welcome everybody to today's hearing, which \ncontinues our subcommittee's efforts to provide oversight over \nthe President's Cybersecurity Executive Order 13636. The focus \nof the Executive Order is to provide protection for our \nNation's critical infrastructure sectors from cyber threats. 
\nThese sectors include our energy and nuclear facilities, our \nNation's transportation systems, our defense industrial base, \nand financial services, among others.\n    Today we will focus on the cybersecurity framework, under \nwhich the National Institute for Standards and Technology or \nNIST, as it is often referred to, has the responsibility of \nworking with stakeholders to develop.\n    The framework is expected to be completed and released by \nOctober 30. On July 1, NIST released an outline of that \nframework, which will be the basis of the committee's \nquestioning today.\n    So far NIST has held three workshops to gather input from \nindustry, academia, other stakeholders, and a fourth is \nexpected in September, I believe, in Dallas, Texas.\n    I believe that the outline of NIST's framework provides an \nimportant step to increasing our Nation's awareness and ability \nto protect our networks from crippling cyber attacks.\n    In fact, I believe that there are many mature actors in \nboth Government and the private sector working in great \ncoordination currently--including those at the Department of \nHomeland Security--to shield our systems from cyber threats.\n    It is, however, those outliers--the ones without the \nawareness, those with insufficient resources--who can present \nimmense vulnerabilities to entire networks.\n    It is this concern that our subcommittee seems to have \nallayed. We must find answers to the question of: How do we \nincentivize participation without creating counterproductive, \nonerous standards and regulations?\n    Adopting the NIST framework would result in a positive \nexercise for owners and operators of critical infrastructure. 
\nHowever, I have concerns that a self-assessment may not be \nsufficient to incentivize action to bolster cyber defenses in \nall cases.\n    Our committee has held over 200 meetings with stakeholders \nand one of the common themes emanating from the discussions is \nthat they are only as strong as their weakest links. I believe \nan analysis of the incentives included in this framework is in \norder.\n    I look forward to hearing from the panel today on ways we \ncan assist both the public and private sector to increase their \nhygiene with limited resources.\n    Providing incentives for organizations to share information \nand best practices is further complicated by the absence of \nliability protections. In the Executive Order, our goal should \nbe to encourage that information sharing, and I have questions \nabout the ability of regulators to reform use--require use of \nthe framework, turning this into burdensome check-the-box rules \nand regulations.\n    Ultimately, I believe it is the consensus of the committee \nthat Congress must pass legislation in order to address many of \nthese outstanding issues.\n    Existing structures within DHS must be authorized by \nCongress to continue functioning. Liability protections, \ninformation-sharing provisions, and industry-led incentives can \nonly be fully enacted by statute, not exclusively by \nPresidential Directive.\n    I look forward to working with the committee, with our \npanel, and DHS to craft legislation that will address these \nissues.\n    I thank the panel for their participation today, and I look \nforward to hearing from your testimony.\n    [The information follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Meehan. The Chairman now recognizes the Ranking \nMinority Member of the subcommittee, the gentlelady from New \nYork, Ms. Clarke, for any statement that she may have.\n    Ms. Clarke. Thank you very much, Mr. 
Chairman.\n    Welcome to our panelists this morning.\n    Our country's reliance on cyber systems covers the \nwaterfront; everything from power plants to pipelines and \nhospitals to highways, have increased cyber connections \ndramatically and our infrastructure is more physically and \ndigitally interconnected than ever.\n    Yet for all of the advantages interconnectivity offers our \nNation's critical infrastructure, it is also increasingly \nvulnerable to attack from an array of cyber threats.\n    It is vital that we as a country take action to strengthen \nour National policy on critical infrastructure security and \nresilience and includes measures to strengthen cybersecurity.\n    Because the majority of our critical infrastructure is \nowned and operated by private companies, the public and private \nsectors have a shared responsibility to reduce the threats to \ncritical infrastructure through a stronger partnership.\n    The current Federal legislative framework for cybersecurity \nis complex with more than 50 statutes currently addressing \nvarious aspects of it.\n    However, we can all agree that the current framework is not \nsufficient to address the growing concerns about the security \nof cyberspace in the United States and no major cybersecurity \nlegislation has been enacted since 2002, although the Executive \nbranch has taken several notable actions.\n    The Federal role in protection of privately-held critical \ninfrastructure has been one of the most contentious issues in \nthe debate about cybersecurity legislation.\n    There appears to be a broad agreement that additional \nactions are needed to address the security risks, NCI, but \nthere is considerable disagreement about how much, if any, \nadditional Federal regulation is required.\n    So in February of this year, the President acted through an \nextraordinary order of directives an Executive Order on \ncybersecurity and a Presidential Policy Directive on critical \ninfrastructure 
security and resilience that will likely become \nNational and global references for cybersecurity policymaking.\n    Under the EO, the Secretary of Commerce is tasked to direct \nthe director of NIST to develop a framework of reducing cyber \nrisks to critical infrastructure.\n    The framework will consist of standards, methodologies, \nprocedures, and processes that align policy, business, and \ntechnological approaches to cyber--to address cyber risks.\n    The Department of Homeland Security in coordination with \nsector-specific agencies will then establish a voluntary \nprogram to support the adoption of the cybersecurity framework \nby owners and operators of critical infrastructure and any \nother interested entities.\n    It is important that the United States set a positive \nexample regarding the essential role that global standards play \nfor both industry and Government. This framework presents an \nimportant opportunity to develop a product that many other \ncountries can replicate and use in their policy environments.\n    The United States could encourage global acceptance of this \nframework by seeking comments and support from our allies \nduring its development. This adoption would be beneficial by \ncreating consistent and cohesive approaches across these \ngeographies as well as a commitment to the global \nstandardization process.\n    A long-standing concern of mine is how we go about \naddressing cyber workforce considerations and how they will be \nincluded in the development of the framework we will be talking \nabout today.\n    Our National cybersecurity workforce must be trained and be \nable to maintain the skills necessary to understand the \nchanging operating environment. They must also be able to \nunderstand the threats, vulnerabilities to the environment, and \nmost importantly, they must be skilled at practices to combat \nthose threats and vulnerabilities.\n    I am hoping that you, Mr. 
Chairman, and I can work together \non this important need.\n    We also have a need of improvement in the fundamental \nknowledge of cybersecurity. New solutions and approaches have \nbeen recognized for well over a decade and those discoveries \nwere a factor in the passage of the Cyber Security Research and \nDevelopment Act in 2002.\n    However, the law focuses on cybersecurity R&D by NSF and \nNIST. The Homeland Security Act of 2002 in contrast does not \nspecifically mention cybersecurity R&D, but DHS and several \nother Departmental agencies make significant investments in it.\n    About 60 percent of reported funding by agencies in \ncybersecurity and information assurance is defense-related and \nwe need to direct some of this R&D in the civilian arena.\n    I understand that you, Mr. Chairman, have some language \nalong this line, and I hope we can, together, work on this \nissue.\n    What we all want for a cybersecurity framework is something \nthat is flexible, repeatable, performance-based, includes a \nstrong privacy and civil liberties protections, and something \nthat is cost-effective.\n    After all, the President is attempting to help the \nprivately-held owners and operators of the Nation's critical \ninfrastructure to identify, assess, and manage cybersecurity-\nrelated risks while protecting business confidentiality and \nindividual privacy and civil liberties.\n    In short, we need to regain sovereignty over our National \nand local assets that keep our small businesses running, our \ncity and State governments providing services to citizens, our \nfactories humming, and our essential services protected.\n    I look forward to testimony today about the progress that \nis being made because of the President's leadership on \ncybersecurity, and I hope that Congress can learn some lessons \nfrom the process he has set in motion.\n    I just want to add that I recently received this copy of \nthe incentives study, Mr. 
Kolasky, and I understand that this \nis in response to the Executive Order.\n    It was issued May 21, and it would be great if we engaged \nin information sharing as well if we are going to demand it \nfrom those who are tasked to give guidance to.\n    With that, Mr. Chairman, I yield back.\n    [The statement of Ranking Member Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n                             July 18, 2013\n    Our country's reliance on cyber systems covers the waterfront, \neverything from power plants to pipelines, and hospitals to highways \nhave increased cyber connections dramatically, and our infrastructure \nis more physically and digitally interconnected than ever. Yet for all \nthe advantages interconnectivity offers, our Nation's critical \ninfrastructure is also increasingly vulnerable to attack from an array \nof cyber threats.\n    It is vital that we, as a country, take action to strengthen our \nNational policy on critical infrastructure security and resilience, and \nincludes measures to strengthen cybersecurity. Because the majority of \nour critical infrastructure is owned and operated by private companies, \nthe public and private sectors have a shared responsibility to reduce \nthe risks to critical infrastructure through a stronger partnership.\n    The current Federal legislative framework for cybersecurity is \ncomplex, with more than 50 statutes currently addressing various \naspects of it. However, we can all agree that the current framework is \nnot sufficient to address the growing concerns about the security of \ncyber space in the United States, and no major cybersecurity \nlegislation has been enacted since 2002, although the Executive branch \nhas taken several notable actions.\n    The Federal role in protection of privately-held Critical \nInfrastructure has been one of the most contentious issues in the \ndebate about cybersecurity legislation. 
There appears to be broad \nagreement that additional actions are needed to address the \ncybersecurity risks to CI but there is considerable disagreement about \nhow much, if any, additional Federal regulation is required.\n    So, in February of this year, the President acted through an \nextraordinary pair of directives, an Executive Order on Cybersecurity \nand a Presidential Policy Directive on Critical Infrastructure Security \nand Resilience, that will likely become National and global references \nfor cybersecurity policymaking. Under the EO, the Secretary of Commerce \nis tasked to direct the Director of NIST to develop a framework for \nreducing cyber risks to critical infrastructure. The Framework will \nconsist of standards, methodologies, procedures, and processes that \nalign policy, business, and technological approaches to address cyber \nrisks.\n    The Department of Homeland Security, in coordination with sector-\nspecific agencies, will then establish a voluntary program to support \nthe adoption of the Cybersecurity Framework by owners and operators of \ncritical infrastructure and any other interested entities.\n    It is important that the United States set a positive example \nregarding the essential role that global standards play for both \nindustry and Government. This framework presents an important \nopportunity to develop a product that many other countries can \nreplicate and use in their policy environments. The United States could \nencourage global acceptance of this framework by seeking comments and \nsupport from our allies during its development. This adoption would be \nbeneficial by creating consistent and cohesive approaches across those \ngeographies as well as a commitment to the global standardization \nprocess.\n    A long-standing concern of mine is how we go about addressing Cyber \nWorkforce considerations and how they will be included in the \ndevelopment of the Framework we will be talking about today. 
Our \nNational cybersecurity workforce must be trained and be able to \nmaintain the skills necessary to understand the changing operating \nenvironment. They must also be able to understand the threats and \nvulnerabilities to that environment, and most importantly, they must be \nskilled at practices to combat those threats and vulnerabilities. I am \nhoping that the Chairman and I can work together on this important \nneed.\n    We also have a need for improvements in the fundamental knowledge \nof cybersecurity. New solutions and approaches have been recognized for \nwell over a decade and these discoveries were a factor in the passage \nof the Cybersecurity Research and Development Act in 2002. However, \nthat law focuses on cybersecurity R&D by NSF and NIST. The Homeland \nSecurity Act of 2002, in contrast, does not specifically mention \ncybersecurity R&D, but DHS and several other Departmental agencies make \nsignificant investments in it. About 60% of reported funding by \nagencies in cybersecurity and information assurance is defense-related, \nand we need to direct some of this R&D in the civilian arena. I \nunderstand the Chairman has some language along this line, and I hope \nwe can work together on this issue too.\n    What we all want from a Cybersecurity Framework is something that \nis flexible, repeatable, performance-based, includes strong privacy and \ncivil liberties protections, and something that is cost-effective. \nAfter all, the President is attempting to help the privately-held \nowners and operators of the Nation's critical infrastructure to \nidentify, assess, and manage cybersecurity-related risk while \nprotecting business confidentiality and individual privacy and civil \nliberties.\n    In short we need to regain sovereignty over our National and local \nassets that keep our small businesses running, our city and State \ngovernments providing services to citizens, our factories humming, and \nour essential services protected. 
I look forward to the testimony today \nto hear about the progress that is being made because of the \nPresident's leadership on cybersecurity, and I hope that Congress can \nlearn some lessons from the process he has set into motion.\n\n    Mr. Meehan. I thank the gentlelady for her comments and \nother Members of the committee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                             July 18, 2013\n    Several years ago, this committee passed the legislation that \nbecame the DHS' Chemical Facility Anti-Terrorism Standards (CFATS) \nprogram. CFATS was one of this committee's first attempts to \nproactively explore how to make this country safer by engaging the \nprivate sector. We knew that no private facility wanted to become the \ntarget of terrorists. But we also knew that the private sector does not \noften view the Government as a partner.\n    We needed to create a structure that permitted Government and the \nprivate sector to work together without fear of penalty or reprisal. I \nbelieve we created such a system. Today, we are here to discuss another \ninstance in which the private sector is being asked to cooperate with \nthe Government to safeguard the American people. 
While the potential \ndanger posed by a terrorist attack on a chemical facility is easy to \nunderstand, the threat posed by an attack on the cyber network of a \nfacility is difficult to envision.\n    But let's be clear--cyber attacks that cause large-scale system \nfailures among the businesses and organizations that we use every day \nwould not only cause inconvenience, for some people, such system \nfailures could be life-threatening.\n    While something in our history and culture may not allow us to \nadmit it easily, we need to acknowledge that we rely on the everyday \npresence of power plants, hospitals, manufacturing plants, mass transit \nand subway systems, airports, and the system of electronic commerce.\n    And in our current world, none of these systems can exist without a \ncomputer network that is linked to many other computer networks. Our \nNational and individual interests depend upon the protection of these \nnetworks and the security of the information in them.\n    Government and the private sector must work together to assure that \nthe owners and operators of these facilities are able to safeguard \ntheir operations and assets from the risk of cyber attack.\n    Also, we must be sure that if attacked by a cyber terrorist, these \nfacilities are able to quickly determine the damage, recover from the \ninjury and move forward.\n    The cybersecurity Executive Order attempts to achieve these goals. \nNeedless to say, I would prefer that this Congress take up legislation \nto address the many cybersecurity threats facing the critical \ninfrastructure of this Nation. However, this Congress seems to have a \ndifficult time engaging in the legislative process. Thus, I look \nforward to the implementation of Executive Order 13636, which directs \nFederal agencies to coordinate the development and implementation of \nrisk-based standards.\n\n    Mr. Meehan. 
We are very pleased to have a distinguished \npanel before us today, and we thank each of you for the work \nthat you are doing on behalf of our Nation and your efforts to \nassure that we take every possible step to protect our cyber \ninfrastructure.\n    We are going to be joined today first by Mr. Robert Kolasky \nwho serves as the director of the Department of Homeland \nSecurity's Integrated Task Force that was put together to \nimplement the Presidential Policy Directive 21 on Critical \nInfrastructure Security and Resilience as well as the \nPresident's Executive Order on Critical Infrastructure Cyber \nSecurity.\n    Mr. Kolasky has served in many roles throughout DHS since \njoining the Federal Government in 2002, and I thank you for \nyour service.\n    We will be joined by Dr. Charles Romine, the director of \nInformation Technology Laboratory, one of six research \nlaboratories within the National Institute of Standards and \nTechnology.\n    Dr. Romine oversees research programs designed to promote \nU.S. innovation and industrial competitiveness by developing \nand disseminating standards, measurements, and testing for \ninteroperability, security, usability, and reliability of \ninformation systems.\n    Thank you, Dr. Romine.\n    We are joined by Dr. Eric Fischer. He is the senior \nspecialist in science and technology at the Congressional \nResearch Service. In this role, he provides expert written and \nconsultation support to Congress on a broad range of issues in \nscience and technology policy including cybersecurity, \nenvironmental issues, and research and development.\n    He has authored more than 30 CRS reports--and I thank you \nfor that great work. 
They are a big help to us as we try to \nnegotiate our way through the thicket of issues to increase our \nunderstanding--and more than 100 analytical memoranda for \nCongressional offices on the subjects I just mentioned.\n    The witnesses' full written statements will appear in the \nrecord, and so I ask that you use your time as best you can to \nhelp us to hear what is important in your testimony.\n    I will now recognize Mr. Kolasky for 5 minutes to testify.\n    Thank you, Mr. Kolasky.\n\n  STATEMENT OF ROBERT KOLASKY, DIRECTOR, IMPLEMENTATION TASK \n   FORCE, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Kolasky. Good morning, Chairman Meehan, Ranking Member \nClarke, and distinguished Members of the committee. I want to \nthank you for your support of the Department, particularly in \nour mission to safeguard and secure the Nation's critical \ninfrastructure.\n    I am pleased to be here before you to discuss the \nadministration's role and DHS's role in implementing PPD 21 on \nCritical Infrastructure Security Resilience and Executive Order \n13636, Critical Infrastructure Cyber Security.\n    As you know, DHS supports critical infrastructure owners \nand operators in preparing for, preventing, protecting against, \nmitigating from, responding to, and recovering from all \nhazardous events including cyber incidents, natural disasters, \nand terrorist attacks.\n    To achieve this, DHS works with public and private-sector \npartners to identify and promote effective solutions for \nsecurity and resilience that address the risk facing the \nNation's critical infrastructure.\n    As you mentioned, recognizing the need for collaborative \nsolutions to confront these risks and promote a more secure and \nresilient critical infrastructure, President Obama issued \nExecutive Order and the Presidential Policy on Critical \nInfrastructure Security and Resilience in February of this \nyear.\n    
These two directives aimed to enhance the security and \nresilience of the Nation's critical structure to maintain a \ncyber environment that encourages efficiency, innovation, and \neconomic prosperity while promoting safety, security, business \nconfidentiality, privacy, and civil liberties.\n    Promoting security resilience is a collaborative effort. It \ninvolves participation from the private sector, owners and \noperators, State, local, and Tribal territorial governments as \nwell.\n    To accomplish this collaborative effort, DHS stood up the \nintegrated task force to implement the EO and PPD and the \nintegrated task force has developed a consultative process for \nthe whole Federal Government to work with the private sector \nand State and local and Tribal territorial governments as well \nas nonprofits and academic communities.\n    At the integrated task force, we have developed nine \nseparate working groups and have conducted more than 100 \nworking sessions involving 1,100 attendees to date. 
\nRepresentatives from DHS have also conducted more than 100 \nbriefings on our effort to nearly 10,000 stakeholders since \nFebruary 2013.\n    In addition, DHS has worked with our colleagues at the \nDepartment of Commerce's National Institute of Standards and \nTechnology to utilize this consultative process in support of \nthe development of cybersecurity framework, which NIST is \nleading the effort on.\n    We have accomplished much over the past 150 days, and I \nwould like to talk about that and I am eager to take questions \nrelated to that.\n    Among the things that we have delivered, as Ranking Member \nClarke referenced, an incentives report which analyzes \npotential incentives that can be used to promote to the \nadoption of the cybersecurity framework, a description of \ncritical infrastructure functional relationships, instructions \non producing unclassified cyber threat reports from all sources \nof information and making that information available to \ncritical infrastructure partners, procedures for the expansion \nof the enhanced cybersecurity service program within DHS, which \nis intended to share cyber threat information with \nappropriately cleared private-sector cybersecurity providers \nacross all critical infrastructure sectors, recommendations on \nthe feasibility, security benefits, and merits of incorporating \nsecurity standards into acquisition planning and contract \nadministration, a process for expediting security clearances to \nthose in the private sector with the essential need to know \nabout cyber threat information, and a report outlining how well \nthe current public/private partnership model that is documented \nin the National Infrastructure Protection Plan is working and \nrecommendations for enhancements to that model.\n    In addition, we have conducted an evaluation of and are \nidentifying critical infrastructure entities where a \ncybersecurity incident has the potential to cause National or \nregionally 
catastrophic incidents.\n    While we have made significant progress to date, there is \nmuch work still to be done this year. DHS will be focusing its \nefforts on the following steps throughout the rest of the year.\n    Updating the National Infrastructure Protection Plan to \nreflect new policies, a change in the risk environment, and \nlessons learned working in collaboration across the public and \nprivate sector to manage infrastructure risks.\n    Enhancing near-real-time situational awareness for critical \ninfrastructure, developing a draft of the National Critical \nInfrastructure Security and Resilience Research and Development \nPlan and collaborating with our colleagues at NIST on the \ncybersecurity framework.\n    It is important to note that the EO and PPD work within \ncurrent authorities. They do not grant new regulatory authority \nor establish additional incentives for participation in a \nvoluntary program.\n    The administration continues to believe that a \ncomprehensive suite of legislation is necessary to implement \nthe full range of steps necessary to build a strong public/\nprivate partnership and we hope to continue to work with \nCongress to achieve this.\n    Among our legislative priorities are: Facilitating \ncybersecurity for information sharing between the Government \nand the private sector while maintaining privacy and civil \nliberties protections and reinforcing the appropriate roles of \nintelligence and non-intelligence agencies.\n    Incentivizing the adoption of best practices and standards \nfor critical infrastructure by complementing the process set \nforth in the Executive Order, updating Federal agency network \nsecurity laws and codifying DHS' cybersecurity \nresponsibilities, giving law enforcement the tools to fight \ncrime in the digital age, and creating a new National data \nbreach reporting requirement.\n    I will end my statements by saying that although we are \ndoing much within the EO and PPD, this is 
just a start and we \nhope to continue to work with the owners and operators in State \nand local and Tribal territorial governments to make progress \nthis year and in the future so that we all have confidence in \nthe security and the resiliency of our critical infrastructure \nand key networks.\n    Thank you for the opportunity to discuss the Department's \nrole in improving critical infrastructure security and \nresilience, and I look forward to the dialogue.\n    [The prepared statement of Mr. Kolasky follows:]\n                  Prepared Statement of Robert Kolasky\n                             July 18, 2013\n                              introduction\n    Good morning Chairman Meehan, Ranking Member Clarke, and \ndistinguished Members of the committee. Let me begin by thanking you \nfor your support of the Department of Homeland Security (DHS), \nparticularly in its mission to safeguard and secure the Nation's \ncritical infrastructure. I am pleased to appear before you to discuss \nthe Department's role in implementing Executive Order (EO) 13636, \nImproving Critical Infrastructure Cybersecurity, and Presidential \nPolicy Directive (PPD) 21, Critical Infrastructure Security and \nResilience.\n    DHS supports critical infrastructure owners and operators in \npreparing for, preventing, protecting against, mitigating from, \nresponding to, and recovering from all-hazards events, including cyber \nincidents, terrorist attacks, and natural disasters. These activities \npromote the safety and security of the American public and ensure the \nprovision of essential services and functions, such as energy and \ncommunications. 
To achieve this end, DHS works with public and private-\nsector partners to identify and promote effective solutions for \nsecurity and resilience that address the risks facing the Nation's \ncritical infrastructure.\n    While this increased connectivity has led to significant \ntransformations and advances across our country--and around the world--\nit also has increased the importance and complexity of our shared risk. \nOur daily life, economic vitality, and National security depend on \ncyberspace. A vast array of interdependent IT networks, systems, \nservices, and resources are critical to communication, travel, powering \nour homes, running our economy, and obtaining Government services. No \ncountry, industry, community, or individual is immune to cyber risks.\n    Critical infrastructure is the backbone of our country's National \nand economic security. It includes power plants, chemical facilities, \ncommunications networks, bridges, highways, and stadiums, as well as \nthe Federal buildings where millions of Americans work and visit each \nday. DHS coordinates the National protection, prevention, mitigation, \nand recovery from cyber incidents and works regularly with business \nowners and operators to take steps to strengthen their facilities and \ncommunities. The Department also conducts on-site risk assessments of \ncritical infrastructure and shares risk and threat information with \nState, local, and private-sector partners.\n    Protecting critical infrastructure against growing and evolving \ncyber threats requires a layered approach. 
DHS actively collaborates \nwith public and private-sector partners every day to improve the \nsecurity and resilience of critical infrastructure while responding to \nand mitigating the impacts of attempted disruptions to the Nation's \ncritical cyber and communications networks and to reduce adverse \nimpacts on critical network systems.\n    Beyond evolving cybersecurity risks, the Nation's critical \ninfrastructure is potentially affected by more frequent and severe \nweather events, by sustained under-investment in the integrity of aging \nand degrading infrastructure, and by an evolving terrorist threat.\n    Recognizing the need for collaborative solutions to confront this \nchanging risk paradigm and promote a more secure and resilient critical \ninfrastructure, President Obama issued EO 13636 and PPD-21. These two \ndirectives aim to ``enhance the security and resilience of the Nation's \ncritical infrastructure and to maintain a cyber environment that \nencourages efficiency, innovation, and economic prosperity while \npromoting safety, security, business confidentiality, privacy, and \ncivil liberties.''\n    Taken together, these two policy documents are intended to achieve \nthe following:\n  <bullet> Encourage the adoption of effective measures across all \n        critical infrastructure sectors to improve security and \n        resiliency and reduce risk from cyber attacks to essential \n        functions and services by publishing a Cybersecurity Framework \n        (the Framework) that will provide owners and operators with a \n        prioritized, flexible, repeatable, performance-based, and cost-\n        effective set of validated security controls based upon \n        industry best practices.\n  <bullet> Enhance timely, relevant, and accurate information sharing \n        on significant risks by implementing a program to develop and \n        rapidly share unclassified information with critical \n        infrastructure owners and operators, 
enabling the adoption of \n        effective mitigations to prevent or to reduce the consequences \n        of significant incidents.\n  <bullet> Align responsibilities of public and private partners to \n        efficiently allocate risk reduction responsibilities by \n        conducting an analysis of the existing critical infrastructure \n        public-private partnership model and recommending options for \n        improving the effectiveness of the partnership in managing both \n        the physical and cyber risks.\n  <bullet> Promote innovation in novel risk-reduction solutions by \n        developing a National Critical Infrastructure Security and \n        Resilience Research and Development (R&D) Plan to identify \n        priorities and guide R&D requirements and investments toward \n        those solutions that will help assure the provision of \n        essential functions and services over time.\n  <bullet> Ensure that privacy, civil rights, and civil liberties are \n        protected as a foundational part of all risk management efforts \n        by conducting an assessment of the privacy, civil rights, and \n        civil liberties implications of all EO 13636 and PPD-21 \n        programs and recommending revisions to proposed initiatives as \n        required.\n    Working in partnership with the Federal interagency, DHS \nestablished an Integrated Task Force to:\n  <bullet> Lead the Department's implementation of PPD-21 and EO 13636, \n        including coordination with the Department of Commerce's \n        National Institute of Standards and Technology, on the \n        Cybersecurity Framework;\n  <bullet> Serve as the focal point for collaboration with industry;\n  <bullet> Involve key stakeholders from all levels of government; and\n  <bullet> Prioritize tasks, plan implementation, and coordinate \n        principal offices of responsibility.\n    The Integrated Task Force is further charged with ensuring the \nproduction of various 
deliverables as mandated under EO 13636 and PPD-\n21. These deliverables, however, are not an end in themselves; rather, \neach deliverable is intended to contribute to future efforts that will \npromote the security and resilience of the Nation's critical \ninfrastructure.\n                          consultative process\n    Promoting security and resilience is a collaborative endeavor \nrequiring effort and investment from both the Federal Government and \nprivate sector, as well as State, local, Tribal, and territorial \npartners. Thus, to implement EO 13636 and PPD-21, the Federal \nGovernment has actively sought the collaboration, input and engagement \nof our partners. The Integrated Task Force has developed a \n``consultative process'' pursuant to EO 13636, to work within the \nFederal Government to collaborate with State, local, Tribal, and \nterritorial government officials as well as private-sector owners and \noperators of critical infrastructure and the non-profit and academic \ncommunities. 
The consultative process is based on the following \nprinciples:\n  <bullet> Seek out opportunities across the whole community;\n  <bullet> Be systematic, transparent, and repeatable;\n  <bullet> Focus on appropriate and meaningful multi-directional \n        communications and collaboration;\n  <bullet> Establish protocols to ensure that progress reports, current \n        direction, and current messaging are broadly shared and \n        understood;\n  <bullet> Document activities to track participation across the whole \n        community;\n  <bullet> Identify and engage the full range of stakeholders across \n        the critical infrastructure and cybersecurity community;\n  <bullet> Utilize established partnership organizations and regimes;\n  <bullet> Promote innovative approaches to maximize opportunities for \n        input from stakeholders across the whole community;\n  <bullet> Ensure that privacy and civil liberties protections are \n        incorporated into the tasks by coordinating with appropriate \n        senior Federal agency officials;\n  <bullet> Foster development of an enduring engagement process that \n        can be used in other cyber and critical infrastructure security \n        and resilience efforts.\n    Using those principles, the Integrated Task Force developed nine \nseparate working groups and has conducted more than 100 working \nsessions involving 1,100 attendees, to date. Representatives from DHS \nhave also conducted more than 100 briefings on our efforts to nearly \n10,000 stakeholders since February 2013. Outside of the established \nIntegrated Task Force working groups, the cyber and critical \ninfrastructure communities are being engaged through working sessions, \nconferences, meetings, and virtual collaboration methods such as the \nHomeland Security Information Network, IdeaScale, and webinars. The \nformat and style of engagement varies according to the needs of the \ncommunity engaged and the purpose for engagement. 
The venue and \nmechanism for engagement is also determined by the outcomes sought and \nthe nature of the constituency involved. In addition, DHS has worked \nwith the Department of Commerce's National Institute of Standards and \nTechnology (NIST) to utilize the consultative process in support of the \ndevelopment of the Framework.\n                       status of current efforts\n    We have accomplished much over the past 150 days using the \nConsultative Process to engage whole community stakeholders. The \nSecretary has already submitted several EO 13636 and PPD-21 \ndeliverables to the White House, to include:\n  <bullet> An Incentives Report, which analyzes potential Government \n        incentives that could be used to promote the adoption of the \n        Framework;\n  <bullet> A description of critical infrastructure functional \n        relationships, which illustrates the Federal Government's \n        current organizational structure to deliver risk management \n        support to stakeholders and make it easier for them to \n        collaborate with the Government;\n  <bullet> Instructions on producing unclassified cyber threat reports \n        from all sources of information, including intelligence, to \n        improve the ability of critical infrastructure partners to \n        prevent and respond to significant threats;\n  <bullet> Procedures for expansion of the Enhanced Cybersecurity \n        Services (ECS) program to all critical infrastructure sectors. \n        The ECS program promotes cyber threat information sharing \n        between Government and the private sector, which helps critical \n        infrastructure entities protect themselves against cyber \n        threats to the systems upon which so many Americans rely. DHS \n        will share with appropriately cleared private sector \n        cybersecurity providers the same threat indicators that we rely \n        on to protect the .gov domain. 
Those providers will then be \n        free to contract with critical infrastructure entities and \n        provide cybersecurity services comparable to those provided to \n        the U.S. Government;\n  <bullet> Recommendations on feasibility, security benefits, and \n        merits of incorporating security standards into acquisition \n        planning and contract administration, addressing what steps can \n        be taken to make existing procurement requirements related to \n        cybersecurity consistent;\n  <bullet> A process for expediting security clearances to those in the \n        private sector with an essential ``need to know'' regarding \n        Classified cybersecurity risk information. This processing is \n        intended only for those who need access to Classified \n        information. While it is important to ensure that our private-\n        sector partners who have a valid need for access to Classified \n        information receive appropriate security clearances, we believe \n        that most information sharing can be conducted at the \n        Unclassified level; and\n  <bullet> A report outlining how well the current critical \n        infrastructure public-private partnership model as articulated \n        in the National Infrastructure Protection Plan (NIPP) is \n        working toward promoting the security and resilience of the \n        Nation's critical infrastructure, and recommendations to \n        strengthen those partnerships.\n  <bullet> In addition, we have conducted an initial evaluation of and \n        are identifying critical infrastructure entities which would \n        reasonably result in catastrophic consequences from a \n        cybersecurity incident. While we are incorporating lessons from \n        this analysis in developing a repeatable system of critical \n        infrastructure assessments, the results from this preliminary \n        evaluation identified a relatively small list of U.S. 
critical \n        infrastructure that if impacted by a cybersecurity incident \n        could cause catastrophic consequence to our National security, \n        economic security, public health, and safety.\n                             moving forward\n    While we have made significant progress to date, there is much work \nstill to be done this year to fulfill the vision set forth in EO 13636 \nand PPD-21. To that end, DHS will be focusing its efforts on the \nfollowing steps via the Integrated Task Force:\n  <bullet> Updating the NIPP to reflect new policies, a change in the \n        risk environment, and lessons learned working in collaboration \n        across the public and private sectors to manage infrastructure \n        risk;\n  <bullet> Enhancing near-real-time situational awareness for critical \n        infrastructure, with a particular focus on multi-directional \n        information sharing and understanding of interdependencies \n        between physical and cyber systems and critical infrastructure \n        sectors;\n  <bullet> Developing a draft of the National Critical Infrastructure \n        Security and Resilience Research and Development Plan; and\n  <bullet> Collaborating with NIST on the Cybersecurity Framework.\n    DHS is developing the Performance Goals described in EO 13636 for \nthe Framework collaboratively with critical infrastructure owners and \noperators using the Consultative Process. By framing the importance of \ncyber risk in a business context, the Performance Goals will encourage \nadoption of the Framework. The goals complement the Framework which \nwill outline what businesses should do to manage cyber risk. 
In turn, \nthe specific standards and controls suggested under the Framework will \nexplain how businesses should manage cyber risk.\n    Through the Performance Goals, critical infrastructure owners and \noperators will be able to adopt a common approach to evaluating the \neffectiveness of risk management investments based upon business \noutcomes. While DHS will not require nor evaluate the adoption of the \nPerformance Goals among critical infrastructure owners and operators, \nthe Goals will encourage businesses to frame cybersecurity risk in the \ncontext of economic sustainability, and thereby facilitate strategic \nplanning and investment to identify changing risks and implement \nmeasurably effective solutions.\n    The Framework will also serve as a basis for a DHS Voluntary \nProgram, which will result in on-going collaboration with industry to \npromote market-based solutions to higher levels of cybersecurity.\n                      cyber legislative priorities\n    It is important to note that EO 13636 directs Federal agencies to \nwork within current authorities and increase voluntary cooperation with \nthe private sector to provide better protection for computer systems \ncritical to our National and economic security. We continue to believe \nthat a comprehensive suite of legislation is necessary to implement the \nfull range of steps needed to build a strong public-private \npartnership, and we will continue to work with Congress to achieve \nthis.\n    Consistent with the proposal that the administration transmitted \nlast Congress, legislation should:\n  <bullet> Facilitate cybersecurity information sharing between the \n        Government and the private sector as well as among private-\n        sector companies. 
We believe that such sharing can occur in \n        ways that uphold privacy and civil liberties protections, \n        expand upon existing best practices from industry leaders in \n        this area, reinforce the appropriate roles of intelligence and \n        non-intelligence agencies, and include targeted liability \n        protections;\n  <bullet> Incentivize the adoption of best practices and standards for \n        critical infrastructure by complementing the process set forth \n        under the Executive Order;\n  <bullet> Give law enforcement the tools to fight crime in the digital \n        age;\n  <bullet> Update Federal agency network security laws, and codify DHS' \n        cybersecurity responsibilities; and\n  <bullet> Create a National Data Breach Reporting requirement.\n    In each of these legislative areas, we want to incorporate robust \nprivacy and civil liberties safeguards. The administration stands ready \nto work with Congress to pass important cybersecurity legislation.\n                               conclusion\n    Critical infrastructure security and resilience to cyber incidents \nand other risks is an on-going capability development effort rather \nthan an end-state to be achieved on a given date, or via a defined \ndeliverable. All partners in this National effort will need to continue \nto contribute to its progress over time. The implementation of EO 13636 \nand PPD-21 is a key step in achieving these desired outcomes; progress \nwill require sustained effort by both public and private partners, and \na recognition of the rapidly evolving risk environment. The desired \nend-state of the critical infrastructure partnership model is an \nenvironment in which public and private partners work in a networked \nmanner to effectively and efficiently share information and allocate \nrisk-reduction responsibilities. 
If achieved, this result will maximize \nthe comparative advantage of each and reduce duplication or under-\ninvestment, resulting in collaborative solutions to reduce the \nlikelihood of the highest-consequence incidents.\n    Thank you for the opportunity to discuss the Department's role in \nimproving critical infrastructure security and resilience. I look \nforward to any questions you may have.\n\n    Mr. Meehan. Thank you, Mr. Kolasky. That is a--you got a \nlot on your agenda. That is a big report, and I know we will be \nlooking forward to talking with you about some of that.\n    Dr. Romine, the Chairman now recognizes you for your 5 \nminutes of testimony. Thank you.\n\n  STATEMENT OF CHARLES H. ROMINE, PH.D., DIRECTOR, INFORMATION \n  TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND \n            TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE\n\n    Mr. Romine. Thank you, Chairman Meehan, Ranking Member \nClarke, and Members of the subcommittee. Thank you very much \nfor the opportunity to testify today.\n    As directed in the Executive Order, NIST is working with \nindustry to develop the cybersecurity framework to improve the \ncybersecurity of critical infrastructures and working with the \nDepartment of Homeland Security to establish performance goals.\n    Our partnership with industry and with DHS is driving much \nof our effort. Earlier this year, we signed a memorandum of \nagreement with DHS to ensure that our work on the framework and \nalso with cybersecurity standards, best practices, and metrics is \nfully integrated with information sharing, threat analysis, \nresponse, and operational work of DHS.\n    We believe this will enable a more holistic approach to \naddressing the complex challenges that we face. 
The framework \nis an important element in addressing the challenges of \nimproving the cybersecurity of our critical infrastructure.\n    A NIST-coordinated and industry-led framework will draw on \nstandards and best practices that industry already develops and \nuses. NIST is ensuring that the process is open and transparent \nto all stakeholders and will ensure a robust technical \nunderpinning to the framework.\n    This approach will significantly bolster the relevance of \nthe resulting framework to industry making it more appealing \nfor industry to adopt. This multi-stakeholder approach \nleverages the respective strengths of the public and private \nsectors and helps to develop solutions in which both sides will \nbe invested.\n    The approach does not dictate solutions to industry but \nrather facilitates industry coming together to develop and \noffer solutions that the private sector is best positioned to \nembrace.\n    I would also like to note that this is not a new or novel \napproach for NIST. We have used very similar approaches in the \nrecent past to address other pressing National priorities.\n    For example, NIST's work in the area of cloud computing \ntechnologies enabled us to develop important definitions and \narchitectures and is now enabling broad Federal Government \ndeployment of secure cloud computing technologies. The lessons \nlearned from this experience and others are informing how we \nare planning for and structuring our current effort.\n    NIST's initial steps toward implementing the Executive \nOrder included issuing a request for information or RFI this \npast February to gather relevant input from industry and other \nstakeholders and asking stakeholders to participate in the \ncybersecurity framework process.\n    The responses to the RFI, a total of 244, were posted on \nNIST's website. 
Those responding ranged from individuals to \nlarge corporations and trade associations and they provided \ncomments as brief as a few sentences on specific topics as well \nas comments so comprehensive that they ran over 100 pages. We published \nan analysis of these comments in May.\n    NIST is also engaging with stakeholders through a series of \nworkshops and events to ensure that we can cover the breadth of \nconsiderations that will be needed to make this National \npriority a success. Our first such session, held in April, \ninitiated the process of identifying existing resources and \ngaps and prioritized the issues to be addressed as part of the \nframework.\n    At the end of May, a second workshop at Carnegie Mellon \nUniversity brought together a broad cross-section of \nparticipants representing critical infrastructure owners and \noperators, industry associations, standards developing \norganizations, individual companies, and Government agencies.\n    This 3-day working session, using the analysis of the RFI \ncomments as input, was designed to identify and achieve \nconsensus on the standards, guidelines, and practices that will \nbe used in the framework.\n    Last week, NIST held its third workshop to present initial \nconsiderations for the framework. This workshop had a \nparticular emphasis on issues that have been identified from \nthe initial work, including the specific needs of different \nsectors.\n    During the workshop, NIST gained consensus on several \nelements that the framework will include. At 8 months, we will \nhave a preliminary framework that builds on these elements. \nAfter a year-long effort, once we have developed an initial \nframework, there will still be much to do.\n    For example, we will work with specific sectors and DHS to \nbuild strong voluntary programs for specific critical \ninfrastructure areas. 
Their work will then inform the needs of \ncritical infrastructure and the next versions of the framework.\n    The goal at the end of this process will be for industry \nitself to take ownership and update the cybersecurity framework, \nensuring that the framework will continue to evolve as needed.\n    We have made significant progress, but we have a lot of \nwork still ahead of us, and I look forward to working with this \ncommittee and others to help us address these pressing \nchallenges.\n    I will be pleased to answer any questions you may have for \nme. Thank you.\n    [The prepared statement of Mr. Romine follows:]\n                Prepared Statement of Charles H. Romine\n                             July 18, 2013\n                              introduction\n    Chairman Meehan, Ranking Member Clarke, Members of the \nsubcommittee, I am Chuck Romine, director of the Information Technology \nLaboratory of the National Institute of Standards and Technology \n(NIST), a non-regulatory bureau within the U.S. Department of Commerce. \nThank you for this opportunity to testify today on NIST's role under \nExecutive Order 13636, ``Improving Critical Infrastructure \nCybersecurity'' and our responsibility to develop a framework for \nreducing cyber risks to critical infrastructure.\n                   the role of nist in cybersecurity\n    NIST's mission is to promote U.S. innovation and industrial \ncompetitiveness by advancing measurement science, standards, and \ntechnology in ways that enhance economic security and improve our \nquality of life. Our work in addressing technical challenges related to \nNational priorities has ranged from projects related to the Smart Grid \nand electronic health records to atomic clocks, advanced nanomaterials, \nand computer chips.\n    In the area of cybersecurity, we have worked with Federal agencies, \nindustry, and academia since 1972, starting with the development of the \nData Encryption Standard. 
Our role to research, develop, and deploy \ninformation security standards and technology to protect information \nsystems against threats to the confidentiality, integrity, and \navailability of information and services, was strengthened through the \nComputer Security Act of 1987 and reaffirmed through the Federal \nInformation Security Management Act of 2002.\n    Consistent with this mission, NIST actively engages with industry, \nacademia, and other parts of the Federal Government including the \nintelligence community, and elements of the law enforcement and \nNational security communities, coordinating and prioritizing \ncybersecurity research, standards development, standards conformance \ndemonstration, and cybersecurity education and outreach.\n    Our broader work in the areas of information security, trusted \nnetworks, and software quality is applicable to a wide variety of \nusers, from small and medium enterprises to large private and public \norganizations including agencies of the Federal Government and \ncompanies involved with critical infrastructure.\n      executive order 13636, ``improving critical infrastructure \n                            cybersecurity''\n    On February 13, 2013, the President signed Executive Order 13636, \n``Improving Critical Infrastructure Cybersecurity,'' which gave NIST \nthe responsibility to develop a framework to reduce cyber risks to \ncritical infrastructure (the Cybersecurity Framework). As directed in \nthe Executive Order, NIST, working with industry, will develop the \nCybersecurity Framework and the Department of Homeland Security (DHS) \nwill establish performance goals. DHS, in coordination with sector-\nspecific agencies, will then support the adoption of the Cybersecurity \nFramework by owners and operators of critical infrastructure and other \ninterested entities, through a voluntary program.\n    Our partnership with DHS will drive much of our effort. 
Earlier \nthis year, we signed a Memorandum of Agreement with DHS to ensure that \nour work on the Cybersecurity Framework, and also with cybersecurity \nstandards, best practices, and metrics, is fully integrated with the \ninformation sharing, threat analysis, response, and operational work of \nDHS. We believe this will enable a more holistic approach to addressing \nthe complex challenges we face.\n    A Cybersecurity Framework is an important element in addressing the \nchallenges of improving the cybersecurity of our critical \ninfrastructure. A NIST-coordinated and industry-led Framework will draw \non standards and best practices that industry already develops and \nuses. NIST is ensuring that the process is open and transparent to all \nstakeholders, and will ensure a robust technical underpinning to the \nFramework. This approach will significantly bolster the relevance of \nthe resulting Framework to industry, making it more appealing for \nindustry to adopt.\n    This multi-stakeholder approach leverages the respective strengths \nof the public and private sectors, and helps develop solutions in which \nboth sides will be invested. The approach does not dictate solutions to \nindustry, but rather facilitates industry coming together to offer and \ndevelop solutions that the private sector is best positioned to \nembrace.\n    I would also like to note that this is not a new or novel approach \nfor NIST. We have utilized very similar approaches in the recent past \nto address other pressing National priorities. For example, NIST's work \nin the area of cloud computing technologies enabled us to develop \nimportant definitions and architectures, and is now enabling broad \nFederal Government deployment of secure cloud computing technologies. 
\nThe lessons learned from this experience and others are informing how \nwe are planning for and structuring our current effort.\n                 developing the cybersecurity framework\n    The Cybersecurity Framework will consist of standards, \nmethodologies, procedures, and processes that align policy, business, \nand technological approaches to address cyber risks for critical \ninfrastructure. Once the final Framework is established, the Department \nof Homeland Security (DHS), in coordination with sector-specific \nagencies, will then support the adoption of the Cybersecurity Framework \nby owners and operators of critical infrastructure and other interested \nentities through a voluntary program. Regulatory agencies will also \nreview the Cybersecurity Framework to determine if current \ncybersecurity requirements are sufficient, and propose new actions to \nensure consistency.\n    This approach reflects both the need for enhancing the security of \nour critical infrastructure and the reality that the bulk of critical \ninfrastructure is owned and operated by the private sector. Any efforts \nto better protect critical infrastructure need to be supported and \nimplemented by the owners and operators of this infrastructure. It also \nreflects the reality that many in the private sector are already doing \nthe right things to protect their systems and should not be diverted \nfrom those efforts through new requirements.\n             current status of the cybersecurity framework\n    Underlying all of this work, NIST sees its role in developing the \nCybersecurity Framework as partnering with industry and other \nstakeholders to help them develop the Framework. 
NIST's unique \ntechnical expertise in various aspects of cybersecurity-related \nresearch and technology development, and our established track record \nof working with a broad cross-section of industry and Government \nagencies in the development of standards and best practices, positions \nus very well to address this significant National challenge in a timely \nand effective manner.\n    NIST's initial steps towards implementing the Executive Order \nincluded issuing a Request for Information (RFI) this past February to \ngather relevant input from industry and other stakeholders, and asking \nstakeholders to participate in the Cybersecurity Framework process. \nGiven the diversity of sectors in critical infrastructure, the initial \nefforts are designed to help identify existing cross-sector security \nstandards and guidelines that are immediately applicable or likely to \nbe applicable to critical infrastructure.\n    The responses to the RFI--a total of 244--were posted on NIST's \nwebsite. Those responding ranged from individuals to large corporations \nand trade associations, and they provided comments as brief as a few \nsentences on specific topics, as well as comments so comprehensive that \nthey ran over a hundred pages. We published an analysis of these \ncomments in May.\n    NIST is also engaging with stakeholders through a series of \nworkshops and events to ensure that we can cover the breadth of \nconsiderations that will be needed to make this National priority a \nsuccess. Our first such session--held in April--initiated the process \nof identifying existing resources and gaps, and prioritized the issues \nto be addressed as part of the Framework.\n    At the end of May, a second workshop at Carnegie Mellon University \nbrought together a broad cross-section of participants representing \ncritical infrastructure owners and operators, industry associations, \nstandards-developing organizations, individual companies, and \nGovernment agencies. 
This 3-day working session, using the analysis of \nthe RFI comments as input, was designed to identify and achieve \nconsensus on the standards, guidelines, and practices that will be used \nin the Framework.\n    Based on the responses to the RFI, conclusions from the workshops, \nand NIST analyses, the preliminary Framework is designed and intended:\n  <bullet> To be an adaptable, flexible, and scalable tool for \n        voluntary use;\n  <bullet> To assist in assessing, measuring, evaluating, and improving \n        an organization's readiness to deal with cybersecurity risks;\n  <bullet> To be actionable across an organization;\n  <bullet> To be prioritized, flexible, repeatable, performance-based, \n        and cost-effective;\n  <bullet> To rely on standards, guidelines, and practices that align \n        with policy, business, and technological approaches to \n        cybersecurity;\n  <bullet> To complement rather than to conflict with current \n        regulatory authorities;\n  <bullet> To promote, rather than to constrain, technological \n        innovation in this dynamic arena;\n  <bullet> To focus on outcomes;\n  <bullet> To raise awareness and appreciation for the challenges of \n        cybersecurity but also the means for understanding and managing \n        the related risks;\n  <bullet> To be built upon international standards and other \n        standards, best practices and guidelines that are used \n        globally.\n    Last week, NIST held its third workshop to present initial \nconsiderations for the Framework. This workshop had a particular \nemphasis on issues that have been identified from the initial work--\nincluding the specific needs of different sectors. 
During the workshop, \nNIST gained consensus on the elements of the Framework that include:\n  <bullet> A section for senior executives and others on using this \n        Framework to evaluate an organization's preparation for \n        potential cybersecurity-related impacts on their assets and on \n        the organization's ability to deliver products and services. By \n        using this Framework, senior executives can manage \n        cybersecurity risks within their enterprise's broader risks and \n        business plans and operations.\n  <bullet> A User's Guide to help organizations understand how to apply \n        the Framework.\n  <bullet> Core Sections to address:\n    <bullet> Five major cybersecurity functions and their categories, \n            subcategories, and informative references;\n    <bullet> Three Framework Implementation Levels associated with an \n            organization's cybersecurity functions and how well that \n            organization implements the Framework;\n    <bullet> A compendium of informative references, existing \n            standards, guidelines, and practices to assist with \n            specific implementation.\n    At 8 months, we will have a preliminary Framework that builds on \nthese elements. In a year's time, once we have developed an initial \nFramework, there will still be much to do. For example, we will work \nwith specific sectors to build strong voluntary programs for specific \ncritical infrastructure areas. Their work will then inform the needs of \ncritical infrastructure and the next versions of the Framework. The \ngoal at the end of this process will be for industry itself to take \n``ownership'' and update the Cybersecurity Framework--ensuring that the \nFramework will continue to evolve as needed.\n                               conclusion\n    The cybersecurity challenge facing critical infrastructure is \ngreater than it ever has been. 
The President's Executive Order reflects \nthis reality, and lays out an ambitious agenda founded on active \ncollaboration between the public and private sectors. NIST is mindful \nof the weighty responsibilities with which we have been charged by \nPresident Obama, and we are committed to listening to, and working \nactively with, critical infrastructure owners and operators to develop \na Cybersecurity Framework.\n    The approach to the Cybersecurity Framework set out in the \nExecutive Order will allow industry to protect our Nation from the \ngrowing cybersecurity threat while enhancing America's ability to \ninnovate and compete in a global market. It also helps grow the market \nfor secure, interoperable, innovative products to be used by consumers \nanywhere.\n    Thank you for the opportunity to present NIST's views regarding \ncritical infrastructure cybersecurity challenges. I appreciate the \ncommittee holding this hearing. We have a lot of work ahead of us, \nand I look forward to working with this committee and others to help us \naddress these pressing challenges. I will be pleased to answer any \nquestions you may have.\n\n    Mr. Meehan. Thank you, Dr. Romine.\n    The Chairman now recognizes Dr. Fischer for 5 minutes of \ntestimony.\n    Dr. Fischer.\n\nSTATEMENT OF ERIC A. FISCHER, PH D, SENIOR SPECIALIST, SCIENCE \n  AND TECHNOLOGY, CONGRESSIONAL RESEARCH SERVICE, LIBRARY OF \n                            CONGRESS\n\n    Mr. Fischer. Good morning, Chairman Meehan, Ranking Member \nClarke, and distinguished Members of the subcommittee. On \nbehalf of the Congressional Research Service, thank you for the \nopportunity to testify today.\n    Over the past several years, evidence has grown that U.S. \ncritical infrastructure is vulnerable to potentially damaging \ncyber attacks. Calls for action have come from many corridors. 
\nThe 111th and 112th Congresses considered but did not enact \nlegislation to address those vulnerabilities.\n    Last year, the Obama administration announced that it was \ndeveloping an Executive Order, which, as you heard, was released \nin February of this year.\n    Five goals in the order have received the most public \nattention. They are No. 1, expanded information sharing, \nincluding Classified information, between the Government and the \nprivate sector.\n    No. 2, identification of critical infrastructure for which \nsuccessful cyber attacks could have catastrophic impacts.\n    No. 3, a voluntary framework of cybersecurity standards and \nbest practices for critical infrastructure developed with the \nprivate sector.\n    No. 4, incentives for voluntary adoption of that framework.\n    No. 5, review of regulatory requirements on cybersecurity \nand recommendations on how to improve them.\n    The order called for fulfillment of its information-sharing \nrequirements and certain others by mid-June of this year and \nfor the high-risk critical infrastructure to be designated by \nmid-July.\n    The framework is to be finalized by next February along \nwith the report addressing privacy and civil liberties \nprotections. The review of regulatory requirements is to be \ncompleted in two stages, with gaps to be identified by next \nMarch and the problematic requirements by February 2016.\n    The administration issued Presidential Policy Directive 21 \nalong with the Executive Order. The Directive makes \ncybersecurity an integral component of critical infrastructure \nsecurity and resilience.\n    Generally, reaction to the Executive Order and Directive \nfrom stakeholders has been positive. 
Criticisms have tended to \nfall into five categories: Whether the Order does anything new, \nthe implementation timetable, adoption of the framework, the \ncritical infrastructure designation process, and the Order's \ninfluence on Congressional action. For all five categories, \narguments have been made on both sides.\n    One criticism of the Order was also raised against some of \nthe legislative proposals in the 112th Congress: that it would \nresult in increased industry regulation that would be both \nineffective and burdensome.\n    Such critics say that even a voluntary framework can become \nmandatory in practice. An alternative view is that voluntary \napproaches have not been particularly effective in this area \nand regulation appears to be working in sectors such as \nelectric power. Others believe that voluntary approaches can be \neffective without causing undue burdens.\n    Some argue that it will be better for this Congress to wait \nuntil the Order is fully implemented before considering \nlegislation. Others believe, however, that the Order merely \nclarifies what changes are needed to current law.\n    It may be too early to determine how at least some of those \nconcerns above will be addressed, let alone whether the \nresponses will satisfy critics. Overall, however, response from \nthe private sector appears to be cautiously optimistic.\n    With respect to current legislation, the Cybersecurity \nEnhancement Act, H.R. 756, would require a triennial strategic \nplan for cybersecurity R&D. 
It would be prepared using an \ninteragency process similar to that established under the High \nPerformance Computing Act of 1991 and related laws.\n    PPD 21 also requires a periodic R&D plan, but it would \nfocus specifically on critical infrastructure and cover \nphysical as well as cybersecurity.\n    It would also be quadrennial rather than triennial, and it \nwould be led by the Secretary of Homeland Security rather than \nthe Office of Science and Technology Policy.\n    CISPA, H.R. 624, would permit sharing of classified \ninformation with private-sector critical infrastructure \nentities. Under the bill, procedures would be established by \nthe Director of National Intelligence. The Executive Order, in \ncontrast, puts the Secretary of Homeland Security in the lead.\n    CISPA also requires the establishment of new \nprocedures relating to privacy and civil liberties, whereas the \nOrder requires agencies to apply protections consistent with \nestablished principles.\n    Finally, I should mention that CISPA would address one of \nthe perceived gaps in current law. It would explicitly permit \ninformation sharing between private entities and would provide \nliability protections. Significant debate has centered on the \nscope of those changes and the potential impacts on privacy and \ncivil liberties.\n    That concludes my testimony. Once again, thank you for \nasking me to appear before you today.\n    [The prepared statement of Mr. Fischer follows:]\n                 Prepared Statement of Eric A. Fischer\n                             July 18, 2013\n    Chairman Meehan, Ranking Member Clarke, and distinguished Members \nof the subcommittee:\n    Thank you for the opportunity to discuss Executive Order 13636, \nImproving Critical Infrastructure Cybersecurity, with you today. 
In my \ntestimony, I will provide some background on the development of the \nOrder and describe its major provisions, including the roles it \nproposes for the private sector and reaction to it by those \nstakeholders, as well as its relationship to Congressional legislation \nand the new Obama administration policy directive on critical \ninfrastructure.\n                   development of the executive order\n    Both the George W. Bush administration and the Obama administration \nhave made improvements to the cybersecurity of critical infrastructure \na priority. The Bush administration created the Comprehensive National \nCybersecurity Initiative (the CNCI) in 2008 via a Classified \nPresidential Directive.\\1\\ The Obama administration performed an \ninteragency review of Federal cybersecurity initiatives in 2009, \nculminating in the release of its Cyberspace Policy Review\\2\\ and the \ncreation of the White House position of Cybersecurity Coordinator.\n---------------------------------------------------------------------------\n    \\1\\ National Security Presidential Directive 54/Homeland Security \nPresidential Directive 23 (NSPD-54/HSPD-23).\n    \\2\\ The White House, Cyberspace Policy Review, May 29, 2009, http:/\n/www.whitehouse.gov/assets/documents/\nCyberspace_Policy_Review_final.pdf; The White House, ``Cyberspace \nPolicy Review [Supporting Documents],'' May 2009, http://\nwww.whitehouse.gov/cyberreview/documents/.\n---------------------------------------------------------------------------\n    Both those efforts and a number of reports from agencies, think \ntanks, and other groups identified gaps in Federal efforts. Both the \n111th and 112th Congresses considered legislative proposals to close \nthose gaps, but none were enacted. In the absence of enacted \nlegislation, the Obama administration began drafting a cybersecurity \nExecutive Order in 2012. 
The development involved a lengthy interagency \nprocess, with both agencies and stakeholders in the private sector \nproviding input.\n    The White House released Executive Order 13636 on February 12, \n2013, along with a new policy directive on critical infrastructure. \nRelevant legislation is also being developed by the 113th Congress. \nFour bills with cybersecurity provisions (H.R. 624, H.R. 756, H.R. 967, \nand H.R. 1163) that were introduced in the month after the release of \nthe Executive Order passed the House in April, and additional bills in \nthe House and the Senate are reportedly being drafted.\n                  requirements in the executive order\n    The Order uses existing statutory and Constitutional authority to:\n  <bullet> Expand information sharing and collaboration between the \n        Government and the private sector, including sharing Classified \n        information by broadening a program developed for the defense \n        industrial base to other critical-infrastructure sectors;\n  <bullet> Develop a voluntary framework of cybersecurity standards and \n        best practices for protecting critical infrastructure, through \n        a public/private effort;\n  <bullet> Establish a consultative process for improving critical-\n        infrastructure cybersecurity;\n  <bullet> Identify critical infrastructure with especially high \n        priority for protection, using the consultative process;\n  <bullet> Establish a program with incentives for voluntary adoption \n        of the framework by critical-infrastructure owners and \n        operators;\n  <bullet> Review cybersecurity regulatory requirements to determine if \n        they are sufficient and appropriate; and\n  <bullet> Incorporate privacy and civil liberties protections in \n        activities under the Order.\n    The information-sharing and framework provisions in particular have \nreceived significant public attention.\nInformation Sharing\n    The Order formalizes a 
previously existing program, now called \nEnhanced Cybersecurity Services, in the Department of Homeland Security \n(DHS), for providing classified threat information to eligible critical \ninfrastructure companies and to their eligible internet, network, \ncommunications, and cybersecurity service providers (known jointly as \ncommercial service providers or CSPs). The program developed out of a \npilot involving the Department of Defense and companies in the defense \nindustrial base, which is one of the 16 recognized critical-\ninfrastructure sectors.\n    The Order also requires the Secretary of Homeland Security, the \nAttorney General, and the Director of National Intelligence to expedite \ndissemination to targeted entities of unclassified and, where \nauthorized, classified threat indicators. Additionally, the Secretary \nof Homeland Security is to expedite processing of security clearances \nto appropriate critical-infrastructure personnel and expand programs to \nplace relevant private-sector experts in Federal agencies on a \ntemporary basis.\nCybersecurity Framework\n    Executive Order 13636 requires the National Institute of Standards \nand Technology (NIST) to lead the development of a Cybersecurity \nFramework that uses an open, consultative process to identify cross-\nsector, voluntary consensus standards and business best practices that \ncan reduce cybersecurity risks to critical infrastructure. The \nframework is to be technology-neutral. It must identify areas for \nimprovement and be reviewed and updated as necessary.\n    The Secretary of Homeland Security is required to set performance \ngoals for the framework, establish a voluntary program to support its \nadoption, and coordinate establishment of incentives for adoption. The \nsector-specific agencies must coordinate review of the framework and \ndevelopment of sector-specific guidance, and report annually to the \nPresident on participation by critical-infrastructure sectors. 
Agencies \nwith regulatory responsibilities for critical infrastructure are \nrequired to engage in consultative review of the framework, determine \nwhether existing cybersecurity requirements are adequate, report to the \nPresident whether the agencies have authority to establish requirements \nthat sufficiently address the risks, propose additional authority where \nrequired, and identify and recommend remedies for ineffective, \nconflicting, or excessively burdensome cybersecurity requirements.\n    The development of the framework is arguably the most innovative \nand labor-intensive requirement in the Executive Order. It builds on \nthe involvement of NIST in the development of cybersecurity technical \nstandards \\3\\ and its statutory responsibilities to work with both \nGovernment and private entities on various aspects of standards and \ntechnology.\\4\\\n---------------------------------------------------------------------------\n    \\3\\ See, e.g., National Institute of Standards and Technology, \n``Computer Security Resource Center,'' February 20, 2013, http://\ncsrc.nist.gov/.\n    \\4\\ 15 U.S.C. §272.\n---------------------------------------------------------------------------\n    None of the major legislative proposals in the 111th and 112th \nCongresses had proposed using NIST to coordinate an effort led by the \nprivate sector to develop a framework for cybersecurity, such as is \nenvisioned by the Executive Order. 
Hundreds of entities have been \ninvolved in NIST's efforts to date, beginning with a Request for \nInformation in February and including public workshops in April, May, \nand July of 2013.\\5\\ An additional workshop is planned for September.\n---------------------------------------------------------------------------\n    \\5\\ National Institute of Standards and Technology, ``Cybersecurity \nFramework,'' July 2, 2013, http://www.nist.gov/itl/cyberframework.cfm.\n---------------------------------------------------------------------------\nOther Requirements\n    Acquisition and Contracting. The Secretary of Defense and the \nAdministrator of General Services must make recommendations to the \nPresident on incorporating security standards in acquisition and \ncontracting processes, including harmonization of cybersecurity \nrequirements.\n    Consultative Process. The Secretary of Homeland Security is \nrequired to establish a broad consultative process to coordinate \nimprovements in the cybersecurity of critical infrastructure.\n    Cybersecurity Workforce. The Secretary of Homeland Security is \nrequired to coordinate technical assistance to critical-infrastructure \nregulatory agencies on development of their cybersecurity workforce and \nprograms.\n    High-Risk Critical Infrastructure. The Order requires the Secretary \nof Homeland Security to use consistent and objective criteria, the \nconsultative process established under the Order, and information from \nrelevant stakeholders to identify and update annually a list of \ncritical infrastructure for which a cyber attack could have \ncatastrophic regional or National impact, but not including commercial \ninformation technology products or consumer information technology \nservices. The Secretary must confidentially notify owners and operators \nof critical infrastructure that is so identified of its designation and \nprovide a process to request reconsideration.\n    Privacy and Civil Liberties. 
The Order requires agencies to ensure \nincorporation of privacy and civil liberties protections in agency \nactivities under the Order, including protection from disclosure of \ninformation submitted by private entities, as permitted by law. The DHS \nChief Privacy Officer and Officer for Civil Rights and Civil Liberties \nmust assess risks to privacy and civil liberties of DHS activities \nunder the Order and recommend methods of mitigation to the Secretary in \na public report. Agency privacy and civil liberties officials must \nprovide assessments of agency activities to DHS.\nImplementation Deliverables and Deadlines\n    The Order contains several requirements with deadlines, and other \nrequirements with no associated dates. In March 2013, DHS announced \nthat it had formed a task force with eight working groups focused on \nthe various deliverables for which it is responsible.\\6\\ There are 12 \ndeliverables with specific associated dates:\n---------------------------------------------------------------------------\n    \\6\\ Department of Homeland Security, ``Integrated Task Force,'' \nMarch 18, 2013, http://www.dhs.gov/sites/default/files/publications/EO-\nPPD%20Fact%20Sheet%2018March13.pdf.\n---------------------------------------------------------------------------\n            June 12, 2013\n  <bullet> Instructions for producing unclassified threat reports \n        (Secretary of Homeland Security, Attorney General, Director of \n        National Intelligence) (Sec. 4(a)).\n  <bullet> Procedures for expansion of the Enhanced Cybersecurity \n        Services Program (Secretary of Homeland Security) (Sec. 4(c)).\n  <bullet> Recommendations to the President on incentives to \n        participate in the framework (Secretaries of Homeland Security, \n        Commerce, and the Treasury) (Sec. 
8(d)).\n  <bullet> Recommendations to the President on acquisitions and \n        contracts (Secretary of Defense, Administrator of General \n        Services) (Sec 8(e)).\n            July 12, 2013\n  <bullet> Designation of critical infrastructure at greatest risk \n        (Secretary of Homeland Security) (Sec. 9(a)).\n            October 10, 2013\n  <bullet> Publication of preliminary Cybersecurity Framework (Director \n        of the National Institute of Standards and Technology) (Sec. \n        7(e)).\n            February 12, 2014\n  <bullet> Report on privacy and civil liberties, preceded by \n        consultations (Chief Privacy Officer and Officer for Civil \n        Rights and Civil Liberties of DHS) (Sec. 5(b)).\n  <bullet> Publication of final Cybersecurity Framework (Director of \n        the National Institute of Standards and Technology) (Sec. \n        7(e)).\n            May 13, 2014\n  <bullet> Reports to the President on review of regulatory \n        requirements (agencies with regulatory responsibilities for \n        critical infrastructure) (Sec. 10(a)).\n  <bullet> Proposed additional risk mitigation actions (agencies with \n        regulatory responsibilities for critical infrastructure) (Sec. \n        10(b)).\n            February 12, 2016\n  <bullet> Reports to the Office of Management and Budget on \n        ineffective, conflicting, or burdensome requirements (agencies \n        with regulatory responsibilities for critical infrastructure) \n        (Sec. 10(c)).\n\n    The Order also includes more than 20 actions for which no specific \ndate is provided. While many of the activities under the Order are in \nthe process of development, some provisions may already have had some \neffect. 
For example, the provision on expedited security clearances was \napparently used in responses to a cyber attack this past spring on \nseveral banks, to facilitate communication by the FBI with the \nbanks.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ Joseph Menn, ``FBI Says More Cooperation with Banks Key to \nProbe of Cyber Attacks,'' Reuters, May 13, 2013, http://\nwww.reuters.com/article/2013/05/13/us-cyber-summit-fbi-banks-\nidUSBRE94C0XH20130513.\n---------------------------------------------------------------------------\n    relationship of the executive order to the presidential policy \n                               directive\n    Presidential Policy Directive 21 (PPD 21),\\8\\ Critical \nInfrastructure Security and Resilience, on protection of critical \ninfrastructure, was released in tandem with Executive Order 13636. PPD \n21 supersedes Homeland Security Presidential Directive 7 (HSPD 7), \nCritical Infrastructure Identification, Prioritization, and Protection, \nreleased December 17, 2003. PPD 21 includes cybersecurity broadly as a \nneed to be addressed along with physical security. 
It seeks to \nstrengthen both the cyber- and physical security and resilience of \ncritical infrastructure by:\n---------------------------------------------------------------------------\n    \\8\\ The White House, ``Critical Infrastructure Security and \nResilience,'' Presidential Policy Directive 21, February 12, 2013, \nhttp://www.whitehouse.gov/the-press-office/2013/02/12/presidential-\npolicy-directive-critical-infrastructure-security-and-resil.\n---------------------------------------------------------------------------\n  <bullet> clarifying functional relationships among Federal agencies, \n        including the establishment of separate DHS operational centers \n        for physical and cyber-infrastructure;\n  <bullet> identifying baseline requirements for information sharing, \n        to facilitate timely and efficient information exchange between \n        Government and critical-infrastructure entities while \n        respecting privacy and civil liberties;\n  <bullet> applying integration and analysis capabilities in DHS to \n        prioritize and manage risks and impacts, recommend preventive \n        and responsive actions, and support incident management and \n        restoration efforts for critical infrastructure; and\n  <bullet> organizing research and development (R&D) to enable secure \n        and resilient critical infrastructure, enhance impact-modeling \n        capabilities, and support strategic DHS guidance.\nImplementation Deliverables and Deadlines\n            June 12, 2013\n  <bullet> Description of functional relationships within DHS and \n        across other Federal agencies relating to critical \n        infrastructure security and resilience (Secretary of Homeland \n        Security).\n            July 12, 2013\n  <bullet> Analysis of public-private partnership models with \n        recommended improvements (Secretary of Homeland Security).\n            August 11, 2013\n  <bullet> Convening of experts to identify baseline 
information and \n        intelligence exchange requirements (Secretary of Homeland \n        Security).\n            October 10, 2013\n  <bullet> Demonstration of ``near-real-time'' situational-awareness \n        capability for critical infrastructure (Secretary of Homeland \n        Security).\n  <bullet> Updated National Infrastructure Protection Plan that \n        addresses implementation of the directive (Secretary of \n        Homeland Security).\n            February 12, 2015\n  <bullet> First quadrennial National Critical Infrastructure Security \n        and Resilience R&D Plan (Secretary of Homeland Security).\\9\\\n---------------------------------------------------------------------------\n    \\9\\ PPD 7 gave primary responsibility for coordinating R&D to the \nOffice of Science and Technology Policy.\n\n    In addition to DHS, the Directive describes specific \nresponsibilities for the Departments of Commerce, Interior, Justice, \nand State, the intelligence community, the General Services \nAdministration, the Federal Communications Commission, the sector-\nspecific agencies, and all Federal departments and agencies.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ PPD 7 did not describe specific responsibilities of the \nintelligence community, the General Services Administration, or the \nFederal Communications Commission.\n---------------------------------------------------------------------------\n relationship of the executive order to the cyber intelligence sharing \n       and protection act (cispa, h.r. 624) and other legislation\n    A number of observers, both in the Federal Government and the \nprivate sector, have stated that Executive Order 13636 is not \nsufficient to protect U.S. critical infrastructure from cyber threats, \nand that legislation is needed. 
In 2011, the White House proposed \nlegislation with provisions on personnel authorities, criminal \npenalties, data breach notification, authorities of the Department of \nHomeland Security (DHS), a regulatory framework for cybersecurity of \ncritical infrastructure, and reform of the Federal Information Security \nManagement Act (FISMA). Related provisions also appeared in bills \nintroduced in recent Congresses. Both the White House proposal and \nseveral bills have contained incentives for information sharing by the \nprivate sector with the Federal Government and other private entities, \nincluding protection from legal liability and exemption from provisions \nin the Freedom of Information Act.\n    At a hearing before the Senate Committee on Homeland Security and \nGovernmental Affairs in September 2012, Secretary of Homeland Security \nJanet Napolitano stated that in addition to the Executive Order, there \nwere at least three things for which legislation would be necessary: \nPersonnel authorities, liability protections, and criminal penalties \n(S. Hrg. 112-639, p. 23). A number of private-sector entities have also \nstated that liability and disclosure protections are needed to \nencourage private-sector information sharing.\n    Among the cybersecurity bills that have been introduced in the \n113th Congress, H.R. 624, the Cyber Intelligence Sharing and Protection \nAct (CISPA), which passed the House in April, addresses information \nsharing. Some provisions in CISPA, as in the Executive Order, would \nprovide for expedited security clearances and sharing of classified \ninformation by the Federal Government with the private sector. 
The bill \nwould additionally permit entities providing cybersecurity services to \nthemselves or others (which the bill calls cybersecurity providers) to \nobtain and share threat information for purposes of protection, \nnotwithstanding any other provision of law.\n    CISPA would also make such entities and those they protect exempt \nfrom liability for good-faith use of cybersecurity systems to obtain or \nshare threat information and decisions based on such information.\n    In the Senate, the Committee on Commerce, Science, and \nTransportation is reportedly drafting a bill that would provide a \nlegislative basis for NIST's role in developing and updating the \nframework in the Executive Order.\\11\\ The draft bill would also \nreportedly require a Federal cybersecurity research and development \nplan, as would H.R. 756, the Cybersecurity Enhancement Act of 2013, \nwhich passed the House in April. PPD-21 requires an R&D plan that \naddresses security and resiliency for critical infrastructure, \nincluding cybersecurity.\n---------------------------------------------------------------------------\n    \\11\\ John Eggerton, ``Rockefeller, Thune Circulate Cybersecurity \nDraft,'' Broadcasting & Cable, July 12, 2013, http://\nwww.broadcastingcable.com/article/494447-Rockefeller_Thune_- \nCirculate_Cybersecurity_Draft.php.\n---------------------------------------------------------------------------\n            private-sector reactions to the executive order\n    Given the absence of enacted comprehensive cybersecurity \nlegislation, some security observers contend that the Executive Order \nis a necessary step in securing vital assets against cyber threats. 
\nSome observers, however, have raised concerns.\\12\\ Common themes by \nsuch critics include the following claims:\n---------------------------------------------------------------------------\n    \\12\\ See, for example, Paul Rosenzweig and David Inserra, Obama's \nCybersecurity Executive Order Falls Short, Issue Brief No. 3852, \nFebruary 14, 2013, http://www.heritage.org/research/reports/2013/02/\nobama-s-cybersecurity-executive-order-falls-short; Dave Frymier, ``The \nCyber Security Executive Order Is Not Enough,'' Innovation Insights: \nWired.com, March 1, 2013, http://www.wired.com/insights/2013/03/the-\ncyber-security-executive-order-is-not-enough/.\n\n  <bullet> The Order offers little more than do existing processes. \n        Such critics point out that, for example, the Enhanced \n        Cybersecurity Services program was in place before the release \n        of the Order, and that a variety of efforts have been underway \n        to develop and adopt voluntary standards and best practices in \n        cybersecurity for many years. Proponents of the Order argue \n        that it lays out and clarifies Obama administration goals, \n        requires specific deliverables and time lines, and that the \n        framework and other provisions are in fact new with the \n        Executive Order.\n  <bullet> The Order could make enactment of legislation less likely. \n        These critics express concern that Congress might decide to \n        wait until the major provisions of the Order have been fully \n        implemented before considering legislation. 
Proponents state \n        that immediate action was necessary in the absence of \n        legislation, and that changes in current law are necessary no \n        matter how successful the Executive Order might be, to provide \n        liability protections for information sharing and to meet other \n        needs.\n  <bullet> The process for developing the framework is either too slow \n        or too rushed. Some observers believe that some actions to \n        protect critical infrastructure are well-established and should \n        be taken immediately, given the nature and extent of the \n        current threat. They state that the year-long process to \n        develop the framework may delay implementation of needed \n        security measures\\13\\ and creates unnecessary and unacceptable \n        risks. Others counter that widespread adoption of the framework \n        requires consensus, which takes time to achieve, and that the \n        1-year time frame may be insufficient, given that the process \n        for developing and updating consensus standards often takes \n        several years. 
Some also state that the framework process does \n        not preclude entities from adopting established security \n        measures immediately.\n---------------------------------------------------------------------------\n    \\13\\ For example, some suppliers to the Federal Government have \nreportedly called for suspension of procurement rulemaking relating to \ncybersecurity until the framework has been published (Aliya Sternstein, \n``Contractors Ask GSA to Freeze Cyber-Related Regulations,'' Nextgov, \nMay 17, 2013, http://www.nextgov.com/cybersecurity/2013/05/contractors-\nask-gsa-freeze-cyber-related-regulations/63244/\n?oref=nextgov_cybersecurity).\n---------------------------------------------------------------------------\n  <bullet> The framework risks becoming a form of de facto regulation, \n        or alternatively, its voluntary nature makes it insufficiently \n        enforceable. Another concern of some is that it could lead to \n        Government intrusiveness into private-sector activities, for \n        example through increased regulation under existing statutory \n        authority,\\14\\ while others contend that voluntary measures \n        have a poor history of success. Some others, however, have \n        argued that changes in the business environment--such as the \n        advent of continuous monitoring, more powerful analytical \n        tools, and a better prepared workforce--improve the likelihood \n        that a voluntary approach can be successful.\\15\\\n---------------------------------------------------------------------------\n    \\14\\ For example, some believe that the framework, while voluntary, \n``could develop in such a way that companies will be forced to adopt \nprescriptive standards due to the fact that information on program \nadoption for `high-risk' industries may be made public. 
More \nconcerning, this could be done without a review process and could be \nused to leverage [sic] in ways that may not be beneficial to lowering \noverall risk'' (Testimony of David E. Kepler, Senate Committee on \nHomeland Security and Governmental Affairs and Senate Committee on \nCommerce, Science, and Transportation, ``The Cybersecurity Partnership \nBetween the Private Sector and Our Government: Protecting Our National \nand Economic Security,'' hearing, March 7, 2013, http://\nwww.hsgac.senate.gov/hearings/the-cybersecurity-partnership-between-\nthe-private-sector-and-our-government-protecting-our-national-and-\neconomic-security).\n    \\15\\ CRS Report R42984, The 2013 Cybersecurity Executive Order: \nOverview and Considerations for Congress, by Eric A. Fischer et al.; \nMike McConnell et al., The Cybersecurity Executive Order (Booz Allen \nHamilton, April 26, 2013), http://www.boozallen.com/media/file/BA13-\n051CybersecurityEOVP.pdf.\n---------------------------------------------------------------------------\n  <bullet> The Order could lead to overclassification or \n        underclassification of high-risk critical infrastructure by \n        DHS. 
Some observers have expressed concern that the requirement \n        in the Order for DHS to designate high-risk critical \n        infrastructure may be insufficiently clear and could lead to \n        either harmfully expansive designations or inappropriate \n        exclusions of entities.\\16\\ This might be particularly a \n        problem if the criteria are not sufficiently validated.\\17\\\n---------------------------------------------------------------------------\n    \\16\\ Testimony of Roger Mayer, House Committee on Energy and \nCommerce, ``Cyber Threats and Security Solutions,'' hearing, May 21, \n2013, http://energycommerce.house.gov/hearing/cyber-threats-and-\nsecurity-solutions.\n    \\17\\ The Government Accountability Office (GAO) expressed similar \nconcerns about DHS's National Critical Infrastructure Prioritization \nProgram (NCIPP) list of highest-priority U.S. infrastructure \n(Government Accountability Office, Critical Infrastructure Protection: \nDHS List of Priority Assets Needs to Be Validated and Reported to \nCongress, GAO-13-296, March 2013, http://www.gao.gov/assets/660/\n653300.pdf). The relationship between the NCIPP list and that under the \nExecutive Order has raised some concerns. There appear to be some \ndifferences between the lists that have resulted in some disagreements \nwith the private sector (see, for example, Testimony of Dave McCurdy, \nHouse Committee on Energy and Commerce, Cyber Threats and Security \nSolutions, hearing, May 21, 2013, http://energycommerce.house.gov/\nhearing/cyber-threats-and-security-solutions).\n\n    It appears to be too early in the development of the components of \nthe Executive Order to determine how the concerns described above will \nbe addressed and whether the responses will satisfy critics and \nskeptics. 
Overall, however, response to the Order from the private \nsector--including critical-infrastructure entities, trade associations, \nand cybersecurity practitioners--appears to be cautiously optimistic.\n\n    Mr. Meehan. Well, thank you, Dr. Fischer.\n    I thank each of the panelists for your opening statements.\n    Now I recognize myself for 5 minutes of questions.\n    Dr. Romine, let me just start with you because the focus of \nour hearing today is NIST and the work that has been done, and \nI know you gave a little bit of an opening with regard to some \nof the progress, but give me a sense as to where you are by \nvirtue of the three separate meetings that have been done and \nwhat you expect will be the next most critical steps moving \ninto the meetings in Dallas next month.\n    Mr. Romine. Thank you for the question. I am actually quite \nexcited by the progress that we have made and the response that \nwe have gotten from the private sector.\n    One of the concerns that you always have when you begin an \nissue like this is ensuring that you get a good participation \nand a vigorous discussion with the private sector if you are \ngoing to establish a voluntary program with the framework as \nthe backbone.\n    I am really gratified in two ways. We have gotten vigorous \ndiscussions and vigorous debate and we have achieved over the \ncourse of a relatively short time a lot of consensus on the \noverall structure of the framework. We are going to take that, \nthe consensus that we have received in San Diego just last week \non elements of it and establish a pretty solid draft framework \nin preparation for the meeting in Dallas.\n    As you know, the deliverable will be immediately after or \njust a short time after the Dallas----\n    Mr. Meehan. What do you think the essence of that \ndeliverable is going to be? 
What was going to come out at the \nconclusion of this process?\n    Mr. Romine. So I think there are a few key elements to the \nframework that have to be there. One is an executive summary \nthat is digestible by the very senior leadership of \ncorporations, companies, the owners and operators of the \ncritical infrastructure.\n    This is something that they are going to have to integrate \ninto their business decision process, and so we have to convey \nenough information in a way that is digestible to them so that \nthey----\n    Mr. Meehan. I guess--who and how? That is part of what a \nlot of this is--you know, the questions become--we often talk \nabout the weakest link, but there is also the--when you talk \nabout business and other kinds of, you know, public and \nprivate-sector entities that it is an endless process of who \nmay or may not be included.\n    Who do we think this is targeted to, you know, to be \nreceived by, and what kind of activity are we expecting them to \nundertake as a result of the creation of the standards?\n    Mr. Romine. Well, I think the goal is for all of the \ncritical infrastructure sectors that have been identified \nthrough the DHS process and are going to be responsive to the \nadoption of this voluntary framework and that includes \ncompanies at various levels of both sophistication and various \nlevels of import in terms of the critical infrastructure.\n    So there are going to be some very major corporations who \nalready have a lot of mature business processes in place and \ncybersecurity risk assessment in place to adopt the framework \nbecause they may be the most critical of the critical \ninfrastructures and I am sure Mr. Kolasky----\n    Mr. Meehan. Mr. 
Kolasky, let me jump onto that with you in \nterms of the identification of this most critical \ninfrastructure because this is one of the pieces as well, and \nwhile I know you can't talk with specificity about that at this \npoint in time because my understanding is that it will be \nsomething that will be more or less protected information, but \nwhere do you come off of the work that is being done in here \nand how will the identification of specific sectors uniquely \nvulnerable relate to what is being done and how about those \nthat are not identified as the most vulnerable but will still \nbe out there in commerce?\n    Mr. Kolasky. Sure. Thank you, Chairman Meehan.\n    First and foremost, to do the work to identify the critical \ninfrastructure where cybersecurity incident could cause \ncatastrophe, we had to work with all of the 16 critical \ninfrastructure sectors and we set up a process to do so.\n    In doing so, we identified the critical functions that each \nof those infrastructure produce. That and analytic work done in \ncollaboration with industry is very helpful for understanding \nthe overall scope of critical infrastructure in a relationship \nwith cybersecurity which will help the framework adoption.\n    In terms of the actual critical infrastructure that we have \nidentified or are in the process of identifying, it is a \nrelatively small list. It is a list where we think a \ncybersecurity incident can cause public safety or significant \neconomic damage or National security implications, we plan to \nwork with those industries, those entities, those businesses--\n--\n    Mr. Meehan. Are many or most of those industries already \npretty far along in terms of their commitment to cybersecurity \nor are you concerned about some real outliers?\n    Mr. Kolasky. I think it is fair to say that we are \nconfident that they are very well along with cybersecurity. 
\nMost of those entities we have on-going relationships with and \nwe plan to continue those on-going relationships. We will work \nwith them to identify risk management approaches and provide \nFederal resources to support them, but we are confident that \nthey have taken a cybersecurity problem very seriously and that \nthey have gone a long way in mitigating their vulnerabilities.\n    Mr. Meehan. Okay.\n    Well, thank you.\n    My time is expired, but I know we are going to have an \nopportunity to ask a series of questions, so I look forward to \nexploring it further.\n    The Chairman now recognizes the gentlelady from New York, \nMs. Clarke.\n    Ms. Clarke. Thank you--thank you very much, Mr. Chairman.\n    The privacy and the civil liberties protections established \nin the Executive Order process are to be consistent with the \nfair information practice principles including the principle of \ndata minimization.\n    What steps are being taken to ensure that once a final \nframework is in place personally identifiable information that \nis irrelevant and unnecessary to accomplish a specified \ncybersecurity purpose will not be collected?\n    I want to extend that question to all of the panelists.\n    Mr. Romine. Well, I can certainly start on the development \non the framework through the workshops. I will give a specific \nexample in San Diego. We had a separate breakout section \nspecifically devoted to privacy and civil liberties issues \nwhere we got the chance to engage with a broad cross-section of \nstakeholders and received their input on the importance and \nsome of the techniques that are already being used by these \nindustries to ensure protection of privacy and civil liberties.\n    That was led by my laboratory's senior advisor for privacy, \na position that I am committed to. I think that is an important \nposition for an information technology laboratory to have. 
So I \nam very proud of that.\n    We also at NIST have the information security and privacy \nadvisory board or ISPAB, a Federal advisory committee that we \nkeep apprised of our activities that are relevant in that space \nand so we engage with them and we are hoping to engage with the \nprivacy and civil liberties board that has been recently \nreconstituted as well. It is baked into many of the discussions \nthat we have during the framework development.\n    Ms. Clarke. Do either of you have----\n    Mr. Kolasky. Sure. I would just add that across the EO, the \nPPD as part of the integrated task force, we have stood up an \nassessments working group particularly thinking of privacy and \ncivil liberties assessments for all of the work that is going \non with the EO PPD.\n    We did this at the front end of the work and these members \nhave been sitting on our working groups and working in \ncollaboration across the interagency because we very much want \nto bake privacy and civil liberties into all the work we are \ndoing rather than review and assess at the end of it.\n    Ms. Clarke. Very well. Let me move on to my second question \nthen.\n    Section 5(a) of the Executive Order requires agencies to \ncoordinate their activities with their senior privacy and civil \nliberties officials. Are senior privacy and civil liberties \nofficials at each agency, being NIST and DHS--excuse me--are \nthese civil liberty officials at each agency given the \nopportunity to provide substantive policy recommendations \nduring the development of the phase of the framework? Can you \nexpand on their role in the process?\n    Mr. Kolasky. As I was just talking about with the \nassessments working group, very much so. This is a \ncollaboration across the senior civil liberties and privacy \nofficials.\n    It has been a great opportunity in some of the departments \nand agencies. 
Traditionally these folks haven't worked on \ncritical infrastructure issues.\n    It has created a community practice and they been given an \nopportunity in addition, you know, with all our work we are \nbriefing the advocacy community and other interested parties \nregularly on what is going on.\n    Ms. Clarke. Very well.\n    Mr. Romine. I would say within the Department of Commerce, \nthe privacy and civil liberties officer at NIST is our chief \ninformation officer. He is down the hall from me. I get the \nopportunity to talk with him on a regular basis about \neverything that our laboratory is doing including this effort.\n    At the Department of Commerce, as you know, it is the \nSecretary of Commerce who was directed by the President to \ndirect the director of NIST under the Executive Order to \nundertake this framework development and they are certainly \naware of all of the actions that we are taking.\n    They are at the Secretary's level--they have the Privacy \nand Civil Liberties Office and they are certainly aware as \nwell.\n    Ms. Clarke. Very well.\n    Let me ask Mr. Kolasky, Presidential Policy Directive 21 \nwhich accompanied the Executive Order requires an evaluation of \nexisting public-private partnership model and recommendations \nfor improving public/private collaboration.\n    Can you characterize for the committee the current status \nof the public/private partnership model and what steps are \nbeing considered to improve the model?\n    Mr. Kolasky. Sure, yes, ma'am. First of all, we delivered \nthis report last week and I think the good news is we really do \nbelieve that the model has been established over the last 15 \nyears to work on critical infrastructure security and \nresilience is working and has the potential to work to solve \ntough critical infrastructure security and resilience issues.\n    I think the process that we have been undergoing over the \nlast 6 months is a great demonstration of that. 
There were \nimprovements that can be made but the key is to understand that \nwe have been able to collaborate with the private sector \nthrough these processes and work with State and local and \nTribal territorial governments.\n    The reason I think we can do that is there is a shared \nsense of purpose. We have improved communications. We are \nworking toward joint priorities and things like that. That all \nleads to trust. Nothing is more important to trust that \nindustry and Government and at different levels of government \ncan come together to work on these issues.\n    In terms of recommendations going forward, we--as I said, \nalthough it is working we think there are some enhancements \nthat can be made. We would like to move from more of a process-\nfocused and outcome-focused partnership.\n    We would like to use the partnership to set joint National \npriorities, and I think that is an important step. We would \nlike to explore how to promote regional networks and bring some \nof the good work down to the regional level, and finally we \nwould like to look at new methods to unleash innovation through \npublic and private programs.\n    Ms. Clarke. Thank you all very much. I yield back, Mr. \nChairman.\n    Mr. Meehan. I thank the gentlelady.\n    The Chairman now recognizes the distinguished gentleman \nfrom Pennsylvania, the former United States attorney, from the \nmiddle District of Pennsylvania, Congressman Marino.\n    Mr. Marino.\n    Mr. Marino. Thank you, Chairman.\n    Good morning, gentlemen, and I apologize for being late and \nnot hearing all of the opening statements. I am trying to \njuggle three and four things as my colleagues know that we do.\n    I have a concern following up on my colleague across the \naisle as far as security but from a different perspective. 
We \nhave certainly seen where this administration has a series of \nbungles concerning IRS, Benghazi, Fast and Furious, but the \nPresident happens to come up with, ``I didn't know about it,'' \n``I don't know anything about it,'' and usually there is a low-\nlevel person that gets blamed for it--who is still on the \npayroll as a matter of fact.\n    So what can you do, what can be done if the President is \ngoing to take the responsibility for this to make sure that we \ndon't have Snowdens running around gathering critical \ninformation about what we are doing and those involved and then \nsharing it with our enemies?\n    Mr. Kolasky, perhaps you could start with this.\n    Mr. Kolasky. Sure. Thank you, Congressman, and thank you \nfor the question.\n    As you know, this is an important issue that whatever we do \nwe need to protect the security of the information that we are \nproviding and that we are collecting.\n    The security approaches within the Executive Order relate \nto information sharing and we are thinking of it in two \ndifferent ways; one of which is we are working to separate \nClassified information from Unclassified information and focus \non getting Unclassified information on how to mitigate cyber \nvulnerabilities based on cyber threats out as efficiently and \nquickly as possible in an actual manner to help industry take \naction to mitigate those threats.\n    That is a very important step. 
This doesn't have to be done \nat a Classified level in a lot of places and if we can improve \nthose processes, that will help very much.\n    The second side to promote the protection of Classified \ninformation, we have made improvements in our enhanced \ncybersecurity service program and made that available to a \nlimited number of commercial service providers to promote the \nairing of information we have about cyber threat indicators and \nthese are particular cyber threat indicators.\n    They are things like malware and email language and we want \nto make sure that is available but we want to make sure that \nsecurity is protected in doing so and finally we want to make \nsure that anyone that gets a security clearance in Government \nhas undergone proper vetting.\n    Mr. Marino. Thank you.\n    Doctor, please.\n    Mr. Romine. Congressman, from the standpoint of the \nframework, I think your question really relates principally to \nthe idea of risk mitigation strategies for the insider threat.\n    So that has been a source of on-going discussion, but as a \npart of a more general discussion among owners and operators of \ncritical infrastructure to ensure the, sort of, full risk \nmanagement approach for cybersecurity and that includes both \nthe insider threat as well as Congresswoman Clarke's concerns \nabout protection of privacy and civil liberties.\n    Mr. Marino. Doctor.\n    Mr. Fischer. Thank you, Mr. Marino. I would just like to \nadd that I would say that a lot of experts believe that it \nwould--it is basically impossible to prevent any, you know, \ninsider threat from being successful----\n    Mr. Marino. As a prosecutor, I am aware it is basically--it \nis impossible to prevent anything, but it does happen, but it \njust seems that it is happening ad nauseam with this \nadministration.\n    Mr. Fischer. Right. 
So the question then becomes, what are \nthe levels at which that kind of problem can be tolerated, and \nhow does it relate to the potential benefits of what is being \ndone.\n    So for example, with respect to the information sharing, \nyou know, one of the things that DHS has been doing with the \nenhanced cybersecurity services program is to focus--if I \nunderstand correctly--on what they call cybersecurity service \nor commercial service providers which have to do with the \ninternet service providers and that sort of thing rather than \nopening up the dissemination of this threat information to all \nsorts of critical infrastructure entities, and so the critical \ninfrastructure entities work through these CSPs.\n    So to the extent that that sort of thing is successful, the \nidea of narrowing the vulnerabilities to specific areas may be \nuseful.\n    Mr. Marino. Thank you.\n    I have another question, but perhaps we will have another \nround, and so I yield back.\n    Mr. Meehan. I thank the gentleman.\n    The Chairman now recognizes the distinguished gentleman \nfrom Texas, Mr. Vela.\n    Mr. Vela. Thank you for your testimony today.\n    Dr. Romine, Executive Order 13636 specifically provides \nthat the cybersecurity framework and protection against cyber \nthreats should include physical threats; not just computer \nviruses and hacking.\n    The White House Strategic National Risk Assessment includes \nnatural electromagnetic pulse from a geomagnetic super-storm as \nan example of a physical threats to critical infrastructures.\n    Does the cybersecurity framework as you envision it include \nthreats not only from computer viruses and hacking but physical \nthreats especially from EMP?\n    Mr. Romine. 
I would say yes in general although EMP is not \nspotlighted as much as just the overall risk assessment that \neach of these owners and operators is going to be involved in.\n    When we talk about a cybersecurity and protection of \ncritical infrastructure, we are keenly aware of the cyber \nphysical systems nature of many of these infrastructures that \nthe information systems are not in fact independent but rather \noften interact with physical or other kinds of systems.\n    So the risk assessment approach that we are taking or the \nrisk management approach that we are taking in the framework is \nintended to encompass the impact or the risks holistically \nrather than just with regard to viruses and other kinds of \ncyber threats, traditional cyber threats.\n    Mr. Vela. Dr. Fischer, what additional challenges are \nimposed globally in terms of privacy protection and the sharing \nof personally identifiable information across borders?\n    Mr. Fischer. Sir, Mr. Vela, could I clarify? You say what \nchallenges to with respect to the Executive Order and----\n    Mr. Vela. Yes, no it is: What additional challenges are \nimposed globally in terms of privacy protection and the sharing \nof personal identifiable information across borders?\n    Mr. Fischer. I see, okay.\n    Yes, well, two quick things I can say to that. First of \nall, there obviously--the work is being done within the United \nStates is done in the context, international context and there \nis quite a network of international agreements.\n    There is no, currently, no global cybersecurity treaty. 
\nSome people have tried to--tried to draft such a thing, but it \nhasn't been adopted, and there are a lot of bilateral \nagreements which often would be the vehicles in which these \nsorts of concerns would, I think, be addressed.\n    With respect to specific--or specific questions or with \nrespect to privacy and civil liberties, I would say that is \noutside of my expertise, but we do have experts on our \ncybersecurity team within CRS who deal specifically with those \nissues and we would be happy to talk with you about that or \nanswer questions for the record.\n    Mr. Vela. Okay. I guess we will wait for another day on \nthose.\n    For the whole panel, what are examples of effective risk-\nbased approach in the framework?\n    Mr. Romine. So one of the exciting things that we have had \nin the workshops is seeing the representatives of various \nindustries talking with each other about the approaches that \nthey take and the effectiveness of those approaches.\n    One of those approaches involves something that in the \nenergy sector is called the C2M2 which essentially regardless \nof that, the expansion of that, the idea is to have a, sort of, \nset of maturity levels associated with specific functions.\n    If you take a look at the framework outline that we \nprovided in San Diego and some of the consensus that we \nreceived, that model seems to be very attractive to the vast \nmajority of the participants and the critical infrastructures.\n    So that kind of risk assessment--NIST has a very strong \nhistory in risk-based management of cybersecurity through the \nFederal Information Security Management Act or FISMA, \nactivities.\n    We have had special publications that are quite influential \nin this space with regard to the private sector and have been \nadopted widely by the public sector and have been adopted \nwidely by the private sector as well because of their \neffectiveness.\n    Mr. Kolasky. 
I would just add one of the things I have
observed through the process is an example of what works is if
corporate leadership gets involved in the process and we have
heard that repeatedly that you have to produce a framework that
resonates at the board level and resonates as the CEO level and
in doing so, that will help organizations make risk management
decisions.
    Mr. Fischer. I don't believe I would have anything to add
it to those comments at this point. Thank you, sir.
    Mr. Vela. I yield back.
    Mr. Meehan. I thank the gentleman from Texas.
    I recognize myself now for 5 minutes of follow-up
questions.
    One of the issues that we have been dealing with throughout
the concept of not only the creation of the NIST standards but
as the underlying concept of voluntary adoption of those
standards and it permeates the language in the report, I mean
in the Executive Order that these are voluntary.
    But at the same time we are creating a framework, and I
would like to explore the extent to which people begin to see
this framework as a basis for further activity, not the least
of which could become further activity in which that framework
is used as the basis for other regulatory agencies to say that
they are now authorized to begin to create required adherence
to certain of these standards.
    I would like the panel to individually address your
perception of what voluntariness means and where you believe
and to the extent certainly, Mr. Kolasky and Dr.
Romine, to the
extent that you are dealing with NIST, where you believe this
goes to and what you believe the intention is with regard to
whether these will ultimately be utilized in some way to become
requirements.
    Because I am aware of a number of shalls in the Executive
Order and, you know, the shall-proposed, prioritized, risk-based,
coordinated actions, you know, if the current regulatory
requirements are deemed to be insufficient.
    So please, Dr. Romine, first.
    Mr. Romine. I can start with that. NIST has a long history
of developing in coordination with industry guidelines and best
practices and ultimately industry-led standards that do govern
the industry in a purely voluntary way, and that has been very
effective in the past, and we expect it to be effective in the
future with the Executive Order and the framework.
    The only way that works is vigorous participation on the
part of the private sector so that they have buy-in and a stake
in the outcome of the framework itself.
    So I think with that understanding and the fact that we
believe that we have that vigorous participation, I am not as
concerned about this being a, sort of, a hidden way of getting
regulatory authority. I really think the voluntary nature of it
is quite explicit and quite transparent and we expect it to
continue to be that way.
    Mr. Meehan. Mr. Kolasky, what is your impression of this
from DHS?
    Mr. Kolasky. Sure. First principle of ours as we
participated in this is for the framework to be successful and
in the attached assessments--incentives it has to make sense
for businesses to make business decisions.
    Businesses make rational decisions and they have to see
that this is in their business interest and because of that, as
Dr. Romine just referred to, it is very important to listen to
businesses and we have taken that obligation----
    Mr. Meehan.
I mean, you don't question--and I often talk to
businesses. Businesses will say we are way ahead of the
Government in many ways because we appreciate that the exposure
that we have to our business--so we are asking you, what are
you doing to help us, and then I get that part. What I am
concerned about is when we begin to get to a point where some
businesses say hey, we think we are doing something and we
start to get Washington coming in and creating a requirement.
    Mr. Kolasky. Right. That is why the voluntary nature of
this is so important. If we can create confidence in the
marketplace that businesses are doing something, if we can
offer information to continue to incentivize them to do
something, then I don't think Government needs to get involved
in that kind of manner that you are talking about.
    So it is really important for us to set up a framework that
gives the market confidence so businesses can do business with
each other and with the Government is that they are taking----
    Mr. Meehan. So to the extent said that you speak for
Department of Homeland Security and you are allowed to discuss
it as a matter of policies, it is your perception that the
Department is looking at this as a voluntary program?
    Mr. Kolasky. I can speak with certainty that the Department
is looking at this----
    Mr. Meehan. Dr. Fischer, you have had the ability to see
these kinds of things not just in this particular area with
cyber, but in the broader spectrum with other agencies in which
there have been standards that have been utilized, Department
of Defense, EPA, other kinds of things and in your own
testimony you discussed the different pieces of this issue.
Would you articulate more fully your sense as to whether or not
these kinds of the voluntary standards may or have been
utilized in other situations to become regulations and
requirements?
    Mr. Fischer.
So there are a few points I think might be
useful to make here.
    No. 1 is that we have been asked particularly in the last
Congress by a number of Congressional offices about the
question of what the current regulatory capabilities or powers
are of the Federal Government with respect to cybersecurity.
    Our answer had to be that there--except for cases in which
they are explicitly laid out and clear--where there are such
regulations such as a width of the electric power sector--it is
difficult to say because until the agency actually tries to
create regulations, one doesn't know what is really going to
happen because the regulatory process is a separate process. It
involves industry and other stakeholders in----
    Mr. Meehan. But do you believe as it stands right now and I
am sorry to cut you off and please go forward if you can, but I
do want to ask this question. Do you believe that the way the
Executive Order is written right now as it moves in it opens
the door to the ability of agencies to say, in our
interpretation and it may be a particular agency that may look
in just say, in our interpretation, there is an opportunity
here for us to use this as a basis to ask for, you know, more
cyber protection in a particular area?
    Mr. Fischer. Certainly the Executive Order explicitly
requires that agencies make recommendations with respect to
where the gaps are. So to the extent that those gaps would be I
guess fillable under current law, then it is clear that
agencies could in fact attempt to create regulations in those
areas.
    To the extent that they are not as capable under current
law, then that is the interpretation, then they would have to
come to Congress for additional authority.
    Mr. Meehan. Well, this is where they have to come to
Congress for additional authority to do what? To do rulemaking
of regulations because as I see this they are talking about----
    Mr. Fischer.
Well, to be able to--right--so if for example
the current--if the current regulation--if the current
authority of an agency to create regulations is limited or the
agency determines that it doesn't have the authority
currently----
    Mr. Meehan. Well, I have never--we don't have a problem
here in Washington with agencies who believe that they have
limited authority to enter into issues and that is why I am
trying to explore this provision in the Order which says, you
know, if the current regulatory requirements are deemed to be
insufficient--now I don't know who deems them to be
insufficient but it may be the agency itself that says hey, we
believe that this is, you know, the current regulatory
requirements are insufficient, you know, within 90 days we will
publish a final of the--published final framework, we are going
to propose, you know, further coordinated actions and that
appears to me to be regulation or rulemaking.
    Mr. Fischer. Right. So to me, the question becomes whether
or not the agency currently has the authority to make those
rules and regulations. If they do have that authority, then
they may do it anyways.
    So for example, with respect to the pipeline sector and
certainly we have people who can talk to very specifically
about that, but with respect to pipelines, the TSA has the
capability of or says that it has the capability of creating
cybersecurity regulations, but they have decided that those
regulations are not needed and might in fact be
counterproductive to date. That is my understanding of what
they have said.
    So, you know, so there are examples in which they clearly--
agencies apparently have not----
    Mr. Meehan. That is left to the discretion of the agency or
are they constrained by law?
    Mr. Fischer. Well, TSA appears to have that authority under
current law.
Now whether that is true for others is hard to
say.
    So for example, I would say that, generally speaking, you
know, we certainly haven't found anything with respect to the
IT sector that would permit such things, which isn't to say
that some agency might not claim that they have it, that
authority, though.
    Mr. Meehan. All right.
    Well, thank you, Dr. Fischer.
    I now turn it to the distinguished lady from New York.
    Ms. Clarke. Thank you, Mr. Chairman.
    Just following up on the line of inquiry that our Chairman
posed to you.
    Mr. Romine, what does flexibility mean in the context of
the framework?
    Mr. Romine. I would say the primary reason for the need for
flexibility is the different sectors have very different
characteristics in the way that they operate and you have to
have a framework that is capable of recognizing that.
    In addition, the owner-operators might range from
multibillion-dollar international corporations to relatively
small regional concerns who still own and operate some portion
of what is deemed to be critical infrastructure. The
capabilities represented by those two things also mandates that
we have a flexible approach.
    Ms. Clarke. So in effect, it is addressing the nuances of
the specificity of industry and company size, what have you?
    Mr. Romine. That is right, and I think an additional point
I would make is that many of these critical infrastructures
have in place a series of protections that they have invested
in and believe are quite effective.
    We want to be sure that the framework is flexible enough to
recognize that those measures that are already being taken if
they are effective should not be replaced by something else as
a result of the framework.
So we are trying to be mindful of
that as well.
    One final point I would make is that in many cases, these
particular critical infrastructures are regulated already to
one degree or another and in some cases, very heavily
regulated, and I think the intent of this notion of regulation
review is to ensure that we harmonize the framework in a way
that recognizes the regulations that are already in place so
that we are not committing sectors to an onerous change in the
way that they do their business.
    Ms. Clarke. Very well.
    Mr. Kolasky, Dr. Fischer, how can implementation of the
framework be used to demonstrate compliance with existing
regulatory requirements? That is, sort of, I think, where Dr.
Romine was going. Is that something that you have also
recognized?
    Mr. Kolasky. Yes, it is. Let me talk about it in a couple
of terms. One of which you mentioned earlier, the incentives
work that we have done in analysis and over and over again we
heard from our private-sector partners as well as some of our
advisory councils that one potential incentive would be to
allow the cybersecurity framework to meet the information
security requirements for already-regulated industry ergo
reducing compliance costs and we think that that is something
that needs to be pursued and thought about because if you can
demonstrate you have got good cybersecurity in place you
shouldn't have to demonstrate it twice to the Government.
    Second, just to echo Dr. Romine, I think it is really
important to think about the idea of regulatory relief and are
there regulations in place that are going to impede the
adoption of the cybersecurity framework and the Executive Order
asks the regulatory agencies to think about that because we
don't want regulations that are in place that will cause people
from not adopting good positive flexible cybersecurity
solutions.
    Mr. Fischer.
I guess the only question I might have about
that would be--obviously--if to the extent you have let's say
many private-sector entities are--feel more comfortable with--
those that are regulated--feel have developed good relations
within their current regulatory environment and feel
comfortable with the like, for example the electric sector, but
others as well.
    So they are somewhat concerned if in fact they feel that
that environment will be changed to the extent that other
agencies would end up being involved say in the regulation.
    So to the extent that the current environment could be kept
stable for them, I think they would be more receptive to the
possibility of--to compliance.
    I think I will stop there.
    Ms. Clarke. Dr. Fischer, that is a very intriguing
statement you have made for me because I understand how
industry could want to remain in a stable environment but the
environment around them is changing and so to the extent, I
guess it is an evolutionary process in terms of adaptation, but
the status quo wouldn't necessarily work.
    Mr. Fischer. Well, we are--yes. So with respect to
cyberspace, the situation is somewhat different than it may be
with--in other areas.
So, you know, I often say cyberspace is
the most rapidly evolving technology space in human history,
and the technology is evolving, the threat environment is
evolving, things are changing constantly.
    I think it is widely recognized within experts in this
area, and the private-sector people have paid attention to
this, that in fact that kind of rapid evolution means that
static, particularly design-based standards, for example, have
a very limited usefulness.
    Now performance standards are usually considered to be
better but the problem with performance standards is of course
that you have to come up with what the performance criteria are
and that can be sometimes more difficult and they can sometimes
be more difficult to enforce.
    But I think that most people who have looked at this
question seriously have in fact said that well, there is
basically kind of a baseline of standards that are going to be
true no matter what, performance standards, but there has to be
the flexibility to be able to change things on a much more
rapid basis in reaction to what happens with respect to, you
know, with respect to the environment.
    Now I just want to say one more thing about that. There is
this--it has been some time ago that, right, there is this
design problem in cybersecurity that is that the cyberspace was
not designed with security in mind is often said.
    One of the reactions to that is well, what you have to do
is build security in. Now right now, I mean, everybody kind of
seems I think to agree with that, but there are two things.
    No.
1 is there is always going to be a need to add things
on because there is always going to be problems that you
couldn't possibly anticipate when you design something.
    The second point I think is that there are always or there
appear to be in the current--with the current incentive
structure with respect to cybersecurity--there appear to be,
sort of, counter incentives to building security in from the
get-go.
    Now whether those are essentially fundamental or not is
something that I don't think anybody really understands, but
that is always, you know, an issue. So to the extent that you
are going to have to add this stuff on later is a question.
    Ms. Clarke. I yield back, Mr. Chairman.
    Thank you, gentlemen.
    Mr. Meehan. I thank the gentlelady.
    Just using the prerogative of the Chairman for one second,
Dr. Fischer, you are articulating something which is at the
heart of where we, I think, appreciate and need to be sensitive
to, which is the dynamic nature of the cyber threat.
    Such that what you build today as a defense will not only
be analyzed but it will be--there are those who will spend
their time purposely trying to get around it; therefore we have
got--it is a constant state of cat and mouse, so to speak, for
lack of a better word.
    The framework itself that we are talking about is very
admirable in the sense that it creates a place for people to
begin to have a sense about what they can and should be doing,
but do we create a problem if they see the framework as a
check-the-box kind of thing that says, okay, now I am cyber
safe?
    Mr. Fischer. Right. I appreciate the question, Mr.
Chairman.
One of the criticisms that has been leveled by some
people, and I can't say to the degree to which they are
accurate about this, but one of the things that has been
leveled is that for example, by analogy with FISMA, one of the
criticisms of the Federal Information Security Management Act
has been that it has become something of a check-box exercise
where, you know, it is very process-oriented and it doesn't
really focus on the question of how you keep systems actually
safe and secure.
    Now there are obviously attempts to revise FISMA, to amend
FISMA, and also I would say the administration has been doing--
the current administration and the Bush administration as
well--have been doing things to try to actually make systems
secure and focus more on that aspect of what the law intends,
the goals of the law.
    But to the extent that the framework of, would it become a
kind of bureaucratic, you know, check list, that would be a
problem. I certainly wouldn't want to speak to how NIST and DHS
are trying to avoid having that happen, but I am sure that they
are aware of that problem as well.
    Mr. Meehan. Thank you.
    Thank you for the indulgence.
    The Chairman now recognizes the gentleman from
Pennsylvania.
    Mr. Marino. Thank you, Chairman.
    My colleague, the Chairman and of course my colleague is a
former U.S.
attorney as well--spawned a thought based on his
questioning and the question I am asking and that I am going to
follow up with a little statement is who or whom, what person
as far as general, what people, or what entities are we
focusing on because several weeks ago, Mayor Giuliani came in
and testified before the full committee, and I agreed with him
100 percent on his observations.
    He said we cannot take our eye off of the ball but we have
several balls in the air that we must be watching
simultaneously.
    We cannot take our eye off of al-Qaeda and there are those
that think that al-Qaeda is defeated and we really don't have
to worry about them anymore. I think that couldn't be any more
from the truth than anything at all.
    But then there are individuals that think we need to focus
on individual terrorists, who the leaders of the terrorist
organizations persuade some fanatic, young terrorist to do
something whether that is through propaganda or initial
contact--and by the way, you never see the terrorists who are
running the organizations strap bombs to themselves or their
families, it is always that they convince somebody else to do
it.
    But Giuliani was very specific saying we have to keep our
eye on the rogue such as the Boston terrorists and
organizations such as al-Qaeda and without tipping the cards,
what say each of you about where we are as far as watching the
whole scheme? Do you understand my question?
    Mr. Kolasky.
    Mr. Kolasky. Sure.
Thank you, Congressman Marino.
    It is a hard challenge, and that is what is so important
about the intelligence component of this and we have made a lot
of investments in trying to understand both the adversaries'
tactics and the nature of the adversary and, you know, their
incentives and what they are trying to do and we will continue
to make those investments and as we learn from that, as I
talked about earlier, one of our jobs is to get the information
out to those who are protecting the networks so they know what
to be looking for.
    This threat, unfortunately, is coming from a lot of
different places. It is coming from international, it is coming
from domestically, it is coming from the mid-level hackers in
the organized coalitions, and in criminals.
    And so because of that, we have to learn and we had to get
that information out to folks at an Unclassified level so that
they can protect their networks.
    Mr. Marino. Sure, and as you mentioned, we do have the
individual hackers, we do have the genius kid and we have, I
think, still al-Qaeda and other organizations, and we have the
Chinese. So I am just hoping that we are keeping--I am pretty
sure we are keeping our eye on each one of these entities.
    Doctor, would you please respond?
    Mr. Romine.
I would say from the framework's standpoint and
through work that NIST is doing, the threat space is very broad
and evolving as you have correctly noted and part of
Congresswoman Clarke's question, if I could amend my answer, I
would also include the evolution of the threat space as an
important component of being flexible in our response.
    I think the goal of the framework is to assist the private-sector
owners and operators to raise the bar as much as we can
in the cybersecurity space so that all of these threat vectors
are--it is much, much more difficult to cause harm to the
United States regardless of whether you are in a basement or in
a foreign country.
    Mr. Marino. Thank you, Doctor.
    Mr. Fischer. Yes. Well, I tend to--we tend to think about
different classes of potential actors with respect to threats.
So clearly as you mentioned, I mean, you have on the one hand
there is the criminal element and often they are interested in,
you know, financial gain through illegal means; basically
ordinary crime through cyber means is what it amounts to. But
increasingly, there appears to be an organized crime element
of--with respect to cyber attacks as well.
    Then there is what you might call the cyber hacktivists--
the--or--you know, sometimes there is just, sort of, you know,
the script kiddie types, you know, people who are trying to
just, you know, created an exploit of some sort. But also,
those are making some political statement.
    Then the third is would be the terrorists, the al-Qaeda
types, and the like that are more organized and have a specific
political goal and then finally the, kind of, state actors, you
know, which sometimes called the advanced, persistent threats
if you don't want to give a name to a particular country.
    But all those are going to have--those actors are going to
have different goals. They are going to have different levels
of sophistication.
I think that to the extent that the--you
know, that the framework and the other aspects of the EO and
PPD can in fact take those into account, obviously they will be
more effective.
    Mr. Marino. Gentlemen, your task is monumental and I
appreciate what you are doing for this country.
    I yield back.
    Mr. Meehan. Thank the gentleman from Pennsylvania.
    The Chairman now recognizes the distinguished former
prosecutor from Massachusetts.
    Mr. Keating. Thank you, Mr. Chairman.
    Thank you, Ranking Member Clarke, for having this important
meeting.
    Just quickly, I just want to hone in on one thing is that
as you go about the task, both with, you know, establishing the
framework around the Executive Order of the President and as
you are dealing with the National Institute responsibility of
developing a framework to secure the information, in this whole
process, is it going to be role carved out more specifically,
or at least the flexibility for universities to get more
involved and other involved Northeastern, in my own home State,
has worked very closely with some of you folks.
    But I want to just see what your view is and is there
because I think it is critically important. I think it is an
area where you have maybe information gathering and research
done that may not be biased by existing economic impacts to an
individual business although there are some.
    Also it is another important area for us not just with
Homeland Security but in terms of other Government agencies and
private agencies as well to really develop trained people which
I see as one of the major problems that we will continue to
have as people move in and out of the private-sector jobs.
    That we really need the intellectual and educational
brainpower to keep up as well. So I see the benefits of
universities being great. Could you just comment on what you
are going to do; how they have a place in this?
    Mr. Romine.
Certainly, and thank you very much for the
question.
    You are absolutely right. It is no accident that the three
working sessions or workshops that we--two that we have already
held and one that we are going to be holding are at university
venues--we had our second overall workshop was at Carnegie
Mellon University. The third one which we had last week was at
the University of California at San Diego and the next is going
to be at the University of Texas, Dallas.
    That is an attempt, an explicit attempt on our part to
engage a cross-section of the academic community as well. We
have strong relationships with many academic institutions and I
couldn't agree more.
    One of the risks that has been identified consistently in
many of our cybersecurity efforts but certainly during the
framework development with industry is industry telling us as
well that workforce--a cyber-educated workforce is a key risk
that they see--the lack of the ability to attract cybersecurity
talent.
    So, I agree with you. I think the other thing, the other
role that the universities can play is at the point where we
have identified a substantial gap whether it is in the
standards space or whether it is in the technology space,
universities are well-poised to help us in that area as well.
    Mr. Keating. Great. Well, thank you, and I would
particularly appreciate anything that you might offer to me and
the committee as a whole to tell us what we can do to try and
encourage that because I see those gaps and I see them as
becoming more and more of a problem going forward.
    So with that, I will yield back my time and I thank my
colleague also for letting me go. Thank you.
    Mr. Meehan. The Chairman now recognizes the gentleman from
Texas, Mr. Vela.
    Mr. Vela.
Yes, I have a couple more questions for the
panel.
    Section 9(b) of the Executive Order allows other Federal
agencies to share information with the Department of Homeland
Security to identify at-risk infrastructure.
    Since the Executive Order was issued in February, what has
been the nature of this inter-agency information sharing?
    Mr. Kolasky. Sure, thank you, Congressman.
    So that specific task has been met by us working with the
sectors of the critical infrastructure sectors to identify
critical infrastructure. So this has necessitated close
collaboration with the sector-specific agencies particularly
agencies like the Department of Energy, the EPA, the Department
of Transportation, and others, Health and Human Services and
others.
    So the nature of that engagement is really to understand
how these sectors come to work and to bring in private-sector
partners to have a conversation. We have focused largely in
doing that work in understanding the most critical
infrastructure in the infrastructure that can cause high
consequences so it is critical that we have the folks who
understand how those industries work, bringing them to the
table, and then we work with our industry partners to
understand if there is any nexus to cyber technologies.
    Mr. Vela. Have the Department of Defense, law enforcement,
or intelligence communities shared information with DHS under
this provision?
    Mr. Kolasky. Sure. The Department of Defense is also a
sector-specific agency.
It is the sector-specific agency for
the defense industrial base and so we work closely with them in
that regard.
    The law enforcement community and intelligence community
were involved in the discussions on the methodology and the
approach we took, but given that the approach largely focused
on understanding how systems work and consequences related to
systems failing, those are questions that are largely outside
of the sphere of the intelligence community and the law
enforcement community.
    So although they participated in the discussions, they have
not really been the focus of the information sharing.
    Mr. Vela. Mr. Kolasky, Section 9(a) requires that the
Secretary of Homeland Security in consultation with private-sector
partners and other relevant agencies identify critical
infrastructure at the greatest risk. What criteria is being
used for this purpose?
    Mr. Kolasky. Sure, sure. The Executive Order talks about
the criteria in terms of public safety and health consequences,
economic consequences, and the impact to National security.
    So as we defined that, when we are talking--and it uses the
phrase catastrophic--and we take that phrase to be a fairly
high threshold--so catastrophe is something that is very
significant to this country either at a National or regional
level.
    So as we have developed a criteria, we have looked to past
critical infrastructure efforts and we thought about economic
security and economic loss in terms of tens of billions of
dollars, significant loss of life, and negative ability for us
to project power, our military to protect power through
National security needs.
    Mr. Vela. Last week, the administration held its first
strategic economic dialogue with Chinese officials.
Administration officials cited progress in the talks while
stating that continued intellectual property theft originating
from China was unacceptable.
How does the Executive Order help
stem the loss of intellectual property? I don't know who is
best to answer that question.
    Mr. Kolasky. I think very much intellectual property theft
is one of the cybersecurity incidents that we are very
cognizant of, so our information-sharing efforts certainly take
that into account; so do our protective efforts in the work
that is being done via the framework.
    Mr. Romine. I would just add that intellectual property
loss is one of the risks that the owners and operators do face
in the critical infrastructure domain and so to that extent, it
fits into the overall risk management and risk mitigation
strategy that the framework promotes.
    Mr. Fischer. You know, I would just like to add that the
economics of cybersecurity both even with respect to the
question of what real losses are and what it means is an area
that is currently undergoing a lot of examination. A lot of
things about it aren't clear.
    It depends on the scale at which one is looking at it,
whether you are looking at it on the scale of an individual
company or the scale of a country or global scale, and from
some of the efforts I have seen, I think there is a pretty good
chance that there will be a lot of clear understanding of that
over the next year or so.
    Mr. Vela. Thank you. I yield back my time.
    Mr. Meehan. I thank the gentleman.
    I just have some closing questions. If I may, and they
really go into two areas. Let me start with one.
You know, we
have mentioned the issue of liability a number of times as we
move into this and it is sort of the back-end of incentives in
some ways because we are trying to incent our partners to step
up to the plate.
    But I also, in my experience, and of course we have work to
jointly here on this committee with ourselves and with staff
from both sides of the aisle reaching out to a cross-section of
participants in the various sectors, and the input has been
good because it really gives you a sense as to the way they see
the world why they are trying to evaluate the threat.
    But one of the concerns is a lot of folks are already
struggling with where they make commitments of resources when
it is hard to define what the impact of, you know, protective
stances is so that you could do an endless amount of investment
and not be certain how much you are increasing your security.
    Therefore, there is a concern about, you know, steps that
are being taken. What happens if we create this framework that
then is utilized as a basis for somebody to say rightly or
wrongly in litigation you should have taken some steps? Where
does it start to become a standard that becomes something that
is used?
    Dr. Fischer, do you have a thought on that?
    Mr. Fischer. Well, I just--sort of following up on a
previous question with respect to this--one of the things that
can happen with voluntary standards is that if they become a
business norm, then of course businesses that don't follow
those standards can be subject to certainly criticism and
potentially lawsuits.
    So that would certainly be something that would have to be
paid attention to.
I think that is what you are referring to
and what some critics of the framework have said with respect
to a voluntary framework becoming effectively de facto
mandatory.
    Now I should mention that, you know, with respect to the
particular legal issues, that is outside of my area of
expertise, but we do have experts on our team who can talk with
you about it.
    Mr. Meehan. All right. Thank you.
    Let me just step into one last thing so long as we are
here. The gentlelady from New York in her opening statement
identified a document that I am also in possession of and it is
called the ``DHS Incentive Study Preliminary Analysis and
Findings'', Mr. Kolasky, and of course it is as I am sure with
anything, when it is called preliminary, this represents some
of the current thinking.
    But I would like to explore if I can some of this which is
before us because it looks at the very concept of incentives
and maybe you can explain to me what the document is first and
then there are a few specific questions----
    Mr. Kolasky. That is a work product that we shared on May
21 in advance of us delivering a document to the White House on
June 12. That work product was shared broadly with our working
group in the integrated task force, which includes
representatives from industry.
    What we were trying to do there is present a look at the
research that is out there and get feedback from the owner-
operator community to help us shape our final recommendations.
So I think it is fine that you have the document because we
made it regularly--we made it widely available so we could
collect feedback so we could hone in on our recommendations and
then I am happy to talk about----
    Mr. Meehan. Well, if you can, can we walk down a couple of
things here because I know that you know, we are discussing
first the idea of a legislative proposal.
Can you indicate to
me what is meant by a legislative proposal and what is the
intention of DHS or the administration or others to introduce
new or additional legislation in the area of cybersecurity?
    Mr. Kolasky. Sure. Again, we are still, at the
administration level, we are still having conversations. DHS
issued a report. So did the Department of Treasury. So did
the Department of Commerce as well as GSA and DOD on Federal
procurement incentives and so my understanding and in talking
with administration, is those four reports that are up there
and we are now talking at the administration level, the policy
process and steps forward as you refer to in the document.
    Some of the incentives that have been recommended by
various folks along the way and incentives reports would take
legislative action and so there is a possibility that the
administration would come and talk to you all about
particularly----
    Mr. Meehan. So as you are looking into the future, but, you
know, we have been working on a bipartisan basis to try to
consider whether there are legislative steps that ought to be
taken in addition to and some argue that legislation is
necessary--legislation, we believe necessary to help you in
your job in terms of codifying the ability of DHS and then
further to give DHS the ability to be a point of importance as
we move forward.
    So in light of the fact that legislation generally begins
in the Congress, it would be very good if conversations about
legislation include us.
    Mr. Kolasky.
I think we are happy to do that and happy to
have conversations particularly on the incentives and I will
echo my opening statements that as we pointed out, we
appreciate the fact that one of the things that we hope is in
the new legislation is to codify some of DHS's roles in general
and cybersecurity and also that some of these incentives if we
think they make sense, we have to work together to put them in
place because they are outside of the authority of the
Executive branch.
    Mr. Meehan. Okay. Can I ask, there are a couple of things in
here--you talk about insurance, removed as an independent
category of incentives and we are going to put it into the
cybersecurity act. What steps are being considered with
respect to insurance?
    Mr. Kolasky. So what we said in our incentives report is we
are very much in favor of the evolution of the cyber insurance
market. We think that a lot of progress has been made
independent of Government action to create a cyber insurance
market and we hope that that will continue. The best incentives
are market-based incentives.
    In terms of if you are thinking about--and what that refers
to--if you are thinking about any liability protections of that
need to be put in place, we have to think carefully as you have
talked about, Congressman Meehan, we have to think carefully
about not creating liability protections that incent bad
behavior and that any liability protections may have to be tied
with insurance requirements.
    Mr. Meehan. Well, since insurance is generally a market-
based thing, what is the legislative aspect that relates to
insurance?
    Mr. Kolasky. We do not recommend any legislative aspects
related to insurance. We think that the Government has
convening power to promote the insurance market, but----
    Mr. Meehan.
I am only saying final incentive category--I am
reading the document--remove as independent category, include
in cybersecurity act, which I am presuming is the legislation.
    Mr. Kolasky. That was an acronym that was created. We do
not recommend that specifically in our----
    Mr. Meehan. Would that be the same thing for liability
considerations and legal benefits? I mean, those are two and so
is there I guess I would ask liability considerations--is there
some discussion of legislation that would deal with liability?
    Mr. Kolasky. Not that I am aware of at DHS.
    Mr. Meehan. And legal benefits. I am just, again, coming
from the document. Do you understand what that might refer to
in any specific sense?
    Mr. Kolasky. Sure. Other legal benefits could be things
like antitrust protections, which obviously is something
that----
    Mr. Meehan. Right. FOIA?
    Mr. Kolasky. It could be another legal benefit, and again,
the document that you are looking at is a review of incentives
that are available, not a review of our recommended incentives.
    Mr. Meehan. Well, do you have recommended incentives? Are
you going to make recommendations in these particular areas?
    Mr. Kolasky. We have made general recommendations pending
the creation of the cybersecurity framework. As I said, our
recommendations were done in coordination with Treasury and
Commerce but are independent of each other and the
administration is considering all of those and all of us will
work together to chart a path forward.
    Mr. Meehan. Okay. Let me just ask one then. I am sorry for
overrunning my time, but I want to work with this document. If
I could ask just one last question. Just the--tell me where you
are on the expedited security clearance process because this
seems to suggest that you are going to remove that incentive,
that there is a sense that this is moving along at an
appropriate enough pace.
    Mr. Kolasky. Yes.
We do not believe that that is an
incentive. We believe that should be done on a need-to-know
basis and that we should work with owners and operators.
    We should not attach that to the cybersecurity framework
but instead, work with owners and operators to identify
critical infrastructure and individuals within critical
infrastructure owner and operators companies who have the need
to get Classified cyber threat information; at the 150-day mark
we deliver to the administration, update on DHS's program to
get private-sector individuals clearances, and improvements and
enhancements----
    Mr. Meehan. You know, because that is the thing that I hear
again and again and again and you are a little bit better than
another agency we hear frequently about but it--you know, we
get asked for all kinds of information to be dumped into the
Government and then we never hear anything again.
    Mr. Kolasky. We have made a lot of progress since February,
but in doing so, we wanted it to be measured progress related
to Congressman Marino's question to make sure we aren't giving
clearances to people who don't need clearances.
    Mr. Meehan. Okay. I thank you for your testimony.
    Does the gentlelady have any follow-up questions?
    Ms. Clarke. No, I am fine.
    Mr. Meehan. Okay.
    Well, I want to express my deep appreciation for your
testimony today. The witnesses' testimony has been very
valuable to us. There may be possible questions from some of
the other Members of the committee and if in fact there are and
they are forwarded to you, I ask that you would do your best to
respond in writing.
    So without objection, the subcommittee stands adjourned.
    [Whereupon, at 11:41 a.m., the subcommittee was adjourned.]

                                 <all>

</pre></body></html>
"