b"<html>\n<title> - ASSESSING PERSISTENT AND EMERGING CYBER THREATS TO THE U.S. IN THE HOMELAND</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n               ASSESSING PERSISTENT AND EMERGING CYBER \n                THREATS TO THE U.S. IN THE HOMELAND\n=======================================================================\n\n\n\n                             JOINT HEARING\n\n                               before the\n\n                    SUBCOMMITTEE ON COUNTERTERRORISM\n\n                            AND INTELLIGENCE\n\n                                and the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n\n                       INFRASTRUCTURE PROTECTION,\n\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 21, 2014\n\n                               __________\n\n                           Serial No. 113-69\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n89-764                    WASHINGTON : 2014\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Filemon Vela, Texas\nLou Barletta, Pennsylvania           Eric Swalwell, California\nRichard Hudson, North Carolina       Vacancy\nSteve Daines, Montana                Vacancy\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\nVacancy\n                   Brendan P. Shields, Staff Director\n          Michael Geffroy, Deputy Staff Director/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n         I. Lanier Avant, Minority Subcommittee Staff Director\n                                 ------                                \n\n           SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE\n\n                   Peter T. King, New York, Chairman\nPaul C. Broun, Georgia               Brian Higgins, New York\nPatrick Meehan, Pennsylvania, Vice   Loretta Sanchez, California\n    Chair                            William R. Keating, Massachusetts\nJason Chaffetz, Utah                 Bennie G. 
Thompson, Mississippi \nVacancy                                  (ex officio)\nMichael T. McCaul, Texas (ex \n    officio)\n               Mandy Bowers, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n            Hope Goins, Minority Subcommittee Staff Director\n\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                 Patrick Meehan, Pennsylvania, Chairman\nMike Rogers, Alabama                 Yvette D. Clarke, New York\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nJason Chaffetz, Utah                 Filemon Vela, Texas\nSteve Daines, Montana                Vacancy\nScott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi \n    Chair                                (ex officio)\nMichael T. McCaul, Texas (ex \n    officio)\n               Alex Manning, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Peter T. King, a Representative in Congress From \n  the State of New York, and Chairman, Subcommittee on \n  Counterterrorism and Intelligence\nThe Honorable Brian Higgins, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Counterterrorism and Intelligence:\n  Oral Statement\n  Prepared Statement
\nThe Honorable Patrick Meehan, a Representative in Congress From \n  the State of Pennsylvania, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement\n  Prepared Statement\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Prepared Statement\n\n                               Witnesses\n\nMr. Glenn Lemons, Senior Intelligence Officer, Cyber Intelligence \n  Analysis Division, Office of Intelligence and Analysis, U.S. \n  Department of Homeland Security\nMr. Joseph Demarest, Assistant Director, Cyber Division, Federal \n  Bureau of Investigation:\n  Oral Statement\n  Prepared Statement\nMr. Larry Zelvin, Director, National Cybersecurity and \n  Communications Integration Center, National Protection and \n  Programs Directorate, U.S. Department of Homeland Security:\n  Oral Statement\n  Prepared Statement\n\n\n  ASSESSING PERSISTENT AND EMERGING CYBER THREATS TO THE U.S. IN THE \n                                HOMELAND\n\n                              ----------                              \n\n\n                        Wednesday, May 21, 2014\n\n     U.S. 
House of Representatives,        \n      Committee on Homeland Security,      \n      Subcommittee on Counterterrorism and \n                          Intelligence, and\n     Subcommittee on Cybersecurity, Infrastructure \n             Protection, and Security Technologies,\n                                            Washington, DC.\n    The subcommittees met, pursuant to call, at 10:04 a.m., in \nRoom 311, Cannon House Office Building, Hon. Peter T. King \n[Chairman of the Subcommittee on Counterterrorism and \nIntelligence] presiding.\n    Present: Representatives King, Broun, Meehan, Perry, \nClarke, Higgins, and Vela.\n    Mr. King. Good morning. The Committee on Homeland Security, \nSubcommittee on Counterterrorism and Intelligence, and the \nSubcommittee--chaired by Mr. Meehan--on Cybersecurity, \nInfrastructure Protection, and Security Technologies will come \nto order.\n    The subcommittees are meeting today to hear testimony \nexamining persistent and emerging cyber threats to the United \nStates. It is particularly fortuitous or appropriate that we \nhold this hearing in view of the fact that just the other day \nthe Justice Department announced indictments of several Chinese \nArmy officials for their role in violating cybersecurity. \nAgain, this hearing had been scheduled for several weeks. \nRanking Member Higgins and I have been working on this for \nquite a while now. But again I think the fact that we are \nholding it this week is particularly appropriate.\n    Due to the sensitivity of today's hearing, the \nsubcommittees will enter a closed portion with the witnesses to \ndiscuss Classified and sensitive matters, and I ask unanimous \nconsent that at the appropriate time the subcommittees recess \nand reconvene in closed session in the committee's secure \nspace. 
Without objection, so ordered.\n    I will now recognize myself for an opening statement.\n    The expanding number of cyber actors, ranging from nation-\nstates to terrorists to criminals, as well as increasing attack \ncapability and the increasing intensity of cyber attacks around \nthe globe, have made cyber warfare and cyber crime one of the \nmost significant threats facing the United States. This week \nthe Department of Justice unsealed an indictment against five \nChinese individuals working for the Chinese military for \nhacking into multiple private-sector U.S. businesses to steal \ntheir sensitive proprietary information. Additionally, this \nweek the FBI and international law enforcement arrested over \n100 people for using malicious software called Blackshades, \nwhich is used remotely to take over a computer, turn on the web \ncam, and access passwords and other information without the \nowner's knowledge.\n    I am encouraged by the DOJ indictment and the recent law \nenforcement operation. I hope it is a signal of more aggressive \nU.S. actions to address the cyber threat as we move forward, \nbecause this threat is not going away. Cyber attacks have \neconomic consequences, harm our National security, and could be \nused to carry out attacks on the U.S. homeland.\n    Over the last decade the threats facing the United States \nhave become more diverse, as have the tools for conducting \nattacks and waging war. While the United States has made great \nstrides to secure the homeland since 9/11, our enemies have \nevolved, and we must now consider that a foreign adversary, \nterrorist network, or a criminal organization will use \ncyberspace to penetrate America's defenses.\n    Director of National Intelligence James Clapper featured \nthe cyber threat prominently in his annual threat update to \nCongress this year. Along with other U.S. 
officials, he painted \na sobering picture of the potential fallout from a cyber \nattack.\n    Nation-states comprise the most capable cyber actors around \nthe globe. Countries such as Russia, China, and Iran have \ndemonstrated a willingness to use cyber space to steal our \nmilitary secrets, target our critical infrastructure, and even \nattack our free press and financial sector. Each has invested a \ngreat deal in cyber defenses and offensive capabilities, and \nsome have even used cyber attacks as a proxy in a physical \nmilitary confrontation. Many experts have suggested that \nRussian actors engaged in offensive attacks in Estonia to \nsupport military forces during their 2008 invasion of Georgia \nand again during the recent annexation of Crimea.\n    In addition to the threat from foreign powers, American \ncitizens and companies lose billions from organized cyber crime \nevery year. Traditional criminal networks have wasted no time \nin developing their on-line tradecraft to scam, steal, and \ndestroy valuable data. The recent data breach at Target is a \ngreat example of exactly how far-reaching and sophisticated \nthese operations are. Department of Homeland Security plays a \nmajor role in helping private companies keep their networks \nsecure, and this will only become more important in years to \ncome.\n    Finally, we are accustomed to think of the physical damage \ncaused by terrorist networks to life and property. We must now \nbe prepared to defend against groups like al-Qaeda using \nincreasingly sophisticated cyber attacks and cyber crimes to \ntheir advantage. For many years we have also seen these groups \nand violent Islamist extremists use the internet to \ncommunicate, radicalize, and spread their hate.\n    Today we will hear about these issues from witnesses \nprovided by the FBI and DHS. 
I am pleased that we will begin \nthis hearing in an open session and subsequently move into a \nclosed, executive session.\n    I am particularly pleased that Chairman Pat Meehan is here \ntoday and that his subcommittee is engaged in this hearing, \nbecause he, along with Chairman McCaul, have led this \ncommittee's efforts to enact serious cybersecurity legislation. \nWith the support of the private sector and privacy advocates, \ntheir bill was passed unanimously out of this committee. It is \na testament to their hard work; also to the importance of the \nissues. I am really privileged to have Pat working with us here \ntoday.\n    I welcome those on the front line of the issue and I look \nforward to their testimony.\n    I now recognize the Ranking Minority Member of the \nSubcommittee on Counterterrorism and Intelligence, the \ngentleman from New York, Mr. Higgins, for any statement he may \nhave.\n    Mr. Higgins. I would like to thank the Chairman for holding \nthis hearing, and in deference to the Chairman and our guests \ntoday, I will submit my opening statement for the record so we \ncan get right to it.\n    [The statement of Mr. Higgins follows:]\n               Statement of Ranking Member Brian Higgins\n                              May 21, 2014\n    I would like to thank the Chairman for holding today's hearing. I \nlook forward to hearing the testimony of our witnesses as the committee \ncontinues to expand our interests and understanding of the current and \nevolving cyber threats. I have gone on record before to state that \ncyber threats know no limits and have no boundaries. 
As a Member \nrepresenting the Buffalo and Niagara region, I dedicate a significant \namount of my time and interests to issues related to border security \nand the facilitation of commerce.\n    However, I understand the threats to our country and our way of \nlife are not limited to the reach of planes, trains, and automobiles, \nand also that these threats cannot be contained by Congressional \ndistricts. As technology continues to mature and our on-line world \ncontinues to grow, the threats and the means to carry out those threats \ngrow as well. For the second consecutive year, the director of national \nintelligence, James Clapper has designated cybersecurity as the top \nglobal threat. Also, the No. 2 global threat for the United States on \nthis same list is related to concerns of espionage.\n    As a reflection of the growing espionage cyber threats, on Monday, \nfor the first time in U.S. history, the Department of Justice issued \nindictments related to cybersecurity against foreign state actors. \nPursuant to that indictment, five members of the Chinese military were \ncharged with a total of 155 counts of crimes related to computer \nhacking, economic espionage, and other offenses related to \ncybersecurity. I believe this indictment sends a strong message for \nstate-actors that the United States will not be intimidated by cyber \nhackers and we will remain vigilant against attempts against cyber \nespionage. While I understand that the unprecedented nature of this \nindictment has and will continue to interest Members of this committee \nand Congress as a whole, I will refrain from interfering with the on-\ngoing judicial process.\n    However, I would request that as information can be shared with us, \nour witnesses will return to brief Members of this committee in the \nappropriate setting. 
America's economic prosperity depends on \ncybersecurity, and that is why we need effective oversight and robust \ncyber legislation that includes strategic initiatives, including \npublic-private partnerships that protect our Nation from hackers, \nnefarious state actors, and foreign intelligence services from \ncountries such as China.\n    While I understand that it would be inappropriate for our witnesses \nto go into detail about specific cyber threats in this open setting; \nwhen possible, I believe an open discussion of the threats that we do \nknow about, the technologies being used, and massive vulnerabilities \ncan be helpful to the American public. It is clear to everyone that our \ndependence on technology is growing exponentially by the day.\n    Therefore our Nation depends on us, both Congress and Federal \nagencies and departments, to have a robust, comprehensive set of \ncybersecurity policies and procedures in place. Therefore, we must not \nonly examine the threat, but also protect critical infrastructure and \nsafeguard our personal and financial information, while promoting \nresearch and development to ensure that we have the proper protocols in \nplace.\n\n    Mr. King. The Ranking Member yields back.\n    Chairman Meehan.\n    Mr. Meehan. I thank the Ranking Member for yielding, and I \nthank the Chairman for sharing the opportunity to collaborate \non, as Chairman King said, this very, very important issue. I \nwant to thank everybody for attending this important hearing.\n    This is the latest in a series of hearings the Subcommittee \non Cybersecurity, Infrastructure Protection, and Security \nTechnologies has held examining the threat to our computer \nnetworks and what the U.S. Government is doing to mitigate and \nrespond to that threat. The threat of cyber attack is real, and \nit is a growing menace in American security and prosperity. 
\nOver the past year alone we have seen Iranian hackers disrupt \nthe computer systems of Saudi energy company Aramco in an \nattempt to take down the American financial sector. We have \nalso seen criminals attack some of the icons of our retail \nsector, compromising the personal information of over 100 \nmillion customers. Just this week the Department of Justice \nannounced indictments against five Chinese military operatives \nfor hacking into U.S. companies to steal proprietary \ninformation.\n    Last month I had the opportunity to travel to China with a \nnumber of my colleagues, including House Majority Leader Eric \nCantor, and we met with a number of China's most senior \nleaders, up to and including the Premier, and we specifically \nraised concerns about state-sponsored industrial espionage and \nthe importance of protecting and respecting intellectual \nproperty and the trade secrets of American businesses. China \nhas a responsibility to adhere to international law, a \nresponsibility it has repeatedly failed to acknowledge.\n    The response we received from Chinese officials where we \nraised these concerns was disciplined. The Chinese refused to \nadmit that they condoned or supported their state-sponsored \ncorporate espionage, and they refused to concede that American \nbusinesses were routinely targeted by Chinese hackers for \nintrusion.\n    In addition to state-sponsored and criminal organizations, \nideologically motivated actors, including terrorist groups and \nactivists, use the internet to attack us and to finance their \nillicit activities. 
As the 2014 report by the cybersecurity \nfirm Mandiant states, threat actors are not just interested in \nseizing the corporate crown jewels, but are also looking for \nways to publicize their views, to cause physical destruction, \nand to influence global decision makers.\n    Defending against and responding to these attacks has a \nreal cost, and the cost is primarily borne by the American \nprivate sector. Companies spend hundreds of millions of dollars \nper year defending their networks. At a hearing we held last \nmonth in Philadelphia, just an area community bank testified \nthat they had to spend a million dollars a year--this is a \nsmall community bank--on its cybersecurity efforts, and they \nsuggested they could spend much more.\n    Attacks that cause business disruptions cost companies an \naverage of nearly $300,000 each to mitigate the damage, and \ncertainly it can be significantly higher where there is real \ndamage, and companies that have lost untold amounts of \nintellectual property have found themselves at a competitive \ndisadvantage with their global competitors. Identity theft \nalone costs U.S. banks, retailers, and consumers roughly $780 \nmillion a year, and as the Chairman himself said, literally \nbillions of dollars in value associated with stolen \nintellectual property.\n    All of these losses directly contribute to job losses, \nmissed business opportunities, and American companies at a \ncompetitive disadvantage on the world stage. The question then \nbecomes: How do we respond to this?\n    First, we must ensure that our Federal agencies have \ndefined roles and are coordinating with each other and the \nprivate sector to share threat information. We must also crack \ndown on the perpetrators of these attacks by arresting \nmalicious hackers and pressuring other countries to do the \nsame. 
It is especially true in China and Eastern Europe, where \nthese companies' spies and criminals hide.\n    The indictments of the Chinese military hackers and the \narrest of over 100 hackers linked to the malicious software \ncalled Blackshades are a good start, but there is more work to \ndo. Importantly, we in Congress need to continue to study this \nthreat and to understand who the adversaries are, what they \nwant, where they live, and what they are capable of doing.\n    I want to thank each of the members of this panel who are \nbefore us today for their work in this area, and we look \nforward to your testimony both in here and in the closed \nhearings to better understand and to better continue to educate \nnot only our colleagues, but the American people on this very, \nvery important and challenging issue. I thank Chairman King for \nthe opportunity to share it with him.\n    I yield back.\n    Mr. King. Thank you, Chairman Meehan.\n    Other Members of the committee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Mr. Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                              May 21, 2014\n    This hearing is timed only days after the Department of Justice \nannounced indictments against five Chinese military officials for \nconducting cyber espionage against U.S. industries related to nuclear \npower and solar and metal products. I understand the investigative role \nof the FBI in this investigation and that our judicial process limits \nthe information which can be shared at such a critical point in this \nprocess. 
Therefore, I look forward to working with all of our witnesses \nto discuss and review this case at the appropriate time.\n    During this Congress and in previous Congresses, I have maintained \nand expanded this committee's cybersecurity jurisdiction by conducting \neffective oversight and offering both responsive and responsible \nlegislation. I continue to be encouraged as DHS assumes its role as the \nprimary agency charged with securing Federal Government systems from \ncyber attacks, while working with other agencies to collect \ninformation, analyze threats, and respond accordingly.\n    It is important for DHS to continue to make progress in addressing \none of the greatest homeland security challenges of our day--how to \nhelp Government agencies and private-sector infrastructure owners and \noperators protect critical infrastructure from cyber threats.\n    Too often when we discuss cyber threats or cybersecurity, we group \nall bad actors into the same category. Today, our witnesses should \nexplain not only the on-going threats, but also distinguish the threat \nactors. Specifically, I am interested in hearing about the organized \ncrime groups and their efforts to target financial service sectors, \nterrorist groups' use of on-line networks to recruit and organize \nattack efforts, and foreign governments with an interest in obtaining \ndata and information from Government agencies and major manufacturers, \nincluding those with defense contracts.\n    I would also like to hear how the witnesses and their agencies \nmanage and analyze the volumes of open-source information and postings \nthat can be found on various social networking websites.\n    I have gone on record several times to emphasize social media as an \nintegral tool in recognizing and preventing emerging threats, but \nwarning that a balance must be created to manage this information. 
We \nmust still heed that warning and make our Federal security regime as \neffective as possible.\n\n    Mr. King. Now I am pleased to introduce the distinguished \npanel that we have here today.\n    Mr. Glenn Lemons is the senior intelligence officer for the \nCyber Intelligence Analysis Division in Homeland Security's \nOffice of Intelligence and Analysis. His responsibilities \ninclude providing all-source cyber intelligence support for DHS \nsenior personnel and owners and operators of critical \ninfrastructure. Additionally, he manages and leads a diverse \ncyber workforce that, in coordination with the National \nProtection and Programs Directorate, provides operational \nintelligence support to our Nation's 16 critical infrastructure \npartners and all applicable State, local, territorial, Tribal, \nand private-sector entities.\n    Mr. Joseph Demarest is the assistant director of the Cyber \nDivision at the Federal Bureau of Investigation. The FBI helps \nlead the National effort to investigate high-tech crimes, \nincluding cyber-based terrorism, espionage, computer \nintrusions, and cyber fraud. Joe Demarest has been with the FBI \nfor more than a quarter of a century, and I had the personal \nprivilege of seeing him operate first-hand when he headed the \nJoint Terrorism Task Force in New York and later as the \nassistant director in charge, where he did a truly outstanding \njob in coordinating efforts against terrorism in the New York \nCity, Long Island, New York area.\n    So, Joe Demarest, it is great to see you here today. Thank \nyou.\n    Larry Zelvin is the director of National Cybersecurity and \nCommunications Integration Center at the Department of Homeland \nSecurity--easier to say NCCIC. It is comprised of several \ncomponents, including the U.S. Computer Emergency Readiness \nTeam, the National Coordination Center for Telecommunications, \nthe Industrial Control Systems Cyber Emergency Response Team, \nand a 24/7 operations center. Mr. 
Zelvin is a retired U.S. Navy \ncaptain and naval aviator with 26 years of active service.\n    I want to thank all of you for appearing here today, and \nlet you know that your written testimony is being submitted for \nthe record. I will now recognize Mr. Lemons for 5 minutes for \nhis testimony.\n    Mr. Lemons.\n\n STATEMENT OF GLENN LEMONS, SENIOR INTELLIGENCE OFFICER, CYBER \n  INTELLIGENCE ANALYSIS DIVISION, OFFICE OF INTELLIGENCE AND \n         ANALYSIS, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Lemons. Thank you, sir.\n    Chairman King, Chairman Meehan, Ranking Member Higgins, and \ndistinguished Members of the committee, I am pleased to be here \ntoday to discuss the continued threat to the homeland from \nmalicious cyber actors and the Office of Intelligence and \nAnalysis role in assessing these threats.\n    Cyber intrusions into critical infrastructure and \nGovernment networks are increasing in sophistication and \nseriousness. Although the persistent cyber threat to the \nhomeland remains theft of data and espionage, the complexity of \nemerging threat capabilities, the inextricable link between \nphysical and cyber domains, and a diversity of cyber actors \npresent challenges to DHS and all of our customers.\n    With the private sector owning and operating over 85 \npercent of our Nation's critical infrastructure, information \nsharing becomes especially important between public and private \nsector. Malicious cyber actors who target the homeland include \nnation-states, cyber criminals, criminal hackers, asymmetric \nactors, to include terrorists, with the insidious and/or \nunwitting insider presenting unique cybersecurity concerns that \ncan magnify any threat.\n    Nation-states aggressively target and gain persistent \naccess to public and private-sector networks to exploit and \nsteal massive quantities of data. 
Given the increasing world \nview of cyber space as a domain of warfare, we cannot discount \nthat adversaries currently support planning for contingencies \nby mapping and evaluating U.S. networks and infrastructure. \nCyber criminals are largely motivated by profit and are \nextremely capable, representing a long-term global and common \nthreat. We see sophisticated financial criminals in many \ncountries throughout the world.\n    Criminal hackers are politically or ideologically motivated \nand target for publicity, which can result in high-profile \noperations in both, but often with limited effectiveness. The \nMay 2000 Middle East and North Africa-based hacker campaign \nknown as OpUSA showed the group's desire for media attention, \ndespite its lack of capability to disrupt websites of U.S. \nGovernment, financial, and commercial entities.\n    Asymmetrical actors, to include terrorists, primarily use \nthe internet for on-line recruitment, communication, \npropaganda, and research. While limited by persistent \ncounterterrorism pressures and difficulty in recruiting \nexperts, we believe they will continue to seek cyber targets of \nopportunity. Therefore, despite the low probability of a \ndestructive terrorist cyber attack occurring, such an event may \nhave a high-profile impact, even if unsuccessful. Success in \nthis case may be determined by press coverage by its \ndestructive network activity.\n    The outlook of these threats is that malicious cyber \nactivity targeting Government and private-sector networks can \nresult in intentional and in some cases unintentional \nconsequences which can threaten National and economic security, \ncritical infrastructure, as well as public health and welfare. 
\nIt is reasonable to assess both disruptive and possibly \ndestructive cyber activity are the goals of malicious cyber \nactors who target our Nation's critical infrastructure in an \neffort to cause harm.\n    I&A has an important role in supporting the Department in \ncarrying out its cyber responsibilities by assessing these \nemerging threats and ensuring both public and private sector \nare made aware of them through robust information sharing. The \nI&A support for public and private-sector owners and operators \nis multidimensional. Since the implementation of Executive \nOrder 13636, which charges the Department to increase the \nvalue, the quantity, and quality of Unclassified cyber threat \nreporting, DHS I&A has increased Unclassified cyber outreach by \n382 percent from fiscal year 2012 to 2013, and for 2014 we are \non a trajectory to bypass last year's numbers. These activities \nare in addition to our regularly scheduled Unclassified and \nClassified production, and weekly, monthly, and quarterly \nsecurity engagements.\n    Additionally, we are partnering with State and local fusion \ncenters to deconflict production, solicit requirements, and \nparticipate in joint production opportunities. These are just \nsome of our efforts to increase threat awareness, decrease \nduplicative reporting, and align priorities.\n    Thank you for providing me the opportunity to speak with \nyou today about these important issues. I look forward to your \nquestions both here and in the follow-on Classified session.\n    Mr. King. Thank you for your testimony, Mr. Lemons.\n    Now I am pleased to recognize Mr. Demarest.\n\n    STATEMENT OF JOSEPH DEMAREST, ASSISTANT DIRECTOR, CYBER \n           DIVISION, FEDERAL BUREAU OF INVESTIGATION\n\n    Mr. Demarest. Good morning, Chairmen King, Meehan, and \nRanking Member Higgins, and distinguished Members. 
I am pleased \nto appear before you today to discuss the cyber threats facing \nour Nation and how the FBI and our partners, most importantly \nDHS and a broad band of others domestically and abroad, what we \nare doing together to protect the United States.\n    Today's FBI is a threat-focused, intelligence-driven \norganization. Just as our adversaries continue to evolve, so, \ntoo, must the FBI. We live in a time of acute and persistent \nterrorist, state-sponsored, and criminal threats to our \nNational security, our economy, and our communities. These \ndiverse threats facing our Nation and our neighborhoods \nunderscore the complexity and breadth of the FBI's mission \ntoday.\n    The United States faces cyber threats from state-sponsored \nhackers, hackers for hire, global cyber criminal syndicates, \nand terrorists. They seek our trade and state secrets, our \ntechnology, our personal and financial information, and our \nideas, all of which are of incredible value to us here in the \nUnited States. Given the scope of the cyber threat, agencies \nacross the Federal Government are making cybersecurity \nobviously a top priority. Within the FBI we are prioritizing \nhigh-level intrusions. The biggest and most dangerous botnets, \ncriminal forums, state-sponsored hackers, and global cyber \ncriminal syndicates are our priorities. We want to predict and \nprevent attacks and get to the position where we can, rather \nthan simply react to after the fact.\n    FBI agents, analysts, and computer scientists are using \ntechnological capabilities and traditional investigative \ntechniques to fight cyber crime today. We are working side-by-\nside with our Federal, State, and local partners on cyber task \nforces in each of our 56 field offices and through the National \nCyber Investigative Joint Task Force in Chantilly, Virginia. 
\nThrough our 24/7 cyber command center, CyWatch, we combine the \nresources of the FBI and the NCIJTF, allowing us to provide \nconnectivity to the other Federal cyber centers, NCCIC being \nchief among them, Government agencies, FBI field offices, legal \nattaches, and the private sector in the event of a cyber event.\n    As the committee is well aware, the frequency and impact of \ncyber attacks on our Nation's private sector and Government \nnetworks have increased dramatically in the past decade and are \nexpected to grow exponentially. The FBI and our partners have \nhad multiple recent investigative successes against the threat \nand we are continuing to push ourselves to respond more rapidly \nto prevent attacks before they occur.\n    On Monday the Western District of Pennsylvania unsealed an \nindictment naming five members of the People's Liberation Army \nof the People's Republic of China on 31 counts, including \nconspiring to commit computer fraud, accessing a computer \nwithout authorization for the purpose of commercial advantage \nand private financial gain, damaging computers through the \ntransmission of code and commands, aggravated identity theft, \neconomic espionage, and theft of trade secrets. Each of the \ndefendants provided his individual expertise to a conspiracy to \npenetrate the computer networks of six U.S. companies while \nthose companies were engaged in negotiations or joint ventures \nwith or were pursuing legal action against state-owned \nenterprises in China. This marks the first time criminal \ncharges have been filed against known state actors for hacking.\n    Also on Monday the FBI announced a world-wide operation \nagainst those individuals who created and purchased malware \nknown as Blackshades. This operation involved 18 countries. \nMore than 90 arrests have been made so far, and more than 300 \nsearches have been conducted around the world in support of the \noperation. 
Blackshades products were offered on their website. \nTheir products include Blackshades Remote Access Tool and \nBlackshades Password Recovery, to name just a few.\n    The most popular product was the Blackshades Remote Access \nTool. The tool contained a key logger feature that allowed \nusers to record each key the victim typed on their computer \nkeyboards. To help users steal a victim's password and other \nlog-on credentials, the tool also had a form-grabber feature \nwhich automatically captured log-on information that victims \nentered into the forms on their infected computers. The tool \nalso provided its users with complete access to all the files \ncontained on a victim's computer. A tool user could use this \naccess to view or download photographs, documents, or other \nfiles on the victim's computer. Further, the tool enabled users \nto encrypt or lock a victim's files and demand ransom payment \nto unlock them, much like ransomware. The tool even came with a \nprepared script to demand such a ransom. As you can imagine, \nthis tool alone poses a significant threat to individual \nvictims across the United States and certainly around the \nworld.\n    These successes are just the beginning. The FBI has \nredoubled its efforts to strengthen our cyber capabilities \ninternally. The FBI's Next Generation Cyber Initiative, which \nwe launched in 2012, included a wide range of developments, \nlike establishing the cyber task forces throughout each of our \nfield offices; also focusing on cyber intrusion or intrusion \ninvestigations. We have also hired additional computer \nscientists to assist in the technical investigations in the \nfield and at headquarters; and then certainly expanded our \npartnerships to enhance collaboration through the NCIJTF and \nwithin the U.S. Government.\n    The NCIJTF, which serves as a coordination, integration, \nand information-sharing center among 19 U.S. 
agencies and our \nFive Eyes partners for cyber threat investigations has provided \nunprecedented coordination. This coordination involves senior \npersonnel at key agencies. NCIJTF, which is led by the FBI, has \ndeputy directors from the NSA, DHS, CIA, U.S. Secret Service, \nand U.S. Cyber Command.\n    In addition to strengthening our partnerships in Government \nand law enforcement, we recognize that to effectively combat \nthe cyber threat we must significantly enhance our cooperation \nwith the private sector, which we are doing through our \nInfraGard program; our DSAC program as well. We recognize that \nunderstanding the cyber threat is critical to effectively \ncombatting that, and the private sector is a key ingredient. As \npart of our enhanced private-sector outreach, we have begun to \nprovide industry partners with Classified threat briefings and \nindicators in advance of attacks that we are knowledgeable of.\n    In conclusion, sir, to counter the threats we face today, \nwe are engaging in an unprecedented level of collaboration \nwithin the U.S. Government, with the private sector, and with \nour international partners. We are grateful for the committee's \ncontinued support and look forward to working with you and \nexpanding our partnerships as we determine a successful course \nforward for this Nation to defeat the cyber adversaries we face \ntoday. Thank you again, sir.\n    [The prepared statement of Mr. Demarest follows:]\n                 Prepared Statement of Joseph Demarest\n                              May 21, 2014\n    Good morning Chairmen Meehan and King and Ranking Members Clarke \nand Higgins. I'm pleased to appear before you today to discuss the \ncyber threats facing our Nation and how the FBI and our partners are \nworking together to protect the United States Government and private-\nsector networks.\n    Today's FBI is a threat-focused, intelligence-driven organization. 
\nEach employee of the FBI understands the key threats facing our Nation \nand we must constantly strive to be more efficient and more effective. \nJust as our adversaries continue to evolve, so, too, must the FBI. We \nlive in a time of acute and persistent terrorist, state-sponsored, and \ncriminal threats to our National security, our economy, and our \ncommunities. These diverse threats facing our Nation and our \nneighborhoods underscore the complexity and breadth of the FBI's \nmission.\n    We remain focused on defending the United States against terrorism, \nforeign intelligence, and cyber threats; upholding and enforcing the \ncriminal laws of the United States; protecting civil rights and civil \nliberties; and providing leadership and criminal justice services to \nFederal, State, local, and international agencies and partners.\n                    the cyber threat & fbi response\n    The United States faces cyber threats from state-sponsored hackers, \nhackers for hire, global cyber syndicates, and terrorists. They seek \nour state secrets, our trade secrets, our technology, our personal and \nfinancial information, and our ideas, all of which are of incredible \nvalue to all of us. They may seek to strike our critical infrastructure \nand our economy.\n    Given the scope of the cyber threat, agencies across the Federal \nGovernment are making cybersecurity a top priority. Within the FBI, we \nare prioritizing high-level intrusions--the biggest and most dangerous \nbotnets, state-sponsored hackers, and global cyber syndicates. We want \nto predict and prevent attacks, rather than simply react after the \nfact.\n    FBI agents, analysts, and computer scientists are using technical \ncapabilities and traditional investigative techniques, such as sources \nand communication intercepts, as well as forensics, to fight cyber \ncrime. 
We are working side-by-side with our Federal, State, and local \npartners on Cyber Task Forces in each of our 56 field offices and \nthrough the National Cyber Investigative Joint Task Force (NCIJTF). \nThrough our 24/7 cyber command center, CyWatch, we combine the \nresources of the FBI and NCIJTF, allowing us to provide connectivity to \nFederal cyber centers, Government agencies, FBI field offices and legal \nattaches, and the private sector in the event of a cyber intrusion.\n    We also work with the private sector through partnerships such as \nthe Domestic Security Alliance Council, InfraGard, and the National \nCyber Forensics and Training Alliance. The FBI is training our State \nand local counterparts to triage local cyber matters, so that we can \nfocus on the most pressing issues with National impact.\n    In addition, our Legal Attache offices overseas work to coordinate \ncyber investigations and address jurisdictional hurdles and differences \nin the law from country to country. We are supporting partners at \nInterpol and The Hague as they work to establish international cyber \ncrime centers. We continue to assess other locations to ensure that our \ncyber personnel are in the most appropriate locations across the globe.\n    We know that to be successful in the fight against cyber crime, we \nmust continue to recruit, develop, and retain a highly-skilled \nworkforce. 
To that end, we have developed a number of creative staffing \nprograms and collaborative partnerships with private industry to ensure \nthat over the long term we remain focused on our most vital resource, \nour people.\n    As the committee is well aware, the frequency and impact of cyber \nattacks on our Nation's private sector and Government networks have \nincreased dramatically in the past decade and are expected to continue \nto grow.\n                            recent successes\n    While the FBI and our partners have had multiple recent \ninvestigative successes against the threat, we are continuing to push \nourselves to respond more rapidly and prevent attacks before they \noccur.\n    One area in which we recently have had great success with our \noverseas partners is in targeting infrastructure we believe has been \nused in Distributed Denial of Service (DDOS) attacks, and preventing \nthat infrastructure from being used for future attacks. A DDOS attack \nis an attack on a computer system or network that causes a loss of \nservice to users, typically the loss of network connectivity and \nservices by consuming the bandwidth of the victim network. Since \nOctober 2012, the FBI and the Department of Homeland Security (DHS) \nhave released nearly 168,000 Internet Protocol addresses of computers \nthat were believed to be infected with DDOS malware. We have released \nthis information through Joint Indicator Bulletins (JIBs) to more than \n130 countries via DHS's National Cybersecurity and Communications \nIntegration Center (NCCIC), where our liaison officers provide expert \nand technical advice for increased coordination and collaboration, as \nwell as our Legal Attaches overseas.\n    These actions have enabled our foreign partners to take action and \nreduced the effectiveness of the botnets and the DDOS attacks. 
We are \ncontinuing to target botnets through this strategy and others.\n    In April 2013, the FBI Cyber Division initiated an aggressive \napproach to disrupt and dismantle the most significant botnets \nthreatening the economy and National security of the United States. \nThis initiative, named Operation Clean Slate, was implemented to \nappropriately address the threat neutralization actions through \ncollaboration with the private sector, Department of Homeland Security \nand other United States Government partners, and our foreign partners. \nThis includes law enforcement action against those responsible for the \ncreation and use of the illegal botnets, mitigation of the botnet \nitself, assistance to victims, public-service announcements, and long-\nterm efforts to improve awareness of the botnet threat through \ncommunity outreach. Although each botnet is unique, Operation Clean \nSlate's strategic approach to this significant threat ensures a \ncomprehensive neutralization strategy, incorporating a unified public/\nprivate response and a whole-of-Government approach to protect U.S. \ninterests.\n    The impact of botnets has been significant. Botnets have caused \nover $113 billion in losses globally, with approximately 378 million \ncomputers infected each year, equaling more than 1 million victims per \nday, translating to 12 victims per second.\n    To date, Operation Clean Slate has resulted in several successes. \nWorking with our partners, we disrupted the Citadel Botnet. This botnet \nwas designed to facilitate unauthorized access to computers of \nindividuals and financial institutions to steal on-line banking \ncredentials, credit card information, and other personally identifiable \ninformation. Citadel was responsible for the loss of over a half \nbillion dollars. As a result of our actions, over 1,000 Citadel domains \nwere seized, accounting for more than 11 million victim computers \nworld-wide. 
In addition, working with foreign law enforcement, we \narrested a major user of the malware.\n    Building on the success of the disruption of Citadel, in December \n2013, the FBI and Europol, together with Microsoft and other industry \npartners, disrupted the ZeroAccess Botnet. ZeroAccess was responsible \nfor infecting more than 2 million computers, specifically targeting \nsearch results on Google, Bing, and Yahoo search engines, and is \nestimated to have cost on-line advertisers $2.7 million each month.\n    In January 2014, Aleksandr Andreevich Panin, a Russian national, \npled guilty to conspiracy to commit wire and bank fraud for his role as \nthe primary developer and distributer of the malicious software known \nas ``Spyeye'' which infected over 1.4 million computers in the United \nStates and abroad. Based on information received from the financial \nservices industry, over 10,000 bank accounts were compromised by Spyeye \ninfections in 2013 alone. Panin's co-conspirator, Hamza Bendelladj, an \nAlgerian national who helped Panin develop and distribute the malware, \nwas also arrested in January 2013 in Bangkok, Thailand.\n                    next generation cyber initiative\n    The need to prevent attacks is a key reason the FBI has redoubled \nour efforts to strengthen our cyber capabilities while protecting \nprivacy, confidentiality, and civil liberties. The FBI's Next \nGeneration Cyber Initiative, which we launched in 2012, entails a wide \nrange of measures, including focusing the FBI Cyber Division on \nintrusions into computers and networks, as opposed to crimes committed \nwith a computer as a modality. The Cyber Division established Cyber \nTask Forces in each of our 56 field offices to conduct cyber intrusion \ninvestigations and respond to significant cyber incidents. 
The Cyber \nDivision has also hired additional computer scientists to assist with \ntechnical investigations in the field and expanded partnerships to \nenhance collaboration with the NCIJTF.\n    The NCIJTF, which serves as a coordination, integration, and \ninformation-sharing center among 19 U.S. agencies and our Five Eyes \npartners for cyber threat investigations has resulted in unprecedented \ncoordination. This coordination involves senior personnel at key \nagencies. NCIJTF, which is led by the FBI, now has deputy directors \nfrom the NSA, DHS, the Central Intelligence Agency, U.S. Secret \nService, and U.S. Cyber Command. In the past year, we have had our Five \nEyes partners join us at the NCIJTF. Australia embedded a liaison \nofficer in May 2013, the United Kingdom in July 2013, and Canada in \nJanuary 2014. By developing partnerships with these and other nations, \nNCIJTF is working to become the international leader in synchronizing \nand maximizing investigations of cyber adversaries.\n    While we are primarily focused with our Federal partners on cyber \nintrusions, we are also working with our State and local law \nenforcement partners to identify and address gaps in the investigation \nand prosecution of internet fraud crimes.\n    Currently, the FBI's Internet Crime Complaint Center (IC3) collects \nreports from private industry and citizens about on-line fraud schemes, \nidentifies emerging trends, and produces reports about them. The FBI \ninvestigates fraud schemes that are appropriate for Federal prosecution \n(based on such factors as the amount of loss). 
Others are packaged \ntogether and referred to State and local law enforcement.\n    The FBI is also working to develop the Wellspring program in \ncollaboration with the International Association of Chiefs of Police, \nthe Major Cities Chiefs Association, and the National Sheriffs' \nAssociation to enhance the internet fraud targeting packages IC3 \nprovides to State and local law enforcement for investigation and \npotential prosecution. During the first phase of this program's \ndevelopment, IC3 worked with the Utah Department of Public Safety to \ndevelop better investigative leads for direct dissemination to State \nand local agencies.\n    Through IC3, Operation Wellspring provided Utah police 22 referral \npackages involving over 800 victims, from which the FBI opened 14 \ninvestigations. Additionally, another 9 investigations were opened and \ndeveloped from the information provided.\n    The following are reported loss totals:\n  * IC3-referred investigations=$2,135,264.\n  * Cyber Task Force initiated investigations=$385,630.\n  * Operation Wellspring/Utah Total=$2,520,894.\n    The FBI is also partnering closely with DOJ's Bureau of Justice \nAssistance to support efforts of the International Association of \nChiefs of Police to develop a National Cyber Center designed \nspecifically to identify and share resources from across Government to \nassist local, State, and Tribal law enforcement agencies better address \ntheir cyber crime needs.\n    The FBI's newly-established Guardian for Cyber application, being \ndeveloped for Cyber use by the Guardian Victim Analysis Unit (GVAU), \nprovides a comprehensive platform that tracks U.S. 
Government \ncoordination and efforts to notify victims or targets of malicious \ncyber activity.\n    The FBI is working toward the full utilization of Guardian for \nCyber across FBI, other Government agencies, State, local, Tribal, and \nterritorial (SLTT) governments, as well as industry partners, in order \nto provide forward understanding of cyber-related threats, increase \nawareness of victim actions to mitigate those threats, and facilitate a \ncoordinated overall cyber incident response by the U.S. Government.\n                        private sector outreach\n    In addition to strengthening our partnerships in Government and law \nenforcement, we recognize that to effectively combat the cyber threat, \nwe must significantly enhance our collaboration with the private \nsector. Our Nation's companies are the primary victims of cyber \nintrusions and their networks contain the evidence of countless \nattacks. In the past, industry has provided us information about \nattacks that have occurred, and we have investigated the attacks, but \nwe have not always provided information back.\n    The FBI's newly-established Key Partnership Engagement Unit (KPEU) \nmanages a targeted outreach program focused on building relationships \nwith senior executives of key private-sector corporations. Through a \ntiered approach the FBI is able to prioritize our efforts to better \ncorrelate potential National security threat levels with specific \ncritical infrastructure sectors.\n    The KPEU team promotes the FBI's Government and industry \ncollaborative approach to cybersecurity and investigations by \ndeveloping a robust information exchange platform with its corporate \npartners.\n    Through the FBI's InfraGard program, the FBI develops partnerships \nand working relationships with private sector, academic, and other \npublic/private entity subject-matter experts. 
Primarily geared toward \nthe protection of critical, National infrastructure, InfraGard promotes \non-going dialogue and timely communication between a current active \nmembership base of 25,863 (as of April 2014).\n    InfraGard members are encouraged to share information with \nGovernment that better allows Government to prevent and address \ncriminal and National security issues. One of the resources available \nto members is the Guardian for Cyber program, which facilitates real-\ntime incident reports to the FBI. InfraGard members also benefit from \naccess to robust on- and off-line learning resources, connectivity with \nother members and special interest groups, and relevant Government \nintelligence and information updates that enable them to broaden threat \nawareness and protect their assets.\n    The FBI's Cyber Initiative & Resource Fusion Unit (CIRFU) maximizes \nand develops intelligence and analytical resources received from law \nenforcement, academia, international, and critical corporate private-\nsector subject-matter experts to identify and combat significant actors \ninvolved in current and emerging cyber-related criminal and National \nsecurity threats. CIRFU's core capabilities include a partnership with \nthe National Cyber Forensics and Training Alliance (NCFTA) in \nPittsburgh, Pennsylvania, where the unit is collocated. NCFTA acts as a \nneutral platform through which the unit develops and maintains liaison \nwith hundreds of formal and informal working partners who share real-\ntime threat information and best practices, and who collaborate on \ninitiatives to target and mitigate cyber threats domestically and \nabroad. 
In addition, the FBI, Small Business Administration, and the \nNational Institute of Standards and Technology (NIST) partner together \nto provide cybersecurity training and awareness to small business as \nwell as citizens leveraging the FBI InfraGard program.\n    The FBI recognizes that understanding the cyber threat is critical \nto effectively combating it. As part of our enhanced private-sector \noutreach, we have begun to provide industry partners with Classified \nthreat briefings and other information and tools to better help them \nrepel intruders. Earlier this year, in coordination with the Treasury \nDepartment, we provided a Classified briefing on threats to the \nfinancial services industry to executives of more than 40 banks who \nparticipated via secure video teleconference in FBI field offices. We \nprovided another Classified briefing on threats to the financial \nservices industry in April 2014, with 100 banks participating. Another \nillustration of the FBI's commitment to private-sector outreach is our \nincrease in production of our external use products such as the FBI \nLiaison Alert System (FLASH) reports and Private Industry Notifications \n(PINs).\n                               conclusion\n    In conclusion, to counter the threats we face, we are engaging in \nan unprecedented level of collaboration within the U.S. Government, \nwith the private sector, and with international law enforcement.\n    We are grateful for the committee's continued support and look \nforward to working with you and expanding our partnerships as we \ndetermine a successful course forward for the Nation to defeat our \ncyber adversaries.\n\n    Mr. King. Thank you, Mr. Demarest.\n    Now Mr. Zelvin.\n\nSTATEMENT OF LARRY ZELVIN, DIRECTOR, NATIONAL CYBERSECURITY AND \n  COMMUNICATIONS INTEGRATION CENTER, NATIONAL PROTECTION AND \n   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Zelvin. 
Chairman King, Chairman Meehan, Ranking Members \nHiggins, Ranking Member Clarke, distinguished Members of the \ncommittee, thank you for the opportunity to appear before you \ntoday.\n    As you well know, the Nation's economic vitality and \nNational security depend on a secure cyber space where \nreasonable risk decisions can be made and the flow of digital \ngoods, transactions, and on-line interactions can occur safely \nand reliably. In order to meet this objective, the technical \ncharacteristics of malicious cyber activity must be shared in a \ntimely fashion so cyber defenders can discover, address, and \nmitigate a variety of threats and vulnerabilities.\n    In carrying out our particular responsibilities, the NCCIC \npromotes and implements a unified approach to cybersecurity \nwhich enables the rapid sharing of cybersecurity information in \na manner that ensures the protection of individuals' privacy, \ncivil liberties, and rights.\n    The NCCIC is a civilian organization that provides an \naround-the-clock center where Government, private sector, and \ninternational partners can work together in both physical and \nvirtual environments. As mentioned, the NCCIC is comprised of \nfour branches, US-CERT, ICS-CERT, NCC, and an ops and \nintegration component.\n    From October 1, 2013, to May 20, 2014, the NCCIC has \nreceived over 350,000 cyber incident reports from Government \npartners, critical infrastructure organizations, and \ninternational partners, a significant increase from the nearly \n230,000 reports received in all of fiscal year 2013. 
These \nreports included incidents such as distributed denial of \nservice attacks, phishing campaigns, and intrusions into a \nvariety of technology information systems.\n    In response to these incidents, the NCCIC regularly \npublishes technical and nontechnical information products, \noften co-authoring with the FBI, analyzing the characteristics \nof malicious cyber activity, improving the ability of the \norganizations, their ability to reduce risk. Additionally, when \nappropriate, all NCCIC components have on-site incident \nresponse teams that can assist asset owners and operators and \ntheir facilities, in close cooperation with our Government \npartners.\n    US-CERT's global partnerships with more than 200 other \nCERTs world-wide are particularly useful as our team works to \ndevelop analysis across international borders to develop a \ncomprehensive picture of malicious cyber activity. Data from \nthe NCCIC and US-CERT can also be shared in machine-readable \nformats called a Structured Threat Information eXpression \nlanguage, also known as STIX, which is currently being \nimplemented and utilized.\n    When looking at cyber threats, one of our greatest \nchallenges in cybersecurity is, is our information technology \nsystems are not nearly as secure as they could or should be. \nWhile there are a number of cases I could use to highlight my \nstatement, I would like to use my remaining time to talk about \nhow we in DHS aided Federal departments and agencies respond to \nand mitigate to the Heartbleed vulnerability across the dot-gov \ndomain.\n    On April 17, 2014, the NCCIC learned of a vulnerability in \nthe widely-used Secure Sockets Layer encryption software dubbed \nHeartbleed. On April 8, US-CERT issued a public alert on the \nHeartbleed vulnerability and deployed signatures into our \nEINSTEIN 2 intrusion detection system to enable the detection \nof possible exploitation of the Heartbleed in the dot-gov \ndomain. 
On April 10, mitigation guidance was distributed to our \nnational world-wide partners, and then the NCCIC's National \nCybersecurity Assessment & Technical Services team collaborated \nwith well over 100 Federal agencies, receiving their \nauthorization to scan for the Heartbleed vulnerability, \nidentify their public IP space, schedule times to conduct the \nscanning, and then deliver individualized reports and results \nto each agency for their mitigation.\n    To date, the NCATS team has scanned Federal IP space of \napproximately 15.5 million IPs on 11 different occasions and \nassisted reducing the number of Federal Heartbleed \nvulnerability occurrences from 270 to about 2 in less than 3 \nweeks. More than half of these vulnerabilities were identified \nand mitigated in the first 6 days of scanning.\n    The Industrial Control System CERT, in partnership with \nprivate-sector research groups, conducted two webinars \nregarding Heartbleed, one with the Industrial Control System \nvendor community on April 16 and one with 16 critical \ninfrastructure sectors directly impacted by the vulnerability \non April 25. Approximately 140 vendors attended the first \nsession and nearly 500 critical infrastructure asset and owner-\noperators, as well as representatives from sector-specific \nagencies and information-sharing and analysis centers, attended \nthe second.\n    Fortunately, due to the hard work throughout the Federal \nGovernment, the impact of the Heartbleed on the dot-gov domain \nhas been minimal. I am very proud of how the team responded and \ncontinues to counter this significant vulnerability as it \nserves as yet another example of how we collaborate with and \nserve a large community of stakeholders. 
We still can do \nbetter, and we are asking for the help of the committee to \nclarify DHS' authorities so it can better mitigate threats to \nthe dot-gov and our dot-com domains closer to the time in which \nthey occur.\n    In conclusion, I would like to again thank the committee \nfor the ability to appear today and highlight that we in DHS \nand across the NCCIC strive every day to enhance the security \nand resilience across cyber space and the information \ntechnology enterprise. We accomplish our mission using \nvoluntary means and ever-mindful of the need to respect \nprivacy, civil liberties, and the law. I truly appreciate the \nopportunity to speak with you today and look forward to your \nquestions.\n    [The prepared statement of Mr. Zelvin follows:]\n                   Prepared Statement of Larry Zelvin\n                              May 21, 2014\n                              introduction\n    Chairman King, Chairman Meehan, Ranking Member Higgins, Ranking \nMember Clarke, and distinguished Members of the committee, I am pleased \nto appear today to discuss the Department of Homeland Security (DHS) \nNational Protection and Programs Directorate (NPPD) and the National \nCybersecurity and Communications Integration Center (NCCIC) efforts to \nassess persistent and emerging cyber threats to the U.S. homeland.\n    On February 12, 2013, the President signed Executive Order (E.O.) \n13636, Improving Critical Infrastructure Cybersecurity and Presidential \nPolicy Directive (PPD) 21, Critical Infrastructure Security and \nResilience, which set out steps to strengthen the security and \nresilience of the Nation's critical infrastructure, and reflect the \nincreasing importance of integrating cybersecurity efforts with \ntraditional critical infrastructure protection. 
The President also \nhighlighted that it is important for Government to encourage \nefficiency, innovation, and economic prosperity while promoting safety, \nsecurity, business confidentiality, privacy, and civil liberties. DHS \npartners closely with critical infrastructure owners and operators to \nimprove cybersecurity information sharing and encourage risk-based \nimplementation of standards and guidelines in order to strengthen \ncritical infrastructure security and resilience.\n    In my testimony today, I would like to highlight how DHS helps \nsecure cyber infrastructure and then discuss a few specific examples \nwhere we have prevented incidents and responded to a variety of \ncybersecurity challenges.\n             enhancing the security of cyber infrastructure\n    Based on our statutory authorities, and in response to policy \nrequirements, DHS coordinates the National protection, prevention, \nmitigation of, and recovery from significant cyber and communications \nincidents; disseminates domestic cyber threat and vulnerability \nanalysis across various sectors; and investigates cyber crimes under \nDHS's jurisdiction. DHS has a unique responsibility in securing Federal \ncivilian systems against all threats and hazards. DHS components \nactively involved in cybersecurity include NPPD, the United States \nSecret Service, the U.S. Coast Guard, U.S. Customs and Border \nProtection, Immigration and Customs Enforcement, the DHS Office of the \nChief Information Officer, and the DHS Office of Intelligence and \nAnalysis (I&A), among others. 
In all of its activities, DHS coordinates \nall of its cybersecurity efforts with public, private-sector, and \ninternational partners.\n    The DHS National Cybersecurity & Communications Integration Center \n(NCCIC) is a 24x7 cyber situational awareness and incident response and \nmanagement center that serves as a centralized location where \noperational elements involved in cybersecurity and communications \nreliance coordinate and integrate cybersecurity efforts. NCCIC partners \ninclude all Federal departments and agencies; State, local, Tribal, and \nterritorial governments (SLTT); the private sector; and international \nentities. NCCIC's activities include providing greater understanding of \ncybersecurity and communications vulnerabilities, intrusions, \nincidents, mitigation, and recovery actions. The NCCIC is composed of \nthe United States Computer Emergency Readiness Team (US-CERT), the \nIndustrial Control System Cyber Emergency Response Team (ICS-CERT), the \nNational Coordination Center for Communications (NCC), and an \nOperations and Integration Team. NCCIC operations are currently \nconducted from three States--Virginia, Idaho, and Florida. During the \nfirst 7 months of fiscal year 2014, the NCCIC has received 31,593 \nreports of incidents, detected over 28,000 vulnerabilities, issued over \n4,006 actionable cyber alerts, and had over 252,523 partners subscribe \nto our cyber threat warning sharing initiative.\n    The NCCIC actively collaborates with public and private-sector \npartners every day, including responding to and mitigating the impacts \nof attempted disruptions to the Nation's critical cyber and \ncommunications networks. 
In fiscal year 2014 so far, the Industrial \nControl Systems Cyber Emergency Response Team (ICS-CERT) has provided \nover 161 alerts, bulletins, and other products to the ICS community \nwarning of various threats and vulnerabilities impacting control \nsystems, tracked 85 unique vulnerabilities affecting ICS products, \nconducted 41 assessments across critical infrastructure sectors, and \ndeployed the Cyber Security Evaluation Tool to 2,412 critical \ninfrastructure owners and operators to assist in performing their own \ncybersecurity self-assessments against known control systems standards.\n    DHS also directly supports Federal civilian departments and \nagencies in developing capabilities that will improve their own \ncybersecurity posture. Through the Continuous Diagnostics and \nMitigation (CDM) program, led by the NPPD Federal Network Resilience \nBranch, DHS enables Federal agencies to more readily identify network \nsecurity issues, including unauthorized and unmanaged hardware and \nsoftware, known vulnerabilities, weak configuration settings, and \npotential insider attacks. Agencies can then prioritize mitigation \nactions for these issues based on potential consequences or likelihood \nof exploitation by adversaries. The CDM program provides diagnostic \nsensors, tools, and dashboards that provide situational awareness to \nindividual agencies, as well as general situational awareness at the \nFederal level. Memoranda of Agreement with the CDM program encompass \nover 97 percent of all Federal civilian personnel.\n    Complementing these efforts, the National Cybersecurity Protection \nSystem (NCPS), a key component of which is referred to as EINSTEIN, is \nan integrated intrusion detection, analysis, information sharing, and \nintrusion-prevention system, utilizing hardware, software, and other \ncomponents to support DHS's mandate to protect Federal civilian agency \nnetworks. 
In fiscal year 2014 and beyond, the program will expand \nintrusion prevention, information sharing, and cyber analytic \ncapabilities at Federal agencies. EINSTEIN 3 Accelerated (E3A) \ncurrently provides Domain Name System and/or email protection services \nto a total of seven departments and agencies, and we are working with \nour service providers to bring coverage to the rest of the Executive \nbranch. However, this process has been significantly delayed by the \nlack of clear authorities for DHS. E3A gives DHS an active role in \ndefending .gov network traffic and significantly reduces the threat \nvectors available to malicious actors seeking to harm Federal networks.\n  securing the homeland against persistent and emerging cyber threats\n    Cyber intrusions into critical infrastructure and Government \nnetworks are serious and sophisticated threats. The complexity of \nemerging threat capabilities, the inextricable link between the \nphysical and cyber domains, and the diversity of cyber actors present \nchallenges to DHS and all of our customers. Because the private sector \nowns and operates a significant percentage of the Nation's critical \ninfrastructure, information sharing becomes especially critical between \nthe public and private sectors.\nHeartbleed\n    The Department recently learned of a serious vulnerability, known \nas ``Heartbleed,'' a weakness in the widely-used OpenSSL encryption \nsoftware that protects the electronic traffic across two-thirds of the \ninternet and in scores of electronic devices. Although new computer \n``bugs'' and malware crop up almost daily, this vulnerability is \nunusual in how widespread it is, the potentially damaging information \nit allows malicious actors to obtain, and the length of time before it \nwas discovered.\n    NCCIC learned of the Heartbleed vulnerability on April 7, \n2014. Less than 24 hours later, NCCIC released alert and mitigation \ninformation on the US-CERT website. 
In close coordination with the \nDepartments of Defense and Justice, as well as private-sector partners, \nthe NCCIC then created a number of compromise detection signatures for \nthe EINSTEIN system that were also shared with additional critical \ninfrastructure partners. DHS worked with civilian agencies to scan \ntheir .gov websites and networks for Heartbleed vulnerabilities, and \nprovided technical assistance for issues of concern identified through \nthis process. The NCCIC and its components also began a highly active \noutreach to cyber researchers, critical infrastructure owners, \noperators, and vendors, Federal, and SLTT entities, and international \npartners to discuss measures to mitigate the vulnerability and \ndetermine if there had been active exploits.\n    Once in place, DHS began notifying agencies that EINSTEIN \nsignatures had detected possible activity, and immediately provided \nmitigation guidance and technical assistance.\n    The administration's May 2011 Cybersecurity Legislative Proposal \ncalled for Congress to provide DHS with clear statutory authority to \ncarry out this operational mission, while reinforcing the fundamental \nresponsibilities of individual agencies to secure their networks, and \npreserving the policy and budgetary coordination oversight of the \nOffice of Management and Budget and the Executive Office of the \nPresident. While there was rapid and coordinated Federal Government \nresponse to Heartbleed, the lack of clear and updated laws reflecting \nthe roles and responsibilities of civilian network security caused \nunnecessary delays in the incident response.\nPoint-of-Sale Compromises\n    On December 19, 2013, a major retailer publicly announced it had \nexperienced unauthorized access to payment card data from the \nretailer's U.S. stores. 
The information involved in this incident \nincluded customer names, credit and debit card numbers, and the cards' \nexpiration dates and card verification value security codes (i.e., the \nthree- or four-digit numbers that are usually on the back of the card). \nSeparately, another retailer reported a malware incident involving its \nPoint-of-Sale (POS) system on January 11, 2014, that resulted in the \napparent compromise of credit card and payment information.\n    In response to this activity, NCCIC/US-CERT analyzed the malware \nidentified by the Secret Service as well as other relevant technical \ndata and used those findings, in part, to create two information-\nsharing products. The first product, which is publicly available and \ncan be found on US-CERT's website, provides a non-technical overview of \nrisks to POS systems, along with recommendations for how businesses and \nindividuals can better protect themselves and mitigate their losses in \nthe event an incident has already occurred. The second product provides \nmore detailed technical analysis and mitigation recommendations, and \nhas been shared through non-public, secure channels with industry \npartners to enable their protection efforts. When possible, NCCIC's \ngoal is always to share information broadly, including by producing \nproducts tailored to specific audiences.\n    These efforts ensured that actionable details associated with a \nmajor cyber incident were shared quickly and accurately with the \nprivate-sector partners who needed the information in order to protect \nthemselves and their customers, while also providing individuals with \npractical recommendations for mitigating the risk associated with the \ncompromise of their personal information. 
NCCIC especially benefited \nfrom close coordination with the private-sector Financial Services \nInformation Sharing and Analysis Center (FS-ISAC) during this response.\nEnergy Sector\n    In March 2012, DHS identified a campaign of cyber intrusions \ntargeting natural gas pipeline sector companies with spear-phishing e-\nmails that dated back to December 2011. The attacks were highly-\ntargeted, tightly-focused, and well-crafted.\n    ICS-CERT kicked off an ``Action Campaign'' in partnership with the \nFederal Bureau of Investigation, Department of Energy (DOE), \nElectricity Sector-Information Sharing and Analysis Centers, \nTransportation Security Administration, and others to provide \nClassified briefings to private-sector critical infrastructure \norganizations across the country. In May and June 2012, DHS deployed \non-site assistance to two of the organizations targeted in this \ncampaign: An energy company that operates a gas pipeline in the United \nStates and a manufacturing company that specializes in producing \nmaterials for pipeline construction. ICS-CERT and the Federal Bureau of \nInvestigation (FBI) provided 14 briefings in major cities throughout \nthe United States to over 750 personnel involved in the protection of \nenergy assets and critical infrastructure.\n    ICS-CERT, in coordination with DOE and the Federal Energy \nRegulatory Commission (FERC), has also started an initiative dubbed \n``SAFEGUARD'' to assess the cybersecurity of major energy sector asset \nowners (e.g., electric and gas utilities, petroleum companies) to \nproactively understand the state of security. 
Customized services \ninclude cybersecurity assessments, network architecture reviews, \nnetwork scanning to look for static indicators and indicators of \nadversary persistence and anomalies, and control systems network \ntraffic visualization.\n    Our I&A colleagues have increased outreach to the Energy Sector, \nproviding expertise on malicious capabilities and intentions of \nemerging cyber threat actors targeting the sector, including in \nUnclassified forums. I&A leveraged partnerships with DHS and other \nFederal experts, including colleagues at DOE, to provide threat \nbriefings to CEOs, CIOs, CISOs, and other private and public-sector \nleaders. These included engagements with the leadership and members of \nthe American Petroleum Institute, alongside NPPD partners and National \nSecurity Staff colleagues, and a joint briefing with the FBI to the \nFederal Energy Regulatory Commission.\nFinancial Sector Distributed Denial of Service (DDoS) Attacks\n    The continued stability of the U.S. financial sector is often \ndiscussed as an area of concern, as U.S. banks are consistent targets \nof cyber attacks. DDoS incidents impacting leading U.S. banking \ninstitutions in 2012 and 2013 and periodically in 2014 have gotten more \npowerful as the DDoS campaign has persisted. US-CERT has a distinct \nrole in responding to a DDoS: To disseminate victim notifications to \nUnited States Federal Agencies, Critical Infrastructure Partners, \nInternational CERTs, and U.S.-based Internet Service Providers.\n    US-CERT has provided technical data and assistance, including \nidentifying 600,000 DDoS-related IP addresses and supporting contextual \ninformation in order to help financial institutions and their \ninformation technology security service providers improve their \ndefensive capabilities. 
In addition to sharing with the relevant \nprivate-sector entities, US-CERT has provided this information to over \n120 international partners, many of whom have contributed to our \nmitigation efforts. US-CERT, along with the FBI and other interagency \npartners, has also deployed on-site technical assistance to provide in-\nperson support. US-CERT works with Federal civilian agencies to ensure \nthat no U.S. Government systems are infected with botnet software that \nlaunches DDoS attacks and to increase the U.S. Government's domestic \nand international sharing and coordination efforts with public and \nprivate-sector partners.\n    During these attacks, our I&A partners bolstered long-term and \nconsistent threat engagements with the Department of Treasury and \nprivate-sector partners throughout the Financial Services Sector. I&A \nanalysts presented numerous sector-specific Unclassified briefings on \nthe relevant threat intelligence, including at the annual FS-ISAC \nconference, alongside the Office of the National Counterintelligence \nExecutive and the U.S. Secret Service. Additionally, at the request of \nthe Treasury and the Financial and Banking Information Infrastructure \nCommittee (FBIIC), I&A analysts provided Classified briefings on the \nmalicious cyber threat actors to cleared individuals and groups from \nseveral financial regulators, including the Federal Deposit Insurance \nCorporation (FDIC), Securities and Exchange Commission (SEC), and the \nFederal Reserve Board (FRB).\n                               conclusion\n    DHS is committed to creating a safe, secure, and resilient cyber \nenvironment while promoting cybersecurity knowledge and innovation and \nprotecting confidentiality, privacy, and civil liberties in \ncollaboration with our public, private, and international partners. 
We \nwork around the clock to ensure that the peace and security of the \nAmerican way of life will not be interrupted by opportunist enemies or \nterrorist actors. Each incarnation of threat has some unique traits. \nMitigation requires agility and adaptation. Cybersecurity is not an \nend-state, but a continuous process of risk management.\n    We continue to believe that carefully-crafted information-sharing \nprovisions, as part of a comprehensive suite of cybersecurity \nlegislation, are essential to improving the Nation's cybersecurity, and \nwe will continue to work with Congress and the White House to achieve \nthis objective. We continue to seek legislation that clarifies and \nstrengthens DHS responsibilities and allows us to respond quickly to \nvulnerabilities like Heartbleed. We continue to seek legislation that \nincorporates privacy, civil liberties, and confidentiality safeguards \ninto all aspects of cybersecurity; strengthens our critical \ninfrastructure's cybersecurity by further increasing information \nsharing and promoting the adoption of cybersecurity standards and \nguidelines; gives law enforcement additional tools to fight crime in \nthe digital age; and creates a National Data Breach Reporting \nrequirement.\n    DHS plays an integral role in promoting National cybersecurity: We \nare building a foundation of voluntary partnerships with private owners \nof critical infrastructure and Government partners working together to \nsafeguard stability. We form a crucial underpinning for ensuring the \non-going continuation of services. We work through information sharing, \nthreat and indicator technical tools, sector-specific outreach, on-site \ntechnical assistance, education and awareness campaigns, and other \nmechanisms--in other words, we use a multi-dimensional approach that \nprovides layered security. 
We look forward to continuing the \nconversation and continuing to serve the American goals of peace and \nstability, and we hope for your continued support.\n\n    Mr. King. Thank you, Mr. Zelvin.\n    Now I would recognize Ms. Clarke for opening remarks.\n    Ms. Clarke. I thank you, Mr. Chairman, and I thank Chairman \nMeehan and Ranking Member Higgins, for holding this hearing \nthis morning.\n    As we have just heard and are keenly aware, threats to \nsystems supporting U.S. critical infrastructure and Federal and \ncorporate information systems are evolving and growing. \nAdvanced persistent threats where adversaries possess \nsophisticated levels of expertise and significance pose \nincreasing threats.\n    Soon after his election in 2008, President Obama declared \nthe cyber threat to be one of the most serious economic and \nNational security challenges we face as a Nation and stated \nAmerica's economic prosperity in the 21st Century will depend \non cybersecurity. The Director of National Intelligence has \nalso warned us of the increasing globalization of cyber \nattacks, including those carried out by foreign militaries or \norganized international crime.\n    As has been mentioned already this morning, on Monday we \nsaw the Department of Justice indict members of a foreign \nmilitary involved in economic espionage cyber crime, most \nlikely espionage in support of its state-owned companies. It \nappears that the Department of Justice has been working on this \nindictment for more than a year. Prosecutors in the DOJ's \nNational Security Division had to show there was strong \nspecific evidence, and there had to be companies that were \nwilling to go public against China.\n    The evolving array of cyber-based threats facing the Nation \npose threats to National security, commerce, and intellectual \nproperty, as well as individuals. International threats include \nboth targeted and untargeted attacks from a variety of sources. 
\nThese sources include business competitors, criminal groups, \nhackers, and foreign nations engaged in espionage and \ninformation warfare.\n    These sources of cybersecurity threats make use of various \ntechniques to compromise information or adversely affect \ncomputers, software, a network or organization's operation and \nindustry, or the internet itself. Such threat sources vary in \nterms of the types and capabilities of the actors, their \nwillingness to act, and their motives. Adversarial \ncybersecurity threats can range from, as I like to say, from \nbotnets to business competitors.\n    Addressing international cybersecurity threats involves \nmany Government and private entities, including internet \nservice providers, security vendors, software developers, and \ncomputer forensic specialists. Their focus is on developing and \nimplementing technology systems to protect against computer \nintrusions, internet fraud and spam, and if a crime does occur, \ndetecting it and helping to gather evidence for an \ninvestigation. Also, because cyber crime threats cross National \nand State borders, law enforcement organizations have to deal \nwith multiple jurisdictions with their own laws and legal \nprocedures, a situation that complicates and hobbles \ninvestigations.\n    Law enforcement's challenge in investigating and \nprosecuting malicious 21st Century cyber criminals is this: \nModern criminals can readily leverage technology to victimize \ntargets across borders, and the criminals themselves need not \ncross a single border to do so. This creates a unique test in \nidentifying and locating the criminals and in apprehending and \nprosecuting them.\n    The United States has extradition treaties and mutual legal \nassistance agreements with some, but not all countries, and \neven with these agreements in place, the process may be slow. 
\nWe must continue to search for ways that Congress can help \nenhance international law enforcement capabilities and to get \ncriminals off the streets or, shall we say, out of cyberspace, \nand thus protect U.S. critical infrastructure, Government \nsystems, and consumers.\n    I appreciate hearing the informed testimony of our \nwitnesses this morning. It is reassuring to know that our \nNation benefits from your diligence, knowledge, and expertise.\n    With that, Mr. Chairman, I yield back.\n    [The statement of Ms. Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n                              May 21, 2014\n    We all know that threats to systems supporting U.S. critical \ninfrastructure, and Federal and corporate information systems are \nevolving and growing. Advanced persistent threats--where adversaries \npossess sophisticated levels of expertise and significant--pose \nincreasing risks.\n    Soon after his election in 2008, President Obama declared the cyber \nthreat to be ``one of the most serious economic and National security \nchallenges we face as a Nation'' and stated ``America's economic \nprosperity in the 21st Century will depend on cybersecurity.'' The \nDirector of National Intelligence has also warned of the increasing \nglobalization of cyber attacks, including those carried out by foreign \nmilitaries or organized international crime.\n    On Monday, we saw the Department of Justice indict members of a \nforeign military involved in economic espionage cyber crime, most \nlikely espionage in support of its state-owned companies. It appears \nthat the Department of Justice has been working on this indictment for \nmore than a year. 
Prosecutors in the DOJ's National Security Division \nhad to show there was strong, specific evidence, and there had to be \ncompanies that were willing to go public against China.\n    The evolving array of cyber-based threats facing the Nation poses \nthreats to National security, commerce and intellectual property, and \nindividuals. Intentional threats include both targeted and untargeted \nattacks from a variety of sources. These sources include business \ncompetitors, criminal groups, hackers, and foreign nations engaged in \nespionage and information warfare.\n    These sources of cybersecurity threats make use of various \ntechniques to compromise information or adversely affect computers, \nsoftware, a network, an organization's operation, an industry, or the \ninternet itself. Such threat sources vary in terms of the types and \ncapabilities of the actors, their willingness to act, and their \nmotives. Adversarial cybersecurity threats can range from, as I like to \nsay, ``From Botnets to Business Competitors''.\n    Addressing international cyber crime threats involves many \nGovernment and private entities--including internet service providers, \nsecurity vendors, software developers, and computer forensics \nspecialists. Their focus is on developing and implementing technology \nsystems to protect against computer intrusions, internet fraud, and \nspam and, if a crime does occur, detecting it and helping to gather \nevidence for an investigation.\n    Also, because cyber crime threats cross National and State borders, \nlaw enforcement organizations have to deal with multiple jurisdictions \nwith their own laws and legal procedures, a situation that complicates \nand hobbles investigations. 
Law enforcement's challenge in \ninvestigating and prosecuting malicious, 21st Century cybercriminals is \nthis--modern criminals can readily leverage technology to victimize \ntargets across borders, and the criminals themselves need not cross a \nsingle border to do so.\n    This creates a unique test in identifying and locating the \ncriminals, and in apprehending and prosecuting them. The United States \nhas extradition treaties and mutual legal assistance agreements with \nsome, but not all countries. Even with these agreements in place, the \nprocess may be slow.\n    We must continue to search for ways that Congress can help enhance \ninternational law enforcement capabilities and to get criminals off the \nstreets, or shall we say, out of cyberspace, and thus protect U.S. \ncritical infrastructure, Government systems, companies, and consumers.\n\n    Mr. King. I thank Ranking Member Clarke.\n    Now we will open up the hearing for a few questions. I just \nwant to remind Members, however, that we are going to be moving \nto a closed session where these questions can be better \naddressed. But, again, if we can keep it to a few questions, I \nthink it will be to everyone's benefit because there is much to \nbe learned in closed session.\n    I just basically have one question, and I would ask it to \nthe panel. Are terrorist organizations actively targeting the \nUnited States and have you seen cases of terror groups \ncoordinating with criminal organizations to carry out attacks \nor to gain capability? Again we are in an open session, so you \ncan tailor your answer accordingly.\n    Mr. Demarest. Yes, Chairman. So for this session, sir, yes, \nwe are seeing that, but it is focused against the websites that \nare hosted in the United States, and they tend to be low-level \nattacks, website defacements and the like, maybe some DDoS \nactivity. 
There are three principal groups that have the \ncapabilities or are developing the capabilities today or are \nlooking for the capabilities today to do something more I will \nsay in the physical realm.\n    As far as your second part of the question about joining \nwith criminal organizations, we have not seen that yet, though \nwe do actively watch for terrorist organizations crossing over \nto the criminal forums that are on-line today to acquire a \nskill or talent or tools to perpetrate some greater crime.\n    Mr. King. Do you believe that we have the defense \ncapability? I know you said you want to head them off, but also \ndo we have the defense capability against these type attacks?\n    Mr. Demarest. I think it is sector by sector, Chairman. I \nthink in the dot-gov space we are fairly well-prepared, along \nwith the dot-mil, but once you get into the dot-com space it is \nvarying degrees of preparedness I would say, and I would \nprobably defer to Larry on that, or Mr. Zelvin, as far as the \nsectors and how well they are prepared. But we see finance in \nparticular doing a stellar job. They have invested heavily. \nTransportation and some of the others, energy. Then as you get \ndown lower on the priority scale, less so.\n    Mr. King. Mr. Lemons, Mr. Zelvin, any comment?\n    Mr. Lemons. I would say I concur with Mr. Demarest at this \npoint.\n    Mr. Zelvin. Mr. Chairman, the only thing I think I would \nadd is just that obviously law enforcement intelligence is \ndoing their collection. Where we see this is reporting from \nvictims, and then we turn it over to the FBI and other law \nenforcement both at the State and local level.\n    You know, most of the terrorist groups, especially \ndomestic, are going after faith-based groups, so that has been \nmostly trying to influence and having an impact with those \ngroups. We are working with them. Many of these groups don't \nhave very sophisticated cyber defenses. 
So we are working with \nthem not only to understand what may be targeting them, but \nalso what companies out there can assist, and then obviously we \noffer assistance as well. I can cover more in the closed \nsession if you like.\n    Mr. King. Thank you.\n    Ranking Member Higgins.\n    Mr. Higgins. Thank you, Mr. Chairman.\n    It seems as though capability and desire are hard things to \nmonitor and to detect, and it seems as though the cyber threat \nis coming from both state and non-state actors. So I would be \ninterested in your assessment as to the terrorist threat from \nnon-state actors like Hezbollah, Syria, and al-Qaeda. \nTerrorists second generation, post-9/11, are younger, more \naggressive, and more technologically savvy. So I am just \ninterested in your assessment of that relative to capability \nand desire to strike U.S. targets.\n    Mr. Demarest. Ranking Member, I would say the desire is \nstrong. I will say the capability is developing. What we have \nseen among the three groups you mentioned, Lebanese Hezbollah \nis certainly an organization that is looking to develop a \nsignificant capability in this arena. They focus primarily on \nregional enemies, I will say their enemies, but not so much \nagainst the United States.\n    Mr. Zelvin. Sir, I would concur with Mr. Demarest.\n    Mr. Lemons. Me also, sir.\n    Mr. Higgins. What about the threat posed by state actors \nlike Iran, China, and Russia? Is the level of activity \nincreasing, and what are we doing to combat that?\n    Mr. Demarest. I will say certainly more for the closed \nsession, sir, but significantly increasing on all three. I \nwould say Russia, China, and Iran are certainly developing \nsignificant capabilities.\n    Mr. Lemons. I would also concur with Mr. Demarest. As we \nsee these nations also increase in complexity, their \ninformation needs also increase. 
Part of those information \nneeds are also developing a cyber program to meet those needs \nas they go forward. We will get into more detail in the closed \nsession, sir.\n    Mr. Higgins. I would just say in closing, the terrorist \nmentality is to target high-impact targets obviously, and 9/11, \nin addition to the death and destruction that was exacted on \nthe United States, there was also a symbolic attack as well, \nwhich the cyber threat seems to confirm, and that is to disrupt \nour way of life. They attacked the Twin Towers because it was a \nsign of America's economic superiority. They attacked the \nPentagon because it was a symbol of America's military \nsuperiority. Presumably a plane was headed for either the \nCapitol or the White House because of our democratic freedoms \nthat we enjoy.\n    So it would seem to me that the potential of cyber attacks \nand the motivation and desire of those who seek to hurt us and \nour way of lives is pretty imminent and pretty significant. So \nI will yield back.\n    Mr. King. Chairman Meehan.\n    Mr. Meehan. I thank you, Chairman King.\n    I thank, again, the panel for your work in this area.\n    We have looked at a variety of issues, and a lot of the \nfocus continues to be, appropriately so, on the nation-state \nactivity and the very sophisticated criminal gangs and the \npotential for them to do massive disruption, not only to our \ninfrastructure, but also theft of intellectual property and \nthings of that nature.\n    But Special Agent Demarest, you used a term, and it struck \nme, because you talked about this kind of a threat affecting \nnot just our nations, but also our neighborhoods. I often think \nabout the average American thinking about us discussing these \nissues and believing that somehow it is very remote from them--\nsomething might happen to some bank in New York, but it doesn't \naffect me. 
I praise law enforcement across the board, including \nthe great work done by the Justice Department taking on \nsophisticated Chinese operations that have been sponsored, \nnation-sponsored activity, hacking into our most sophisticated \nsystems.\n    But in your testimony you also talked about this process \nBlackshades, and in effect this is a market that exists out \nthere in the world, you touched 19 countries with this very \nimportant indictment. Effectively, Blackshades, for anywhere \nbetween $5 and $40, individuals can go into the black market \nand purchase malware that if they are sophisticated enough, \neffectively they could go into the home of any American and \ntake over their computer. As I understand your testimony, it is \nnot only the ability to use that malware if it is invited in, \nin some capacity to take over the operation of a computer, \nincluding tracking the key strokes and things of that nature, \nbut in reading the publicly-available information. So I am not \ntalking about anything that hasn't been spoken about publicly.\n    Is it not accurate that in addition there was the capacity \nto be able to manipulate remotely the same kind of control \nfunctions that the individual would, including the use of \ncameras? So the reality is an individual could be sitting in \ntheir own home, they could be sitting in their own bedroom, and \na remotely-controlled access would be able to not only have \naccess to what is contained within their computer, but maybe \nactually in real time be actually viewing what is going on in \nthat home. So we are inviting into our own homes, an average \nAmerican, for as little as $5 some criminal in Eastern Europe \nor across the street would be able to have that access.\n    So I don't think we talk enough about this. Could you \nexplain to me just what is Remote Access Tool? How is it \navailable? What can it do? What are we doing to be able to take \nsteps to prevent its use?\n    Mr. Demarest. 
Chairman Meehan, you are exactly right. You \ncan imagine as a citizen sitting anywhere in the United States \ntoday, you could have an actor sitting in some remote region of \nthe world actually viewing you through your own laptop or a \ncomputer at home through your camera.\n    Basically Remote Access Tool provides access by an actor to \nyour box or to your computer to take it over. They own your PC \nor laptop or device that you are using. It gives them access, \nas you mentioned, to the web cam or the camera, and they can \nturn it on and off at will. As I mentioned, ransomware, they \ncan lock files, take photos, whether they be sensitive photos \nto the individual, the owner of the computer or not, they \ncollect all this information, financial information, passwords \nand the like. So it is completely owned. Then the information \nis taken and either used by that particular actor or sold in \ndifferent environments on-line in these criminal forums.\n    So you are being exposed and exploited once, and then \npotentially multiple times by other actors who purchase the \ninformation on-line. Separately more, I guess, salt to the \nwound, they have the ability to send out chat messages to your \ncontacts within your computer, so it looks like Chairman Meehan \nis sending Joe Demarest an email or chat and I respond to that. \nIn that is a link that has the malware that is attached, so it \nthen spreads the Blackshades now to my computer.\n    Mr. Meehan. So a friend could pick up what I think is a \nmessage to me that would just be in the normal course, I \nrespond and send back a picture of our vacation that we took \ndown to the Jersey shore, but because of that communication \nthey now have access into my computer and now they can begin to \ndo the same process, not only the taking over of the files and \nthe key strokes, but potentially even manipulating the camera \nin my bedroom?\n    Mr. Demarest. Friends and family. 
What it would require \nfrom me when you send or after sending that chat to me, for me \nto click on a link that you send me via the chat message.\n    Mr. Meehan. How do we identify something like that in our \nsystem and what are we doing to be able to educate Americans to \ntake steps to protect their most intimate and most private and \nmost secure information, that which they do in the comfort of \ntheir own home?\n    Mr. Demarest. Excellent question. So throughout the \ninvestigation and in the culmination of the enforcement is a \nsignificant technical aspect to it where we are seizing the \ninfrastructure used by the actors. Specifically, administrative \nservers, which has most of the victim information on it. So \nthen we work with the victim, I will say the internet service \nproviders for the various countries, to identify the victims \nand to get information to them, the fact that they have been \nimpacted, and tools made available for them to actually \nmitigate or remediate what is on their computer. That again is \nthe relationship we have forged with DHS, as offering through \nthe DHS portal, but either tools or instructions on how to \nactually eliminate a given malware.\n    Mr. Meehan. Well, I will look forward to more communication \nwith this as we go into private session and otherwise. But I \nthank all of you for your work. I think it is very important \nfor the American people to recognize these issues and don't \nthink of them always as just remotely affecting just big \nbusinesses or corporations, that everyday Americans, as you \nsaid, affecting not just our Nation, but our neighborhoods. I \nthink this is part of our responsibility, is to open up an \nawareness and appreciation for the very scope and nature of \nthis threat.\n    Thank you for your testimony. Look forward to hearing more \nat a later time. Yield back.\n    Mr. King. Thank you, Chairman Meehan.\n    Ranking Member Clarke.\n    Ms. Clarke. Thank you, Mr. 
Chairman.\n    Monday's indictment of the five Chinese military hackers \nfor computer hacking and economic espionage was the sort of \nlegal action taken by the AG as a standard tactic in espionage. \nIt sends a clear signal to the other side that their actions \nhave become intolerable. But it is just the beginning of a long \nprocess. The indictment alleged that the defendants conspired \nto hack into American computer systems, maintain authorized \naccess, stealing information to advantage economic competitors \nin China.\n    As I understand, the Department of Homeland Security's role \nin these types of situations is usually led by US-CERT because \nit leads mitigation and forensic efforts in coordination with \nthe FBI, Secret Service, and other Federal agencies. Would you \ndescribe the kind of interagency coordination that is in place \nfor agencies as a collaborative model where DHS' involvement is \nstood up through US-CERT, and does the role go beyond that \njurisdiction?\n    Mr. Zelvin. Ranking Member, thank you for the question. So \nlet me talk about it in broad terms, and we can get into more \nnarrow as you like.\n    When there is an incident now we have a ranking system as \nto the importance of it. There are certain things that are low \nthreshold and certain things are high threshold. It is a high \nthreshold if somebody is into a database system. If there is a \ncompromise of personal identifiable information, if there is a \ndisruption or a destruction event, those are obviously very \nhigh-scale events. Fortunately they don't happen often, but \nthey do happen.\n    On a given day we see between 150 and 200 incidents through \nour EINSTEIN system, which is monitoring the dot-gov through \nintrusion detection and intrusion prevention. At the high level \nwe will make an outreach directly to the victim, and we will \nnotify them of the event and making sure that they are \ntracking. 
Then we will offer assistance, if needed, to actually \ngo and investigate on their servers and other information \ntechnology capabilities to determine how deep is the \ncompromise.\n    We will do this in full partnership with the FBI, which \nwill be leading law enforcement and domestic intelligence \ncollection, we will do this with our own intelligence community \nmembers so they can develop the tactics, techniques, and \nprocedures to see where else. Then US-CERT will go across the \nFederal community and create that awareness.\n    At the same time, we are creating signatures into the \nintrusion detection system to make sure that these events \ncannot be repeated, and then we are sharing it with the private \nand international partners through the Enhanced Cybersecurity \nServices or ECS, and also through our CISP program. So it is \ninteragency, it is private sector, it is international, and \neven on the lower events we are still doing the notification. \nSo I described the high end as more of an example. Then I would \nask, see if Mr. Demarest wants to offer some thoughts as well.\n    Mr. Demarest. Madam Clarke, so what is great about today is \nthat what Mr. Zelvin and the NCCIC in DHS learns informs the \ninvestigation, and what we learn through the investigation or \nintelligence collection efforts inform the protectors or the \ndefenders, DHS. This is a cycle that has developed mightily, I \nwill say, over the past 2 years where it is this effective \ntransfer of knowledge and information that better safeguards \nthe country, but then informs and helps us spearhead and focus, \nfinely focus investigations.\n    Ms. Clarke. Very well. That is a very robust and holistic \napproach, and I think that that will serve our Nation well.\n    My next question is the debate around protecting U.S. \nnetworks is often focused on U.S. critical infrastructure. 
\nCurrently the Department of Homeland Security from Presidential \nPolicy Directive 21 lists 16 critical infrastructure sectors. \nWhich of these sectors are targeted with probes and intrusions \nmost frequently and what sectors are most at risk?\n    Mr. Zelvin. Ranking Member, it really depends on the \nawareness. I will tell you, our energy sector, our finance \nsector, information technology, communications, transportation, \nwe are seeing a lot of instances. There are other sectors that \nI haven't mentioned where we are not seeing it, but I wonder if \nthat is because they are not being reported, and that is a huge \nchallenge. When it comes to the critical infrastructure in the \nprivate sector, there is no requirement, it is all voluntary, \nso we know what we know, we don't know what we don't know, and \nI really worry about what we don't know.\n    So I have talked to groups and other sectors, and they \nsaid, we really don't have a cybersecurity problem. I said, oh, \nmy gosh, yes, you do, you just don't know about it.\n    I will tell you my experience, and I think Mr. Lemons and \nMr. Demarest will tell you the same thing. Adversaries are \ngoing after any vulnerability they can find. So it doesn't \nmatter what State you are in, what city you are in, what \ncritical infrastructure you are in, if there is an opening, \nthere is an adversary that is going to see where they can go \nand what information they can steal.\n    Mr. Demarest. I would agree with Mr. Zelvin. Depending on \nthe actor sometimes alters the focus or the most threatened \nsector. We talked about our Middle East actor in recent DDoS \nactivity against New York over the past year or so. But again I \nthink it depends on them, but I think Larry has mentioned the \npriority sectors for us today are finance, transportation, \nenergy, IT, or communications.\n    Mr. Lemons. Ranking Member, I think to the point from Mr. \nZelvin and Mr. 
Demarest also, as we increase our outreach \nefforts within the private sector and our State and local \npartners, we see an increased willingness of people to come \nforward and work with us. So I believe that number continues to \ngo higher and higher as we work with public and private \npartners.\n    Mr. King. Thank the Ranking Member.\n    The gentleman from Georgia, Mr. Broun.\n    Mr. Broun. Thank you, Mr. Chairman.\n    When CISPA was passed--several times now--a lot of people \nthat are concerned about privacy and civil liberties all across \nthe Nation were very fearful of that act because of the \npotential sharing of their own personal private information \nwith the Federal Government. Can you tell me how that kind of \ninformation is being protected or is there any protection on \npeople's privacy or civil liberties under CISPA?\n    Mr. Zelvin. Congressman, at the forefront of everything we \ndo is the protection of people's identifiable information, \nprivacy, and civil liberties. It is an hourly, daily focus for \nus. I will tell you, my folks are trained on a routine basis, \nwe are audited not only internally but also externally as far \nas our processes and procedures on how are we protecting that \ndata.\n    We don't require that as cyber defenders, and that is what \nwe do at DHS, at least in the NCCIC, we do not require \ninformation that is privacy, civil liberties in nature. 
The \ndefense mechanisms are really those 1's and 0's from an \nattacking IT or malicious software.\n    I will tell you there have been instances, although rare, \nand also small, where we will get something from something that \nwe thought was completely secure, and then we stop everything \nwe do, and we go through a process with attorneys, with privacy \nexperts, with civil liberties experts and making sure that if \nthere is an incursion that we are treating it properly, that \nthere is an ability to mitigate and to make sure that the spill \ndoesn't go beyond what we have already detected, and then, as I \nsaid, go through the process and procedures and see where we \nmay have failed that may have led to that. But as I said, that \nis a very rare occasion.\n    Mr. Broun. So there is no guarantee, though, that privacy \ninformation is not shared either direction, from the company to \nthe Federal Government or the Federal Government to other \nentities?\n    Mr. Zelvin. Congressman, despite our best efforts and every \nprocess and procedure we have, there will be occasions where I \nregret there may be times where there may be spills, where that \ngoes over. I think what is important is that we have the right \nprocesses, procedures, and oversight to make sure that when \nthose occasions occur that we do the right things in accordance \nwith the law, policy, and directives.\n    Mr. Broun. Mr. Chairman, I will wait until the closed \nsession for further questions.\n    Mr. King. Okay. In accordance with the unanimous consent \nrequest at the beginning of the hearing, we will now recess the \nhearing and reconvene in 10 minutes for closed session in HVC-\n302. 
I would ask the audience if they would just wait and allow \nthe witnesses to leave so we can take them to the location.\n    We stand in recess.\n    [Whereupon, at 11:00 a.m., the subcommittees proceeded in \nclosed session and were subsequently adjourned at 12:18 p.m.]\n\n                                 <all>\n</pre></body></html>\n"