b"<html>\n<title> - INVESTING IN CYBERSECURITY: UNDERSTANDING RISKS AND BUILDING CAPABILITIES FOR THE FUTURE</title>\n<body><pre>[Senate Hearing 113-]\n[From the U.S. Government Publishing Office]\n\n\n \n     INVESTING IN CYBERSECURITY: UNDERSTANDING RISKS AND BUILDING \n                      CAPABILITIES FOR THE FUTURE\n\n                              ----------                              \n\n\n                         WEDNESDAY, MAY 7, 2014\n\n                               U.S. Senate,\n                 Subcommittee on Homeland Security,\n                               Committee on Appropriations,\n                                                    Washington, DC.\n    The subcommittee met at 2:01 p.m., in room SD-192, Dirksen \nSenate Office Building, Hon. Mary L. Landrieu (chairman) \npresiding.\n    Present: Senators Landrieu, Coons, Coats, and Cochran.\n\n\n             opening statement of senator mary l. landrieu\n\n\n    Senator Landrieu. Good afternoon, everyone. Let me call our \nmeeting to order, please. This is a meeting of the \nAppropriations Subcommittee for Homeland Security. I appreciate \nbeing joined by my ranking member, Senator Coats, and I \nappreciate all the work of Senator Coons. Thank you for being \nhere as well. You've both been leaders in the area of \ncybersecurity and I appreciate your support and help.\n    I thank our panelists for being here.\n    I'm going to shorten my opening statement, turn it then to \nSenator Coats and Senator Coons if you have a brief opening \nstatement, go right into the panelists. We've had a vote called \nat 3:15, so we're going to try to see if we can work through \nthe next hour and a half and not have to come back after the \nvote. But we are very interested, of course, in the testimony, \nand that will be subject to change as we go.\n    But today we meet to review our level of investment in \ncybersecurity and the results that we have achieved to date. 
\nOur purpose is to better understand the new and emerging risk \nas well as the capabilities that we need to continue to build \nto secure our networks for the future.\n    Serving on both the Homeland Security subcommittee and the \nEnergy subcommittee, I believe that I have a unique \nperspective, along with other members as well, on the extent \nthat critical infrastructure throughout our country relies more \nand more on our interdependent technologies that we need to \ngrow, innovate, and keep our country thriving. Without the use \nof the Internet and advances in smart grid technology, for \ninstance, America's companies would not be able to keep the \npower on in the most affordable, efficient way our Nation has \never known.\n    Today we will talk about some of the vulnerabilities facing \nthese critical networks, what we're doing through Homeland \nSecurity to help and be supportive of keeping our Government \nand our economy strong and growing. We are all aware of some of \nthe threats that have occurred. We'll talk more specifically \nabout that, but I want to just thank you all for being a part \nof this hearing.\n    We've got a wonderful panel that I'll introduce in just a \nmoment, a first and a second panel. At this point I'm going to \nturn it over to Senator Coats for his opening remarks.\n\n\n                   statement of senator daniel coats\n\n\n    Senator Coats. Madam Chairman, thank you. I'm going to be \nbrief also, given that vote coming up and the fact that we want \nto get to the substance of this hearing.\n    We all know how interconnected we have become and \nunfortunately vulnerable, vulnerable to some bad actors that \nhave not only disrupted a lot of people's personal lives by \nsecuring their private information, but also pose a major \nthreat to our critical infrastructure. 
This cyber threat has \nbeen labeled by many in the security business and in our \nnational security and military as the number one threat to the \nUnited States. Now, there are a lot of threats out there, but \nthis is serious.\n    A number of us, the three of us on this panel that are here \ntoday and others, have been working for some amount of time \nthrough a couple of different Congresses to try to come up with \nlegislation that strengthens our ability to prevent these types \nof attacks and protect our critical infrastructure as well as \nthe retail outlets and American business and just about \neveryone who's affected with this. In fact, my law school alma \nmater, Indiana University, was hacked. Fortunately, they were \nable to--so this thing runs the gamut. It's not just our \nelectric grid and so forth, but it comes right down to our \nprivate lives and even our educational institutions.\n    So clearly we need to move forward with sensible \nlegislation. The Department of Homeland Security (DHS) plays a \nvery critical role, not only in protecting dot-gov, but also in \nbeing the portal through which a lot of this has to take place \nand work through in order to provide the kind of protections we \nneed. Whether it's information-sharing, whether it's working \ntogether with private sector and public sector, this is \nsomething that is urgent, and the longer we put it off the more \nvulnerable we become.\n    I'm pleased that on the second panel Scott Bowers from \nIndiana will be talking about the impact of this on the private \nsector. I'm glad to have him here.\n    Madam Chairman, I'm looking forward to the testimony and \nthe kind of questions and back and forth we can have to \nhopefully move this thing forward in an expeditious way.\n    Senator Landrieu. Thank you very much, Senator Coats.\n    Senator Coons.\n\n\n               statement of senator christopher a. coons\n\n\n    Senator Coons. Thank you, Madam Chair. 
I'm grateful to you \nfor your leadership on this, to Senator Coats for your \npartnership and leadership in this. This is a very real threat. \nWe have issues of jurisdiction, of funding, of workforce. We've \ngot a lot of good work to do and I'm really grateful for the \nservice of the folks who are going to be testifying in front of \nus today.\n    Thank you, Madam Chair. I'm eager to hear the testimony.\n    Senator Landrieu. Thank you very much.\n    Let me introduce our first panel: Mrs. Phyllis Schneck, \nDeputy Under Secretary for Cybersecurity, DHS, National \nProtection and Programs Directorate (NPPD); Mr. Peter Edge, \nExecutive Associate Director, Homeland Security Investigations \n(HSI); and Mr. William Noonan, Deputy Special Agent in Charge, \nCriminal Investigations, Cyber Operations, DHS, U.S. Secret \nService.\n    Thank you all, and we'll begin with your 5-minute \ntestimony.\n\nSTATEMENT OF DR. PHYLLIS E. SCHNECK, DEPUTY UNDER \n            SECRETARY FOR CYBERSECURITY, NATIONAL \n            PROTECTION AND PROGRAMS DIRECTORATE, \n            DEPARTMENT OF HOMELAND SECURITY\n    \n    Dr. Schneck. Good afternoon, Chairwoman Landrieu, Ranking \nMember Coats, Senator Coons. Thank you very much for the strong \nsupport that you've provided to the Department of Homeland \nSecurity and to the National Protection and Programs \nDirectorate. First and foremost, we look forward to continuing \nto work with you on these issues and securing our critical \ninfrastructure, our way of life, from that combined physical \nand cyber threat, as we are all connected, as you mentioned.\n    Thank you very much for the opportunity to appear before \nyou today to discuss our efforts for critical infrastructure \nresilience and cybersecurity. We focus very much on this \nthreat, this interconnected threat, as cybersecurity and cyber \nand connectivity connect all of us through our way of life, our \nwater, our banks, our electricity, all of our States. 
It's a \nprivilege today to sit at the table with my colleagues from the \nU.S. Secret Service, from Homeland Security Investigations, \nrepresenting that cybersecurity at the U.S. Department of \nHomeland Security is a unity of effort. It is one DHS. Along \nwith our colleagues in the U.S. Coast Guard, we also enjoy a \nstrong relationship with our Office of the Chief Information \nOfficer to ensure that our programs also run well on our \nnetwork and we learn from that which tries to attack the sweet \ntarget known as dhs.gov.\n    I'm going to talk about our operations, our major \ninvestments, and our overall strategic vision, starting at our \ncore, our National Cybersecurity and Communications Integration \nCenter (NCCIC), which some of you have been able to visit. \nThat--great analogy, Senator Coons--is our portal. It's our \n24x7 watch center, where we have cyber command and control, \nunderstanding inputs that come in 24x7 from trusted \nrelationships, from partnerships in the inter-agency, law \nenforcement, intelligence community, across DHS, and certainly \ninformation that we learn from our own programs, those things \nthat are protecting our stakeholders, our Federal civilian \nagencies, our State, local, tribal, territorial governments, as \nwell as the private sector.\n    One great example is the recent Heartbleed, a defect in a \npiece of software. When we found out as the U.S. Government \nthat this existed, again the ability for an adversary to \ndecrypt, thus make not confidential, traffic that was thought \nto be confidential through a defect in software--we found this \nout on April 7. Within 24 hours, DHS had full resources out on \nall of our Web sites for all of our stakeholders and was \nbeginning the process of scanning all of the U.S. 
Government \nagencies to find where that software might be running.\n    For our programs, we work through humans, we work through \nmachines; humans through trusted partnerships, again with our \nstakeholders and certainly across Federal and State government, \nand with our private sector, building that trust across \ninfrastructure, across cyber and communications, so that \ninformation can be shared quickly as we face an adversary that \nworks with great speed, has plenty of money, and has no lawyers \nand no way of life to protect.\n    We also have invested in the critical infrastructure \ncybersecurity community voluntary program to launch the efforts \nof the cybersecurity framework built by the National Institute \nof Standards and Technology (NIST) and DHS all of last year, to \ntake guidelines from cybersecurity and get them into even our \nsmallest companies, so that they can adopt good cybersecurity, \nbring it as a boardroom issue, and enable larger companies to \nnow request better standards of cybersecurity for those \ncompanies that supply them, connect to them, and protect all of \nour private information.\n    On the machine side, our programs protect our Federal \nGovernment agencies from things that come in and try to attack \nthem or vulnerabilities that can cause harm. We can also detect \nthose things. It's ``see something, say something,'' as with \nthe rest of Homeland Security. When those programs spot \nsomething on one agency, we then have the ability through our \nNCCIC, our core, our portal, to spot that behaviorally, like \nyour body fights a cold, and protect all the other agencies and \nthe private sector with that information, at the same time \nproviding all the best in privacy and civil liberties to the \nextent that our law provides, as well as showing the public \neverything we do. 
Full transparency is on our Web site.\n    So again, we are able to use Government information and \nprotect the private sector, and we roll that out to the \ncritical infrastructure as well as through enhanced \ncybersecurity services, using classified information to protect \nour private-sector entities, all the while combining what we \ncan see only in Government to protect all of our stakeholders.\n    We can also automate, running at machine speed, sending \ninformation about bad cyber behavior to everybody. So again \n``see something, say something,'' with the ability to, using \nour cybersecurity integration center, through human analysis, \nmachine analysis, all kinds of inputs from all kinds of \npartners, injecting that back into both automated programs as \nwell as automated information that we can disseminate as widely \nas possible, as quickly as possible.\n    So I've talked about a lot of high-profile programs. I \ndon't want to forget the importance of our talented workforce \nand building the talent of the future. It is a priority of \nSecretary Johnson and he and I went and visited two \nuniversities and we'll be doing more, and we spoke to students \nin Ph.D. programs as well as undergrad programs. I've also gone \nout and spoken with students at both the high school level and \nthe college level, so that we can begin to truly look at how we \nnot only show the talent of the future what DHS can do and what \nthey can learn from our larger mission, again from the Secret \nService, Homeland Security Investigations, U.S. 
Coast Guard, \nour CIO, Federal Emergency Management Agency (FEMA), and \nothers, but also we can identify that talent set that we'll \nneed to be training for, so that we can start to look at how we \nbuild that talent going forward.\n    I thank you very much again for your support and look very \nforward to working with you, continuing to work with you, as we \nbuild these programs and certainly, Chairwoman Landrieu, \nRanking Member Coats, and Senator Coons, look very forward to \nyour questions. Thank you.\n    [The statement follows:]\n               Prepared Statement of Dr. Phyllis Schneck\n                              introduction\n    Chairwoman Landrieu, Ranking Member Coats, and distinguished \nmembers of the subcommittee, let me begin by thanking you for the \nstrong support that you have provided the Department of Homeland \nSecurity (DHS) and the National Protection and Programs Directorate \n(NPPD). We look forward to continuing to work with you in the coming \nyear to ensure a homeland that is safe, secure, and resilient against \nterrorism and other hazards.\n    Thank you for the opportunity to appear before the committee today \nto discuss NPPD's efforts to strengthen the Nation's critical \ninfrastructure security and resilience against cyber events and other \ncatastrophic incidents. The President's fiscal year 2015 budget request \nfor NPPD is $2.9 billion, offset by $1.3 billion in collections for the \nFederal Protective Service. This request includes $746 million for \ncybersecurity capabilities and investments.\n    America's national security and economic prosperity are \nincreasingly dependent upon physical and digital critical \ninfrastructure that is at risk from a variety of hazards, including \nattacks via the Internet. I view integrating cyber and physical \nsecurity as integral to the larger goal of infrastructure security and \nresilience. 
DHS approaches physical security and cybersecurity \nholistically, both to better understand how they integrate and how best \nto mitigate the consequences of attacks that can cascade across all \nsectors of critical infrastructure. This risk management approach helps \ndrive the discussion at the executive level in organizations of all \nsizes across government and industry, where it can have the most impact \non resources and implementation.\n  leveraging integrated capabilities: implementing ppd-21 and eo 13636\n    On February 12, 2013, the President signed Executive Order (EO) \n13636, Improving Critical Infrastructure Cybersecurity and Presidential \nPolicy Directive (PPD) 21, Critical Infrastructure Security and \nResilience, which set out steps to strengthen the security and \nresilience of the Nation's critical infrastructure, and reflect the \nincreasing importance of integrating cybersecurity efforts with \ntraditional critical infrastructure protection. Taken together EO 13636 \nand PPD-21 are foundational efforts for helping drive the security \nmarket and provide a framework for critical infrastructure to increase \ntheir cybersecurity efforts. To implement both EO 13636 and PPD-21, the \nDepartment established an Integrated Task Force to lead DHS \nimplementation and coordinate interagency, public and private sector \nefforts, and to ensure effective integration and synchronization of \nimplementation across the homeland security enterprise.\n    The fiscal year 2015 budget request reflects targeted enhancements \nto continue implementation of the EO and PPD. Enhancements of $14 \nmillion, including 48 positions, are requested for the Critical \nInfrastructure Cyber Community (C\\3\\ or ``C-Cubed'') Voluntary Program; \nEnhanced Cybersecurity Services (ECS); Regional Resiliency Assessment \nProgram; National Coordinating Center (Communications) (NCC) 24x7 \ncommunications infrastructure response readiness. 
NPPD has partially \noffset these enhancements with $9 million in reductions to realign \nresources to support these key EO and PPD initiatives. The following EO \nand PPD initiatives in the fiscal year 2015 budget specifically enhance \ncyber capabilities:\nC\\3\\ Voluntary Program\n    The C\\3\\ Voluntary Program is a public-private partnership aligning \nbusiness enterprises as well as Federal, State, local, tribal, and \nterritorial (SLTT) governments to existing resources that will assist \ntheir efforts to use the National Institute of Standards and Technology \nCybersecurity Framework to manage their cyber risks as part of an all-\nhazards approach to enterprise risk management. The program emphasizes \nthree elements: converging CI community resources and driving \ninnovation and markets to support cybersecurity risk management and \nresilience through use of the Cybersecurity Framework; connecting CI \nstakeholders to the national resilience effort through cybersecurity \nresilience advocacy, engagement and awareness; and coordinating CI \ncross-sector efforts to maximize national cybersecurity resilience. The \n$6 million enhancement, including 10 positions, is requested to manage \nand support this program and increase the number of evaluations \ncompleted.\nEnhanced Cybersecurity Services\n    The ECS capability enables owners and operators of critical \ninfrastructure to enhance the protection of their networks from \nunauthorized access, exfiltration, and exploitation by cyber threat \nactors. 
The requested enhancement of 24 positions and $3 million allows \nECS to execute the operational processes and security oversight \nrequired to share sensitive and classified cyber threat information \nwith qualified Commercial Service Providers that will enable them to \nbetter protect their customers who are critical infrastructure \nentities.\nRegional Resiliency Assessment Program (RRAP)\n    The $5 million, including 11 positions, is requested to complete \nfive additional cyber-centric RRAPs. Through these RRAPs, NPPD will \nidentify cross-sector physical and cyber interdependencies and better \nunderstand the consequences of disruptions to lifeline sectors. We \noften observe that physical consequences can have cyber origins and \nanticipate that the findings will provide valuable data about the \nenergy, water, and transportation sectors and their reliance on cyber \ninfrastructure.\nNational Coordinating Center for Communications Operations\n    The proposed increase of three positions and $1 million in funding \nto the NCC will maintain 24x7 communications infrastructure response \nreadiness and requirements coordination between FSLTT and industry \nresponders. Due to the loss of staff previously provided to DHS from \nthe Department of Defense on a non-reimbursable basis, the NCC will no \nlonger be able to provide 24x7 readiness without these additional \nresources.\n                               heartbleed\n    The Department recently responded to a serious vulnerability, known \nas ``Heartbleed,'' in the widely used OpenSSL encryption software that \nprotects the electronic traffic on a large number of Web sites and \ndevices. 
Although new computer ``bugs'' and malware crop up almost \ndaily, this vulnerability is unusual in its pervasiveness across our \ninfrastructure, its simplicity to exploit, and the depth of information \nit compromises.\n    While the Federal Government was not aware of the vulnerability \nuntil April 7th, DHS responded in less than 24 hours, utilizing the \nNational Cybersecurity and Communications Integration Center (NCCIC) to \nrelease alert and mitigation information to the public, create \ncompromise detection signatures for the EINSTEIN system, and reach out \nto critical infrastructure sectors, Federal departments and agencies, \nSLTT governments, and international partners. Once in place, DHS also \nbegan notifying agencies that EINSTEIN signatures had detected possible \nactivity, and immediately provided mitigation guidance and technical \nassistance. Additionally, DHS worked with civilian agencies to scan \ntheir .gov Web sites and networks for Heartbleed vulnerabilities, and \nprovided technical assistance for issues of concern identified through \nthis process.\n    Of note, the Administration's May 2011 Cybersecurity Legislative \nProposal called for Congress to provide DHS with clear statutory \nauthority to carry out this operational mission, while reinforcing the \nfundamental responsibilities of individual agencies to secure their \nnetworks, and preserving the policy and budgetary coordination \noversight of OMB and the EOP. Even with the rapid and coordinated \nFederal Government response to Heartbleed, the lack of clear and \nupdated laws reflecting the roles and responsibilities of civilian \nnetwork security caused unnecessary delays in the incident response.\n                  integrated cybersecurity operations\n    Along with our operational assistance, DHS has several programs \nthat directly support Federal civilian departments and agencies in \ndeveloping capabilities that will improve their own cybersecurity \nposture. 
Through the Continuous Diagnostics and Mitigation (CDM) \nprogram, led by the NPPD Federal Network Resilience Branch, DHS enables \nFederal agencies to more readily identify network security issues, \nincluding unauthorized and unmanaged hardware and software; known \nvulnerabilities; weak configuration settings; and potential insider \nattacks. Agencies can then prioritize mitigation of these issues based \nupon potential consequences or likelihood of exploitation by \nadversaries.\n    Available to all Federal civilian agencies, the CDM program \nprovides diagnostic sensors, tools, and dashboards that provide \nsituational awareness to individual agencies and at a summary Federal \nlevel. This allows agencies to target their cybersecurity resources \ntoward the most significant problems, and enables comparison of \nrelative cybersecurity posture between agencies based upon common and \nstandardized information. The CDM contract can also be accessed by \ndefense and intelligence agencies, as well as by State, local, tribal, \nand territorial (SLTT) governments. 108 departments and agencies are \ncurrently covered by Memoranda of Agreement with the CDM program, \nencompassing over 97 percent of all Federal civilian personnel. In \nfiscal year 2014, DHS issued the first delivery order for CDM sensors \nand awarded a contract for the CDM dashboard. The $143 million and 15 \nstaff requested in fiscal year 2015 will support deployment of the \nFederal dashboard and capabilities to Federal agencies.\n    In addition, the National Cybersecurity Protection System (NCPS), a \nkey component of which is referred to as EINSTEIN, is an integrated \nintrusion detection, analytics, information sharing, and intrusion-\nprevention system utilizing hardware, software, and other components to \nsupport DHS responsibilities for protecting Federal civilian agency \nnetworks. 
In fiscal year 2015, the program will expand intrusion \nprevention, information sharing, and cyber analytic capabilities at \nFederal agencies, marking a critical shift from a passive to an active \nrole in cyber defense and the delivery of enterprise cybersecurity \nservices to decision-makers across cybersecurity communities.\n    In July 2013, EINSTEIN 3 Accelerated (E3A) became operational and \nprovided services to the first Federal Agency. As of February 2014, \nDomain Name System and/or email protection services are being provided \nto a total of seven departments and agencies. Full Operational \nCapability is planned for fiscal year 2016. With the adoption of E3A, \nDHS will assume an active role in defending .gov network traffic and \nsignificantly reduce the threat vectors available to malicious actors \nseeking to harm Federal networks. In fiscal year 2015, $378 million is \nrequested for NCPS. We will continue working with the Internet Service \nProviders to deploy intrusion prevention capabilities, allowing DHS to \nprovide active, in-line defense for all Federal network traffic \nprotocols.\n    It is important to note that the Department has strong privacy, \ncivil rights, and civil liberties standards implemented across its \ncybersecurity programs. DHS integrates privacy protections throughout \nits cybersecurity programs to ensure public trust and confidence. DHS \nis fully responsible and transparent in the way it collects, maintains, \nand uses personally identifiable information.\nOperational Response\n    Increased connectivity has led to significant transformations and \nadvances across our country and around the world. It has also increased \ncomplexity and exposed us to new vulnerabilities that can only be \naddressed by timely action and shared responsibility. 
Successful \nresponses to dynamic cyber intrusions require coordination among DHS, \nthe Departments of Justice (DOJ), State (DOS) and Defense (DOD), the \nIntelligence Community, the specialized expertise of sector specific \nagencies such as the Department of the Treasury, private sector \npartners--who are critical to these efforts--and SLTT, as well as \ninternational partners, each of which has a unique role to play.\n    DHS is home to the National Cybersecurity and Communications \nIntegration Center (NCCIC), a national nexus of cyber and \ncommunications integration. A 24x7 cyber situational awareness, \nincident response, and management center, NCCIC partners with all \nFederal departments and agencies, SLTT governments, private sector and \ncritical infrastructure owners and operators, and international \nentities. The NCCIC disseminates cyber threat and vulnerability \nanalysis information and assists in initiating, coordinating, \nrestoring, and reconstituting national security/emergency preparedness \n(NS/EP) telecommunications services and operates under all conditions, \ncrises, or emergencies, including executing Emergency Support Function \n#2--Communications Annex responsibilities under the National Response \nFramework.\n    The NCCIC also provides strategic cyber-threat analysis, through \nits United States Computer Emergency Readiness Team (US-CERT) and the \nIndustrial Control Systems Cyber Emergency Response Team (ICS-CERT) in \nconjunction with the National Infrastructure Coordinating Center \n(NICC), to reduce malicious actors exploiting vulnerabilities. Threat \nmanagement decisions must incorporate cyber threats based on \ntechnological as well as non-technological factors, and consider the \nvarying levels of security required by different activities. 
Since its \ninception in 2009, the NCCIC has responded to nearly a half million \nincident reports and released more than 37,000 actionable cybersecurity \nalerts to our public and private sector partners. In fiscal year 2013, \nNCCIC received 228,244 public and private sector cyber incident \nreports, a 41-percent increase from 2012, and deployed 23 response \nteams to provide onsite forensic analysis and mitigation techniques to \nits partners. NCCIC issued more than 14,000 actionable cyber alerts in \n2013, used by private sector and government agencies to protect their \nsystems, and had more than 7,000 partners subscribe to the NCCIC/US-\nCERT portal to engage in information sharing and receive cyber threat \nwarning information.\n    Further demonstrating NPPD's commitment to greater unity of effort \nin strengthening and maintaining secure and resilient critical \ninfrastructure against both physical and cyber threats, the NICC has \nmoved its watch operations center to collocate with the NCCIC. The NICC \nis the information and coordination hub of a national network dedicated \nto protecting critical infrastructure essential to the Nation's \nsecurity, health and safety, and economic vitality. In accordance with \nand supporting the physical-cyber integration directives of PPD-21, \nthis new integration will enhance effective information exchange, and \nimprove the alacrity of protection with real-time indicator sharing. \nConcurrently, the NCCIC will refine and clarify the NICC-NCCIC \nrelationship to advance national unity of effort within NPPD and the \nFederal Government.\nData Security Breaches\n    On December 19, 2013, a major retailer publicly announced it had \nexperienced unauthorized access to payment card data from the \nretailer's U.S. stores. The information involved in this incident \nincluded customer names, credit and debit card numbers, and the cards' \nexpiration dates and card verification-value security codes. 
Another \nretailer also reported a malware incident involving its point of sale \nsystem on January 11, 2014, that resulted in the apparent compromise of \ncredit card and payment information. A direct connection between these \ntwo incidents has not been established.\n    During both incidents, NPPD's NCCIC utilized its unique \ncybersecurity, information sharing and mitigation capabilities to help \nretailers across the country secure their systems to prevent similar \nattacks while simultaneously providing timely analysis to the United \nStates Secret Service (USSS). DHS's ability to provide a cross-\ncomponent response during this incident underscores the importance of \nleveraging complementary missions at the Department. Working closely \ntogether, elements with cyber capabilities such as the USSS, U.S. Coast \nGuard, Immigrations and Customs Enforcement's office of Homeland \nSecurity Investigations, Office of the Chief Information Officer, and \nNPPD are able to increase focus on not just responding to incidents but \nalso reducing vulnerabilities, protecting against future attacks, and \nmitigating consequences.\n    In response to this incident, NCCIC/US-CERT analyzed the malware \nidentified by the USSS as well as other relevant technical data and \nused those findings, in part, to create two information sharing \nproducts. The first product, which is publicly available and can be \nfound on US-CERT's Web site, provides a non-technical overview of risks \nto point of sale systems, along with recommendations for how businesses \nand individuals can better protect themselves and mitigate their losses \nin the event an incident has already occurred. The second product \nprovides more detailed technical analysis and mitigation \nrecommendations, and has been securely shared with industry partners to \nenable their protection efforts. 
NCCIC's goal is always to share \ninformation as broadly as possible, including by producing actionable \nproducts tailored to specific audiences.\n    While the criminal investigation into these activities is on-\ngoing, NPPD, through the NCCIC and other organizations, continues to \nbuild shared situational awareness of similar threats among our private \nsector and government partners and the American public at large. At \nevery opportunity, the NCCIC and our private sector outreach program \npublish technical and non-technical products on best practices for \nprotecting businesses and customers against cyber threats and provide \nthe information sharing and technical assistance necessary to address \ncyber threats as quickly as possible. DHS remains committed to ensuring \ncyberspace is supported by a secure and resilient infrastructure that \nenables open communication, innovation, and prosperity while protecting \nprivacy, confidentiality, and civil rights and civil liberties by \ndesign.\n       understanding cyber and physical critical infrastructure \n                           interdependencies\n    One of NPPD's top priorities is providing our government and \nprivate sector partners with the information, analysis, and tools they \nneed to protect our Nation's critical infrastructure in the face of \nphysical and cyber risks. Key to this effort is understanding the \nconsequences of potential disruptions to critical infrastructure, \nincluding interdependencies and cascading impacts, from all hazards to \nbetter equip and prepare our partners and stakeholders. 
Understanding \nconsequences helps identify potential mitigation measures and \nprioritize the allocation of limited resources for both government and \nprivate sector.\n    In February of 2014, NPPD established the Office of Cyber and \nInfrastructure Analysis to implement elements of PPD-21, which calls \nfor integrated analysis of critical infrastructure, and EO 13636, \nidentifying critical infrastructure where cyber incidents could have \ncatastrophic impacts to public health and safety, the economy, and \nnational security. An Integrated Analysis Cell was established to \nprovide near real-time information to NPPD's two operational centers: \nthe National Infrastructure Coordinating Center (NICC) and National \nCybersecurity and Communications Integration Center (NCCIC). Similarly \nthe work that has been done to implement section 9 of EO 13636 through \nthe Cyber-Dependent Infrastructure Identification Working Group \nexemplifies how the skills that have been developed in NPPD over the \nyears focused on critical infrastructure can similarly be applied to \nanalyzing cyber infrastructure. $33 million is requested in fiscal \nyear 2015 to support these efforts.\nEngaging with Federal, SLTT, and Private Sector Entities\n    NPPD is committed to engaging with Federal, SLTT, and private \nsector stakeholders. More than 1,100 participants were involved in the \ndevelopment of NIPP 2013, providing thousands of comments reflecting \nour partners' input and expertise. NPPD has become increasingly focused \non engaging stakeholders at the executive level, and working with the \nDOE, will implement a sustained outreach strategy to energy sector \nChief Executive Officers to elevate risk management of evolving \nphysical and cyber threats to the enterprise level. 
NPPD will also \nexplore similar efforts across the critical infrastructure community.\n    NPPD serves as a principal coordination point for stakeholder \nengagement for Cybersecurity through the Cyber Security Evaluation \nProgram (CSEP). CSEP provides voluntary evaluations intended to \nenhance cybersecurity capacities and capabilities across all 16 \nCritical Infrastructure Owner/Operators, as well as SLTT governments \nthrough its Cyber Resilience Review (CRR) process. The goal of the CRR \nis to develop an understanding and measurement of key cybersecurity \ncapabilities and provide meaningful maturity indicators to an \norganization's operational resilience and ability to manage risk to its \ncritical services during normal operations and times of operational \nstress and crisis.\n                         vision for the future\n    DHS has a solid foundation upon which to build and enhance future \ncybersecurity capabilities to ensure information resilience against an \nadversary that leverages the best of technology and doesn't lack for \nfunding. DHS continues to strengthen trust and public confidence in the \nDepartment through the foundations of partnership, transparency, and \nprotections for privacy and civil liberties, which is built in to all \nthat we do. Our Department is the lead civilian agency responsible for \ncoordinating the national protection, prevention, mitigation, and \nrecovery from cyber incidents across civilian government, State, local, \ntribal, territorial (SLTT) and private sector entities of all sizes. \nDHS leverages our interagency and industry partnerships as well as the \nbreadth of our cyber capabilities extending from NPPD, Immigration and \nCustoms Enforcement's Homeland Security Investigations, U.S. Coast \nGuard and U.S. 
Secret Service, to make our NCCIC the source for dynamic \ndata aggregation of global cyber indicators and activity.\n    We are working to further enable the NCCIC to receive and \ndisseminate information at ``machine speed.'' \\1\\ This enhanced \ncapability will enable networks to be more self-healing, as they use \nmathematics and analytics to mimic restorative processes that are \ncurrently done manually. Ultimately, this will enable us and our \npartners to better recognize and block threats before they reach their \ntargets, thus deflating the goals for success of cyber adversaries and \ntaking botnet response from hours to seconds in certain cases. We are \nworking with the DHS Science & Technology Directorate in many areas to \ndevelop and support these capabilities for NCCIC. The science of \ndecisionmaking is about seeing enough behavior to differentiate the \ngood from the bad, and that comes from the collective information of \nindustry and Government. That is voluntarily provided to us because of \nunderlying trust. This effort is currently being built in our \nStructured Threat Information Expression (STIX) and Trusted Automated \neXchange of Indicator Information (TAXII <SUP>TM</SUP>) programs that \nwe have begun offering as a free method for machine-to-machine sharing \nof cyber threat indicators to others in the Government and private \nsector.\n---------------------------------------------------------------------------\n    \\1\\ Automatically sending and receiving cyber information as it is \nconsumed and augmented based on current threat conditions, creating a \nprocess of automated learning that emulates a human immune system and \ngets smarter as it is exposed to new threats.\n---------------------------------------------------------------------------\n    We must increase data exchange and information flow with industry \nthrough stakeholder engagement to optimize the information shared \nvoluntarily. 
This must be done in a manner that promotes privacy and \ncivil liberties protections, focusing on the sharing of cyber threat \ninformation that is non-attributable and anonymized to the greatest \nextent feasible.\n    DHS's extensive visibility into attacks on government networks must \nbe fully leveraged to protect all government networks as well as our \ncritical infrastructure and local entities, in a way that is consistent \nwith our laws while preserving the privacy and individual rights of \nthose we protect. Legislation providing a single clear expression of \nDHS cybersecurity authority would greatly enhance and speed up the \nDepartment's ability to engage with affected entities during a major \ncyber incident and dramatically improve the cybersecurity posture of \nFederal agencies and critical infrastructure.\n                               conclusion\n    Infrastructure is the backbone of our Nation's economy, security \nand health. We know it as the power we use in our homes, the water we \ndrink, the transportation that moves us, and the communication systems \nwe rely on for business and everyday life. We have an extremely \ndedicated and talented workforce engaged in activities that advance our \nmission to protect that information and their innovation will continue \nto propel NPPD and DHS forward in fiscal year 2015 and beyond. Each \nemployee is dedicated to a safe, secure, and resilient infrastructure \nthat enables our way of life to thrive.\n    Chairwoman Landrieu, Ranking Member Coats, and distinguished \nmembers of the subcommittee, thank you all for your leadership in \ncybersecurity and for the opportunity to discuss the fiscal year 2015 \nPresident's budget request for NPPD's cybersecurity efforts. I look \nforward to any questions you may have.\n\n    Senator Landrieu. Thank you very much.\n    Mr. Edge.\n\nSTATEMENT OF PETER T. 
EDGE, EXECUTIVE ASSOCIATE \n            DIRECTOR, HOMELAND SECURITY INVESTIGATIONS, \n            IMMIGRATION AND CUSTOMS ENFORCEMENT, \n            DEPARTMENT OF HOMELAND SECURITY\n    \n    Mr. Edge. Good afternoon, Chairwoman Landrieu, Ranking \nMember Coats, and Senator Coons. Thank you for the opportunity \nto appear before you today to discuss the risks of cyber crime \nand the impact of U.S. Immigration and Customs Enforcement's \nHomeland Security Investigations' role with respect to \nconducting investigations and building capabilities to protect \nour Nation's borders and enhance public safety for the future.\n    The Internet poses a significant challenge to law \nenforcement. When a criminal never has to meet his victim face-\nto-face, but can hide behind what appears to be a legitimate \nWeb site, consumer fraud runs rampant. When criminal \norganizations can employ technical means to steal intellectual \nproperty, American ingenuity is stymied. When money-launderers \ncan utilize non-traditional Internet-based financial services, \ncircumventing regulatory safeguards and public safety, that's a \ndetriment and a danger to our country.\n    Criminal networks are becoming increasingly sophisticated \nin taking advantage of the many ways in which the Internet can \nstreamline communications, financing, and logistics, just as it \ndoes for legal enterprise. As a consequence, law enforcement \nagencies must respond by properly preparing investigators for \nwork in cyber space. 
As information systems and computer \nnetworks become increasingly prolific, the technical challenges \nfacing law enforcement investigations of criminals operating \nthrough the Internet grow daunting, and the considerations in \ncollecting electronic evidence become increasingly complex.\n    Our Cyber Crime Center, which was established in 1997, \nbrings the full range of Homeland Security Investigations cyber \ninvestigations and computer forensics assets together in a \nsingle location to coordinate global investigations and to \nprovide to our field offices in their efforts to combat cyber-\nenabled crime. The scope of these investigations includes any \ninstance where information technology or computer networks are \nsubstantially employed to facilitate international smuggling, \nmoney-laundering, and Internet-based financial frauds or \nidentity theft, even proliferation of strategic commodities or \nthe digital theft of intellectual property or export-controlled \ntechnical data. Trafficking in child pornography and other \nchild exploitation crimes are also a significant focus for us.\n    The Cyber Crime Center further works to develop tools and \ncapabilities to conduct online cyber investigations, focusing \non collaborative relationships with other Government agencies, \nto include DHS's Science and Technology, our friends at NPPD, \nNational Cybersecurity Communications Integration Center, and \nour domestic and international law enforcement partners, \nespecially our DHS counterpart, the United States Secret \nService, as well as EUROPOL.\n    The Cyber Crime Center's budget has increased by more than \n$30 million since 2011, expending $137 million in fiscal year \n2013. This growth underscores the increasing role the Internet \nplays in criminal activity and the need for skill and diligence \nto thwart crime in cyber space.\n    U.S. 
Immigration and Customs Enforcement has recognized the \npotential for criminal exploitation and the money-laundering \nthreat posed by virtual currency. We therefore strategically \ndeployed a multi-pronged investigative strategy designed to \ntarget illicit virtual currency, currency exchangers, and \nunderground black markets, such as carding, illegal drugs, \nillegal firearms, and child pornography forums.\n    HSI has established itself as a world leader in online \nexploitation investigations because of the breadth of its \nauthorities and presence throughout the world. In fiscal year \n2013 alone, our agency was responsible for more than 2,000 \ncriminal arrests relating to child exploitation, while \nlaunching in excess of 4,000 child exploitation investigations \nworldwide. Both are new records for Homeland Security \nInvestigations and the Department of Homeland Security.\n    In 2013 there were 927 children identified as victims \nduring the course of Immigration and Customs Enforcement (ICE) \nHSI-led joint online child exploitation investigative work.\n    The Cyber Crime Center oversees the agency's computer \nforensics program, which comprises approximately 250 computer \nforensics agents and analysts. Our computer forensics agents \njointly train with the Secret Service and Internal Revenue \nService (IRS) Criminal Investigations. Homeland Security \nInvestigations' computer forensics agents (CFAs) also support \ninvestigations in the use of digital media as well as support \nto Federal, State, and local law enforcement upon request.\n    In fiscal year 2013, HSI-CFA has encountered approximately \n3.9 petabytes of data, equal to approximately 62 billion pages \nof image files or 71 billion pages of Powerpoint files. In \nApril 2013, we engaged in a relationship with the National \nAssociation to Protect Children (PROTECT) to launch the Human \nExploitation Rescue Operative (HERO), Child Rescue Corps. 
\nDuring the 12-month internship, we hired wounded warriors who \nwere integral in conducting computer forensics law enforcement-\nbased investigations.\n    Senator Landrieu. You have to try to wrap up if you would.\n    Mr. Edge. The Cyber Center will continue to evaluate its \ncyber capabilities, programs, and training, and will make sure \nthe agency can effectively continue combating this ever-\nchanging landscape in the future.\n    Thanks again for the opportunity to appear before you, and \nI look forward to answering any questions you may have.\n    [The statement follows:]\n                  Prepared Statement of Peter T. Edge\n                              introduction\n    On behalf of the men and women of U.S. Immigration and Customs \nEnforcement (ICE), thank you for the opportunity to appear before you \ntoday to discuss cybersecurity and the impact ICE's Cyber Crime Center \n(C\\3\\) makes with respect to protecting our Nation's borders and \nenhancing public safety. C\\3\\ has been in existence since 1997 and was \ncreated to support the investigative mission of the U.S. Customs \nService. Now, 17 years later, C\\3\\ is recognized worldwide as a center \nof excellence in cyber law enforcement. ICE expenditures for cyber \ncrime investigations have increased 39 percent since fiscal year 2010. 
\nAdditionally, cyber crimes investigations account for 9 percent of \ntotal Domestic Investigations expenditures compared to 6.5 percent in \nfiscal year 2010.\n\n \n----------------------------------------------------------------------------------------------------------------\n                                                                                                   Fiscal year\n                                                                                                  2010 to fiscal\n                        Fiscal year:                           2010     2011     2012     2013      year 2013\n                                                                                                     variance\n----------------------------------------------------------------------------------------------------------------\nCyber Crime & Child Pornography Investigations.............      $92      $98     $109     $119             $28\nCyber Crimes Center........................................       16       17       11       18               2\n                                                            ----------------------------------------------------\n      Total Cyber Crimes Expenditures......................      108      115      120      137              30\n                                                            ====================================================\nPercent of Total Expenditures..............................     6.5%     6.8%     7.0%     8.6%           27.4%\n                                                            ----------------------------------------------------\n      Total HSI Domestic Expenditures......................   $1,648   $1,701   $1,723   $1,596            $(52)\n----------------------------------------------------------------------------------------------------------------\n\n    ICE Homeland Security Investigations (HSI) is the principal \ninvestigative arm of the U.S. 
Department of Homeland Security (DHS) and \nthe second largest Federal criminal investigative agency, with broad \nlegal authority to enforce more than 400 Federal statutes. HSI has \ntaken a leading role in coordinating domestic and international law \nenforcement actions among our law enforcement partners through several \ncenters of excellence that we lead--including C\\3\\.\n    The Internet poses a significant challenge to law enforcement. When \na criminal never has to meet his victim face to face, but can hide \nbehind what appears to be a legitimate Web site, consumer fraud runs \nrampant. When transnational criminal organizations employ technical \nmeans to steal intellectual property, American ingenuity is stymied. \nWhen money launderers utilize non-traditional, Internet-based financial \nservices, circumventing regulatory safeguards, public safety is further \nthreatened. Criminal networks are becoming increasingly sophisticated \nin taking advantage of the many ways in which the Internet can \nstreamline communications, financing, and logistics--just as it does \nfor legal enterprise. As a consequence, law enforcement agencies must \nrespond by properly preparing investigators for work in cyberspace. As \ninformation systems and computer networks become increasingly prolific, \nthe technical challenges facing law enforcement investigations of \ncriminals operating on, or through, the Internet grow daunting, and the \nconsiderations in collecting electronic evidence become increasingly \ncomplex. A recent HSI enforcement action targeting intellectual \nproperty violations saw the deployment of 5 percent of HSI's Computer \nForensics Agents (CFAs) in a single day. 
These CFAs were tasked with \nsecuring the electronic evidence from nine Web sites, and they will be \nheavily involved in sorting through the evidence for potential \nprosecutions.\n                          cyber crimes center\n    C\\3\\ brings the full range of ICE cyber investigations and computer \nforensic assets together in a single location to coordinate global \ninvestigations and to provide support to our field offices in their \nefforts to combat cyber-enabled crime. C\\3\\ is comprised of three units: \nthe Cyber Crimes Unit, the Computer Forensics Unit, and the Child \nExploitation Investigations. The C\\3\\ facility houses a cyber \ninvestigations training room and a computer forensics laboratory. The \nCenter is staffed by special agents, intelligence research specialists, \ncomputer forensics analysts, and mission support personnel. Each of \nC\\3\\'s units plays an integral role in supporting investigations of \ncybercrime and cyber-enabled crime. The scope of these investigations \nincludes any instance where information technology, or computer \nnetworks are substantially employed to facilitate international \nsmuggling, money laundering, Internet-based financial frauds or \nidentity theft, proliferation of strategic commodities or the theft of \nexport controlled technical data, and trafficking in child pornography \nand other child exploitation crimes. The Cyber Crimes Unit and Child \nExploitation Investigations Unit provide coordination, de-confliction, \nresources, training, and subject matter expertise in these \ninvestigations. The Computer Forensics Unit oversees the agency's \ncomputer forensics program, including the agency's participation in, \nand contributions to, the Treasury Computer Forensics Training Program.\nCyber Crimes Unit\n    The Cyber Crimes Unit supports HSI investigations of cyber enabled \ncriminal activities. 
The Cyber Crimes Unit provides oversight, \ncoordination, de-confliction, resources, and subject matter expertise \nto HSI offices in the investigation of international smuggling, \nproliferation, fraud, and money laundering activities where information \nsystems, networks, and the Internet serve as significant facilitating \nmechanisms for the crime. The Cyber Crimes Unit particularly focuses \nits efforts towards cyber economic crimes involving financial fraud, \nthe theft of digital intellectual property and technical data \ncontrolled under export laws, and the targeting of cross-border illicit \nInternet marketplaces. The Cyber Crimes Unit also works to develop and \ndeliver training to HSI personnel in the investigation of cyber-enabled \ncrimes. The Cyber Crimes Unit further works to support HSI cyber \ninvestigations through its Emerging Technology program which focuses on \ncollaborative relationships with other government agencies and academic \ninstitutions intended toward development of technical solutions to \ntechnical problem sets facing law enforcement.\nEmerging Technologies\n    The Cyber Crimes Unit is also dedicated to the development of tools \nand capabilities to conduct online cyber investigations. Emerging \ntechnology, such as The Onion Router, also known as TOR, or the \nutilization of virtual currencies, allow the transnational criminal \norganizations to navigate in cyberspace anonymously. C\\3\\ has partnered \nwith DHS Science and Technology to collaborate with academia and other \npartners to develop tools and best practices, to stay abreast of \nemerging technologies and continue to lean in to prevent and deter \nillegal activities.\nVirtual Currency\n    In contrast to traditional currency, monetary instruments, or other \nmethods of transferring value, virtual currencies serve as mediums of \nexchange, but are not accepted as legal tender in any recognized \ngovernment jurisdiction. 
However, virtual currencies can be used to \nconduct transactions entirely within a virtual economy, transferred \nbetween individuals, or used in lieu of a government-issued currency to \npurchase goods and services.\n    The appeal of virtual currencies, especially ``open'' or \n``convertible'' currencies that can be exchanged for traditional \ncurrency, and vice versa, is that they may allow value to be \ntransferred much more rapidly and cheaply (especially internationally) \nthan through traditional banking payment systems, and often with \ngreater anonymity and reduced oversight.\n    ICE has recognized the potential for criminal exploitation and the \nmoney laundering threat posed by virtual currency. ICE has, therefore, \nstrategically deployed a multi-prong investigative strategy designed to \ntarget illicit virtual currency platforms, currency exchangers, and \nunderground black markets such as ``carding,'' illegal drugs, illegal \nfirearms, and child pornography forums.\n    ICE recognizes that our approach to combating the illicit use of \nvirtual currency systems must include collaboration and coordination \nwith our domestic and international partners. To that end, ICE works \nclosely with our Federal, State, local, and international law \nenforcement partners, and other members of the interagency.\n                         recent investigations\nCrack99\n    Among HSI's broad investigative authority, we are the primary \nenforcer of the Arms Export Control Act and as such have responsibility \nto work with industry to safeguard this data from being exploited and \nsmuggled out of the country. 
This includes the investigation of Web \nsites that offer the sale of prohibited items as well as transnational \ncriminal organizations that steal the data without the knowledge of \nindustry.\n    HSI Philadelphia learned during a private industry outreach \nmeeting, of an online company known as Crack99, believed to be involved \nin the illegal sale of U.S.-manufactured software products. HSI \ncollaborated with Defense Criminal Investigative Services and conducted \nnumerous undercover purchases of stolen software from Crack99. Once \npayment had been made and accepted in China, the software was posted \nand received, often compressed into specialty files and then \n``cracked'' to overcome the license restrictions. The software programs \nwere used in multiple design and engineering systems that had a broad \nrange of user applications to include: explosive simulation, aircraft \nmission simulation, oil field management, antenna design and radio \nfrequency signaling.\n    Many of the U.S.-manufactured software programs offered by Crack99 \nwere controlled for export and were subject to the Department of \nCommerce's Export Administration Regulations. The estimated monetary \nloss of these illegal software sales conducted by Crack99 was valued at \napproximately $1 million. Crack99 had ``cracked'' the software of \nthousands of U.S. businesses.\n    HSI Special Agents identified the U.S.-based servers and seized all \naccounts, Web sites and domains associated with Crack99's distribution \nof stolen software. Two servers and six domain names were seized. The \nthree main suspects were charged, convicted and sentenced for various \nviolations of conspiracy, fraud, smuggling and copyright infringement.\nMt. Gox\n    In May 2013, through an interagency taskforce led by ICE in \nBaltimore, Maryland, three U.S. bank accounts associated with what was \nthen the world's largest Bitcoin (a specific virtual currency) \nexchanger, Japan-based Mt. 
Gox, were seized for violations of 18 U.S.C. \nsection 1960, operating a money service business in the United States \nwithout a license. Some of the funds were linked to the illicit \npurchase of drugs, firearms, and child pornography. These and many \nother ongoing criminal investigations have provided ICE with a better \nunderstanding of the risks and challenges posed by virtual currencies.\nOnline Child Exploitation Investigations\n    ICE has established itself as a world leader in online child \nexploitation investigations due to the breadth of its authorities and \npresence throughout the world. Under the auspices of Operation Predator, \nHSI child exploitation investigations focus on the enforcement, \ndisruption and dismantlement of individuals and groups involved in the \npossession, receipt, distribution, transportation, and production of \nchild pornography. Since the launch of Operation Predator in 2003, HSI \nhas initiated more than 30,700 criminal investigations; arrested more \nthan 10,900 child predators; and contributed to more than 8,000 \nindictments and criminal convictions for child exploitation violations. \nIn fiscal year 2013 alone, our agency was responsible for over 2,000 \ncriminal arrests relating to child exploitation, while launching in \nexcess of 4,000 child exploitation investigations worldwide, both new \nrecords for HSI. In fiscal year 2013, there were 927 children \nidentified as victims during the course of ICE HSI-led or joint child \nexploitation and/or child sex tourism investigations. Key to HSI's \nfight against child exploitation is HSI's C\\3\\. C\\3\\ directs HSI in its \nmission to investigate large-scale producers and distributors of child \npornography, as well as individuals who travel abroad for the purpose \nof engaging in sex with minors, also known as Child Sex Tourism (CST). 
\nC\\3\\ employs the latest technology to collect evidence of persons and \norganized groups who sexually exploit children through the use of Web \nsites, chat rooms, newsgroups and peer-to-peer trading. C\\3\\ also \nprovides assistance to HSI field offices, coordinates major \ninvestigations, and conducts undercover operations throughout the world \nto identify and apprehend violators.\nOperation Round Table\n    In March 2014, HSI completed the largest online child exploitation \ninvestigations in ICE's history, involving victims in 39 States and \nfive countries. Fourteen men operating a child pornography Web site on \nthe Darknet's Onion Router (TOR) were arrested and charged as part of a \nconspiracy to operate a child exploitation enterprise, following an \nextensive international investigation by HSI and the U.S. Postal \nInspection Service (USPIS).\n    To date, investigators have identified 251 minor victims in 39 \nStates and five foreign countries: 228 in the United States and 23 in \nthe United Kingdom, Canada, New Zealand, Australia and Belgium. Eight \nof the victims were female and 243 were male. The majority of victims, \n159, were 13 to 15 years old; 59 victims were 16 and 17; 26 victims \nwere 10 to 12; four victims were 7 to 9; one victim was 4 to 6; and two \nvictims were 3 years old or younger. All victims have been contacted by \nlaw enforcement and U.S. victims have been offered support services \nfrom HSI victim assistance specialists.\nVictim Identification Program\n    Although the traditional law enforcement goal in combating child \nexploitation is normally viewed to be ``arresting and prosecuting \npredators,'' the true goal is to protect children. In furtherance of \nthis goal, HSI launched the Victim Identification Program (VIP) in \nDecember 2011. Its mission is to combine technological and \ninvestigative capabilities and resources to rescue child victims of \nsexual exploitation. 
The VIP is a simple idea that combines traditional \ninvestigative techniques with cutting edge technology for the purposes \nof rescuing child victims of sexual exploitation. The victim \nidentification process starts with the discovery of new child abuse \nmaterial (images, video, and/or audio) that depicts an unidentified \nminor or minors being sexually abused. HSI analyzes and enhances the \nmaterial in order to identify clues that may lead to the identity of \nthe victim, suspect or geographic location. When enough clues come \ntogether to form a viable lead, the lead is sent out to the appropriate \nHSI field office for follow-up investigation. During its first 2 years \nof operation, the VIP has been responsible for more than 180 victims \nidentified and/or rescued from around the country. HSI is increasingly \nshifting its focus and dedicating more of its time and resources \ntowards identifying and rescuing the victims of child sexual \nexploitation and the prevention of these crimes. This focus on victims \nis not in conflict with ongoing efforts to arrest and prosecute the \nperpetrators of these horrendous crimes as the identification of \nvictims often leads to the arrest of their abusers.\nProject iGuardian\n    In April 2014, ICE launched an educational outreach program called \nProject iGuardian, in conjunction with the National Center for Missing \nand Exploited Children's NetSmartz and the Internet Crimes Against \nChildren (ICAC) Task Forces. Project iGuardian is an outreach awareness \nprogram that aims to educate kids, teens, and parents about online \nsafety and how to stay safe from online sexual predators. HSI \nrecognizes the importance of education and community awareness \nregarding the dangers of online activity. 
Project iGuardian aims to \ncounter a disturbing fact: many online child predators are able to find \nvictims online because children are not aware of how dangerous online \nenvironments can be.\nVirtual Global Taskforce\n    ICE is a founding member and the U.S. representative of the Virtual \nGlobal Taskforce (VGT), an international alliance of law enforcement \nagencies and private industry sector partners working together to \nprevent and deter online child sexual abuse. In December 2012, HSI was \nappointed chair and secretariat of the VGT. The Deputy Assistant \nDirector of C\\3\\ assumed the duties of chair for a 3-year tenure. At \nthe same time HSI was appointed the chair, the VGT also agreed to \ninclude investigations of CST into its portfolio.\nOperation Predator--Smartphone App\n    In September of 2013, HSI launched a new smartphone app, the first \nof its kind in U.S. Federal law enforcement, designed to seek the \npublic's help with fugitive and unknown suspect child predators. All \ntips can be reported anonymously through the app, by phone or online, \n24 hours a day, 7 days a week. In many cases, HSI has been able to make \nan arrest just hours after issuing a nationwide plea for public \nassistance. These cases demonstrate the power of the press, social \nmedia and the general public in helping solve cases.\nComputer Forensics Program\n    C\\3\\ operates and maintains a robust computer forensics program. \nHSI computer forensic agents/analysts (CFAs) support all HSI \ninvestigations involving the use of digital media, as well as provide \nsupport to Federal, State and local law enforcement upon request. The \ncomputer forensic program is currently comprised of approximately 250 \nCFAs located in over 110 domestic and foreign HSI offices. 
The CFAs \noperate in various environments, supporting investigations to include \nadvanced mobile device data extraction, hard drive repair, data mining \nof large multi-terabyte data sets, password decryption, border search \nof electronic devices and on-scene computer forensic assistance. For \nexample, HSI CFAs were instrumental in the seizure of closed circuit \nvideo systems that were used in the identification of the Boston \nMarathon bombing suspects and provided key support for the analysis of \nsuspect media related to Operation Round Table detailed above.\n    In fiscal year 2013, HSI CFAs encountered approximately 3.9 \npetabytes of data (equal to approximately 62 billion pages of image \nfiles or 71 billion pages of power point files) and analyzed over 4,400 \nmobile devices; this is a 45-percent increase in the volume of data \nencountered and a 35-percent increase in the number of mobile devices \nanalyzed from the previous fiscal year.\n    HSI is a founding member of the Treasury Computer Forensic Training \nProgram (TCFTP), which is a joint computer forensic training initiative \nbetween HSI, the U.S. Secret Service and the Internal Revenue Service-\nCriminal Investigations. Management of the training program rotates \nevery 2 years, with HSI responsible for administering the program for \n2014 and 2015. For 2014, it is anticipated that approximately 200 \nindividuals will receive basic or advanced computer forensic training \nthrough the joint training program. This program was designed to \nprovide CFAs operating in the field with the skills necessary to \nsupport the ever changing environment of the computer forensic \nrequirements for HSI's investigative mission. 
In addition to providing \ntraining through the TCFTP, the computer forensic program regularly \nprovides computer forensic training for capacity building efforts to \nforeign law enforcement.\nHuman Exploitation Rescue Operative Child Rescue Corps\n    In April 2013, ICE entered into a partnership with U.S. Special \nOperations Command and the National Association to Protect Children \n(PROTECT) to launch the ``Human Exploitation Rescue Operative (HERO) \nChild Rescue Corps'' program. The 12-month internship program is a \nhighly competitive, highly selective non-paid internship, designed for \nwounded, injured and ill Special Operations Forces to receive training \nin high-tech computer forensics and law enforcement skills to assist \nHSI and law enforcement in their efforts to combat child sexual \nexploitation. Upon successful completion of the training, HERO \nparticipants are embedded into computer forensic analyst positions \nwithin HSI offices to receive on-the-job training experience. Fifteen \nHERO participants of the inaugural class have successfully completed \nall aspects of the program thus far and HSI is in the process of extending \noffers of employment to all 15 individuals under the Veterans' \nRecruitment Appointment authority. The HERO program is in the process \nof recruiting, interviewing and selecting candidates for the 2nd HERO \nclass, which is scheduled to begin in August 2014.\nDHS Secretary's Honors Program--Cyber Student Initiative\n    The DHS Cyber Student Volunteer Initiative, introduced in 2013 by \nDHS and HSI, offered college students majoring in a cybersecurity-\nrelated field an unpaid volunteer position to gain invaluable hands-on \nexperience at a DHS component agency. 
HSI was the sole DHS component to \nparticipate in the inaugural program, which was designed to provide \nhigh-performing students with challenging work projects, real-life \nlearning scenarios, and mentoring from cybersecurity professionals at \nvarious HSI field offices. Based on the success of the program, DHS and \nHSI offered the Student Volunteer Initiative program again in 2014, \nwhich was expanded to include new volunteer opportunities at the U.S. \nSecret Service, the U.S. Coast Guard, the Transportation Security \nAdministration, the Office of Intelligence and Analysis, the DHS Office \nof the Chief Information Officer, and State and major urban area fusion \ncenters.\n                               conclusion\n    Thank you again for the opportunity to appear before you to \nhighlight ICE's Cyber Crime Center and the significant role we \ncontribute in combating transnational criminal organizations operating \nin cyberspace and in an increasingly more complex and sophisticated \nvirtual reality. As the cyber world and other new virtual technologies \ncontinue to evolve, ICE will remain vigilant and adapt its \ninvestigative tools and techniques to dismantle those criminal \norganizations that use this platform to hide illicit activity.\n\n    Senator Landrieu. Thank you so much for that excellent \ntestimony.\n    Mr. Noonan.\n\nSTATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN \n            CHARGE, CRIMINAL INVESTIGATIVE DIVISION--\n            CYBER OPERATIONS, SECRET SERVICE, \n            DEPARTMENT OF HOMELAND SECURITY\n   \n   Mr. Noonan. Yes, ma'am. Good afternoon, Chairman Landrieu, \nRanking Member Coats, and Senator Coons. Thank you for the \nopportunity to testify on the Department of Homeland Security's \ninvestments to counter cyber threats and the capabilities the \nSecret Service utilizes and is developing to deter cyber crime \naround the world. 
I am honored to appear today alongside my \ncolleagues from Immigration and Customs Enforcement and the \nNational Protection and Programs Directorate.\n    While no single agency or department has the personnel and \nresources to eliminate all cyber threats, DHS brings to the \ntable a strong combination of Federal law enforcement \nexperience, established partnerships across Federal, State, and \nlocal governments, international law enforcement, and the \nprivate sector, as well as a workforce that is committed to \nstrengthening the security and resiliency of our Nation's \ncritical infrastructure.\n    When the Secret Service was created as an investigative \ndivision of the Department of Treasury in 1865, its sole focus \nwas to protect the Nation's financial system from the \nproliferation of counterfeit currency. Over the past 149 years \nthe agency's mission has expanded to include protecting the \nPresident, the Vice President, visiting world leaders, and \nnational special security events. Today our integrated mission \naddresses numerous threats, including those originating in \ncyber space.\n    The Secret Service's authorities to investigate cyber crime \ndate back nearly 30 years to when Congress passed the \nComprehensive Crime Control Act of 1984. That law granted the \nSecret Service authority to investigate criminal offenses \nrelated to unauthorized access to computers and the fraudulent \nuse or trafficking of access devices.\n    As the Nation's financial payments systems evolved from \npaper to plastic to electronic transactions, so too have the \nSecret Service's investigative priorities. 
Advances in computer \ntechnology and greater Internet access to personally \nidentifiable information and sensitive financial data have \ncreated online marketplaces for transnational cyber criminals \nto share stolen information and criminal methodologies.\n    Over the past 10 years, the Secret Service has observed a \nmarked increase in the quantity and complexity of cyber crimes \ntargeting private industry, in particular the financial \nservices sector. These crimes include network intrusions, \ninstallation of malicious software, and account takeovers, \nleading to significant data breaches affecting every sector of \nthe world's economy.\n    The widely reported data breaches of Target, Neiman Marcus, \nWhite Lodging, and Michaels are just some of the most recent \nwell-publicized examples of major data breaches perpetrated by \ncyber criminals who are intent on targeting our Nation's \nfinancial payments systems. Over the past 4 years alone, the \nSecret Service cyber crime investigations have resulted in more \nthan 4,900 arrests associated with approximately $1.4 billion \nin fraud losses and the prevention of $11 billion in potential \nfraud losses.\n    Through continued work with our key Federal, State, local, \ninternational, and private-sector partners, we are confident we \nwill continue to bring domestic and transnational cyber \ncriminals to justice.\n    In support of the Secret Service's protective mission, \nspecial agents trained through the agency's Critical Systems \nProtection (CSP) program successfully completed more than 657 \ndomestic and 5 international protective advances since 2010 in \nsupport of the President, Vice President, and national special \nsecurity events. 
The incorporation of tools and specialized \ntraining to reduce the risk associated with a viable cyber \nthreat during protective operations enhances the Secret \nService's ability to provide complete protective coverage.\n    CSP technology provides visibility into the once unknown \ncyber environment, which gives our agency the tools to identify \ncyber threat actors as well as mitigate potential network \nattacks on the critical infrastructure that supports permanent \nand temporary venues under Secret Service protection.\n    With the subcommittee's support, the Secret Service will \ncontinue to focus on improving our protective investigative \ncapabilities and enhancing the training of our special agent \nworkforce through the Electronic Crimes Special Agent Program, \nas well as provide training for our State and local law \nenforcement partners through the National Computer Forensic \nInstitute. We will also continue to share actionable \ninformation with our partners through DHS's National \nCybersecurity and Communications Integration Center and the \nnetwork of Information-Sharing and Analysis Centers (ISACs), in \nparticular the Financial Services and Multistate ISACs, while \naggressively investigating cases through our domestic and \ninternational field offices, as well as our network of \nelectronic crimes task forces.\n    On the basis of the Secret Service's experience with cyber \ninvestigations and protection, I hope today's discussion \nprovides the subcommittee useful information on how to best \ndeter and mitigate the threat of these crimes in the future. \nThis concludes my opening remarks. I look forward to your \nquestions. Thank you.\n    [The statement follows:]\n                  Prepared Statement of William Noonan\n    Good afternoon Chairman Landrieu, Ranking Member Coats, and \ndistinguished members of the subcommittee. 
I appreciate the opportunity \nto testify on the investments the Department of Homeland Security (DHS) \nis making in cybersecurity, and the capabilities the Secret Service has \nand is developing to deter cyber-crime around the world. I am honored \nto appear today alongside my colleagues from Immigration and Customs \nEnforcement (ICE) and the National Protection and Programs Directorate \n(NPPD). While no single agency or department has the personnel and \nresources to eliminate cyber-threats, DHS brings to the table a strong \ncombination of Federal law enforcement experience, established \npartnerships with the Department of Defense, the Department of Justice \n(DOJ), State and local governments, international law enforcement and \nthe private sector, as well as a workforce committed to strengthening \nthe security and resiliency of our Nation's critical infrastructure.\n    Cyber-threats impact all aspects of the Secret Service's integrated \nmission. When the agency was created as an investigative arm of the \nDepartment of Treasury in 1865, its purpose was to protect the Nation's \nfinancial system from the proliferation of counterfeit currency. No one \nat the time could have foreseen that the Secret Service would one day \nbe responsible for the protection of the President of the United \nStates, let alone that protection would have to take into account the \npotential for computers to affect physical security. Likewise, no one \nat the time could have foreseen that financial crimes would encompass \ncomputer-based attacks on our Nation's financial services sector and \nwould regularly include criminal actors working across international \nborders to perpetrate complex thefts and money laundering schemes.\n    The Secret Service traces its investigations into cyber-crime back \nnearly 30 years, when Congress authored 18 U.S.C. sections 1029 and \n1030 as part of enacting the Comprehensive Crime Control Act of 1984 \n(Public Law 98-473). 
That law granted the Secret Service authority to \ninvestigate criminal offenses \\1\\ related to the unauthorized access to \ncomputers \\2\\ and the fraudulent use, or trafficking of, access devices \n\\3\\--defined as any piece of information or tangible item that is a \nmeans of account access that can be used to obtain money, goods, \nservices, or other thing of value.\\4\\ As the Nation's financial payment \nsystems evolved from paper to plastic to electronic transactions, so \ntoo have the Secret Service's investigative priorities. Advances in \ncomputer technology and greater access to personally identifiable \ninformation (PII), including sensitive financial data, via the Internet \nhave created online marketplaces for transnational cyber-criminals to \nshare stolen information and criminal methodologies.\n---------------------------------------------------------------------------\n    \\1\\ See 18 U.S.C. section 1029(d) and 1030(d)(1).\n    \\2\\ See 18 U.S.C. section 1030.\n    \\3\\ See 18 U.S.C. section 1029.\n    \\4\\ See 18 U.S.C. section 1029(e)(1).\n---------------------------------------------------------------------------\n    Over the past 4 years alone, Secret Service cyber-crime \ninvestigations have resulted in over 4,900 arrests, associated with \napproximately $1.37 billion in fraud losses and the prevention of over \n$11.24 billion in potential fraud losses. Through continued work with \nour key partners at DOJ, in particular the local U.S. Attorney's \nOffices, the Computer Crime and Intellectual Property Section (CCIPS), \nand the International Organized Crime Intelligence and Operations \nCenter (IOC-2), we are confident we will continue to bring cyber-\ncriminals to justice.\n    Since 2010, in support of the Secret Service's protective mission, \nspecial agents trained through the agency's Critical Systems Protection \n(CSP) program successfully completed more than 657 domestic and five \ninternational protective advances. 
The incorporation of tools and \nspecialized training to reduce the risks associated with a viable \ncyber-threat during protective operations enhances the Secret Service's \nability to provide complete protective coverage at venues visited by \nthe President, Vice President and other Secret Service protectees.\n    CSP technology provides visibility into the once unknown cyber-\nenvironment, which gives the Secret Service the ability to identify \ncyber-threat actors, as well as mitigate the potential impact of a \nnetwork attack on a protective venue or on the critical infrastructure \nthat supports the venue. CSP-trained special agents also lead the \nCritical Infrastructure Protection Subcommittee during National Special \nSecurity Events (NSSEs). Through their work with Federal, State and \nlocal law enforcement, along with the private sector, CSP-trained \nspecial agents develop a comprehensive operational security plan to \nsafeguard critical infrastructure and key resources associated with \nprotective events and associated venues.\n    Based on the Secret Service's three decades of experience \ninvestigating cyber-crime, in particular the expertise we have \ndeveloped with respect to the transnational organized cyber-crime \nthreat to our Nation, as well as our more recent efforts to protect the \nPresident, Vice President, and NSSEs from a cyber-threat, I hope to \nprovide the subcommittee useful information on how best to deter and \nmitigate the threat of these crimes in the future.\n                  the transnational cyber-crime threat\n    Over the past 10 years, the Secret Service has observed a marked \nincrease in the quality, quantity, and complexity of cyber-crimes \ntargeting private industry, in particular the financial services \nsector. These crimes include network intrusions, hacking attacks, \ninstallation of malicious software, and account takeovers leading to \nsignificant data breaches affecting every sector of the world economy. 
\nThe widely reported data breaches of Target, Neiman Marcus, White \nLodging, and Michael's are just the most recent, well-publicized \nexamples of this decade-long trend of major data breaches perpetrated \nby cyber-criminals who are intent on targeting our Nation's banks and \nfinancial payment systems.\n    In partnership with the Secret Service, Verizon published their \nmost recent Data Breach Investigations Report (Verizon Report) in 2014 \nto examine current trends and criminal tactics used to conduct data \nbreaches. The analysis included in the 2014 Verizon Report covered more \nthan 63,000 security incidents, including 1,367 confirmed data breaches \noccurring in calendar year 2013. The report identified three primary \nmotives for the criminals committing these acts: (1) financial gain; \n(2) espionage; and (3) activism.\n    Cyber-criminals, motivated by greed, perpetrated the majority of \nthe breaches studied each of the past 5 years through the Verizon \nReports. These criminals primarily use a combination of sophisticated \nhacking techniques and the deployment of malicious software to \naccomplish their objective of obtaining sensitive financial information \nto use as part of increasingly sophisticated frauds. The victims of the \ncrimes studied in the 2014 Verizon Report span 95 different countries, \nwith 34 percent of all reported incidents affecting financial \ninstitutions. The study revealed that point-of-sale (POS) intrusions, \nlike the recently reported events, are primarily attributed to \norganized criminal groups operating out of Eastern Europe. More \nconcerning, in 88 percent of POS intrusions, the data is exfiltrated in \na matter of minutes. 
However, in 98 percent of the breaches it took \nweeks or months to discover the crime.\n    The increasing level of collaboration among cyber-criminals allows \nthem to compartmentalize their operations, greatly increasing the \nsophistication of their criminal endeavors as they develop specialized \nskills to carry out cyber-attacks against the Nation's financial and \nother critical infrastructures. These specialties increase both the \ncomplexity of investigating these cases, as well as the level of \npotential harm to companies and individuals. For example, illicit \nunderground cyber-crime marketplaces allow criminals to buy, sell and \ntrade malicious software, access to sensitive networks, spamming \nservices, payment card data, PII, bank account information, brokerage \naccount information, hacking services, and counterfeit identity \ndocuments. These illicit digital marketplaces vary in size, with some \nof the more popular sites boasting membership of approximately 80,000 \nusers. Within these digital marketplaces, criminals often use various \ndigital currencies to conduct transactions, such as paying for stolen \ninformation, requesting various criminal services, or laundering \nillicit proceeds.\n    As a part of our cyber-crime investigations, the Secret Service \ntargets the most capable cyber-criminals and the individuals who \noperate illicit infrastructure that supports transnational organized \ncyber-criminals. For example, in May 2013, as part of a joint \ninvestigation through the Global Illicit Financial Team, the Secret \nService shut down the digital currency provider Liberty Reserve. \nLiberty Reserve is alleged to have had more than one million users \nworldwide and to have laundered more than $6 billion in criminal \nproceeds. This case is believed to be the largest money laundering case \never prosecuted in the United States and is being jointly prosecuted by \nthe U.S. 
Attorney's Office for the Southern District of New York and \nDOJ's Asset Forfeiture and Money Laundering Section. In a coordinated \naction with the Department of the Treasury, Liberty Reserve was \nidentified as a financial institution of primary money laundering \nconcern under Section 311 of the USA PATRIOT Act (Public Law 107-56), \neffectively cutting it off from the U.S. financial system.\n    The Secret Service has successfully investigated many underground \ncyber-criminal marketplaces. In one such infiltration, the Secret \nService initiated and conducted a 3-year investigation that led to the \nindictment of 11 perpetrators allegedly involved in hacking nine major \nAmerican retailers and the theft and sale of more than 40 million \ncredit and debit card numbers. The investigation revealed that \nindividuals from the United States, Estonia, China and Belarus \nsuccessfully obtained credit and debit card numbers by hacking into the \nwireless computer networks of major retailers--including TJ Maxx, BJ's \nWholesale Club, Office Max, Boston Market, Barnes & Noble, Sports \nAuthority and Dave & Buster's. Once inside the networks, those \nindividuals installed ``sniffer'' programs \\5\\ that would capture card \nnumbers, as well as password and account information, as that \ninformation moved through the retailers' credit and debit processing \nnetworks.\n---------------------------------------------------------------------------\n    \\5\\ Sniffers are programs that detect particular information \ntransiting computer networks, and can be used by criminals to acquire \nsensitive information from computer systems.\n---------------------------------------------------------------------------\n    After the data were collected, the alleged conspirators concealed \nthe information in encrypted computer servers they controlled in the \nUnited States and Eastern Europe. 
The credit and debit card numbers \nwere then sold through online transactions to other criminals in the \nUnited States and Eastern Europe. The accounts associated with the \nstolen numbers were ``cashed out'' by encoding card numbers on the \nmagnetic strips of blank cards. The alleged perpetrators then used \nthese fraudulent cards to withdraw tens of thousands of dollars at a \ntime from ATMs. 
The illegal proceeds were allegedly concealed and \nlaundered by using anonymous Internet-based digital currencies within \nthe United States and abroad, and by channeling funds through bank \naccounts in Eastern Europe.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ Additional information on the criminal use of digital \ncurrencies can be referenced in testimony provided by U.S. Secret \nService Special Agent in Charge Edward Lowery before the Senate \nHomeland Security and Governmental Affairs Committee in a hearing \ntitled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of \nVirtual Currencies'' (November 18, 2013).\n---------------------------------------------------------------------------\n    The impact of these criminal acts extends well beyond the companies \ncompromised, potentially affecting millions of people. Cyber-crime \ndirectly impacts our economy by requiring additional investment in \nimplementing enhanced security measures, inflicting reputational damage \non American companies, and dealing with the financial losses from \nfraud--all costs that are ultimately passed on to consumers. Proactive \nand swift law enforcement action protects consumers by preventing and \nlimiting the fraudulent use of payment card data, stolen PII, or both.\n                          cyber investigations\n    The Secret Service proactively investigates cyber-crime using a \nvariety of investigative means to infiltrate transnational cyber-\ncriminal groups. As a result of these proactive investigations, the \nSecret Service is often the first to learn of planned or ongoing data \nbreaches and is quick to notify financial institutions and the victim \ncompanies with actionable information to mitigate the damage from the \ndata breach and terminate the criminal's unauthorized access to their \nnetworks. 
One of the most poorly understood facts regarding data \nbreaches is that it is rarely the victim company that first discovers \nthe criminal's unauthorized access to their network; rather it is law \nenforcement, financial institutions, or other third parties that \nidentify and notify the likely victim company of the data breach by \nidentifying the common point of origin of the sensitive data being \ntrafficked in cyber-crime marketplaces.\n    When the Secret Service identifies a potential network intrusion, \nthe agency contacts the owner of the suspected compromised computer \nsystem in order to assess the data breach and to stop the continued \ntheft of sensitive information and the exploitation of their networks. \nAfter the victim of a data breach confirms that unauthorized access to \ntheir networks has occurred, the Secret Service works with the local \nU.S. Attorney's office, or appropriate State and local officials, to \nbegin a criminal investigation into the matter.\n    During the course of these criminal investigations, the Secret \nService identifies the malware and means of access used to acquire data \nfrom the victim's computer network. In order to enable other companies \nto mitigate their cyber-risk based on current cyber-crime methods, we \nquickly share information concerning the cybersecurity incident with \nthe widest audience possible, while protecting grand jury information, \nthe integrity of ongoing criminal investigations, and the victims' \nprivacy and confidentiality. 
The Secret Service shares this \ncybersecurity information through:\n      --DHS's National Cybersecurity & Communications Integration \nCenter (NCCIC);\n      --The Information Sharing and Analysis Centers (ISACs);\n      --The public, private, and academic partnerships established \nthrough our Electronic Crimes Task Forces (ECTFs);\n      --The publication of joint industry notices; and\n      --Contributions to leading industry and academic reports like the \nVerizon Report, the Trustwave Global Security Report, and the Carnegie \nMellon CERT Insider Threat Study.\n    As we share cybersecurity information discovered in the course of \nour criminal investigations, we also continue our pursuit of the \nindividuals responsible for the crimes. Due to the inherent challenges \nin investigating transnational crime, particularly the lack of \ncooperation of some countries with law enforcement investigations, it \ncan take years to apprehend the top tier criminals responsible for \ncyber-crimes.\n    collaboration with other federal agencies and international law \n                              enforcement\n    While cyber-criminals operate in a world without borders, the law \nenforcement community does not. The transnational nature of cyber-crime \ncases has increased the time and resources needed for successful \ninvestigation, arrest and adjudication. 
The partnerships developed \nthrough our ECTFs, the support provided by our Criminal Investigative \nDivision, the liaison established by our 24 international offices, and \nthe training provided to our special agents via the Electronic Crimes \nSpecial Agent Program (ECSAP) are all instrumental to the Secret \nService's success in these investigations.\n    To strengthen our ability to investigate transnational cyber-crime, \nthe Secret Service maintains ECTFs in London and Rome, has assigned \nagents to INTERPOL and EUROPOL, and operates cyber-crime working groups \nin the Netherlands, Estonia, Lithuania, Latvia, Ukraine, and Germany. \nThe Secret Service also trains numerous international partners on \ninvestigating cyber-crime; in the past 3 years, the Secret Service has \ntrained over 500 law enforcement officials representing over 90 \ncountries in investigating cyber-crimes.\n    The Secret Service's investigations of transnational crime are \nfacilitated by the dedicated efforts of both the Department of State \nand the DOJ's Office of International Affairs to execute Mutual Legal \nAssistance Treaties and other forms of international law enforcement \ncooperation, in addition to the relationships that develop between \nSecret Service agents and their foreign counterparts through the above-\nmentioned working groups and training efforts.\n    Within DHS, the Secret Service benefits from a close relationship \nwith ICE's Homeland Security Investigations (ICE-HSI). Since 1997, the \nSecret Service, ICE-HSI (and its predecessor organization, the U.S. \nCustoms Service), and the Internal Revenue Service have jointly trained \non computer investigations through ECSAP. 
ICE-HSI is also a member of \nSecret Service ECTFs, and has been a valued partner on numerous cyber-\ncrime investigations including the recent take down of the \naforementioned digital currency, Liberty Reserve.\n    To further its cybersecurity information sharing efforts, the \nSecret Service also has a strong relationship with NPPD, including \nDHS's NCCIC. As the Secret Service identifies malware, suspicious IP \naddresses and other information through its criminal investigations, it \nshares information with the NCCIC which pushes actionable information \nout to the broader cybersecurity community to protect their systems \nfrom harm. The Secret Service continues to build upon its full-time \npresence at NCCIC to coordinate its cyber programs with other Federal \nagencies. In addition to the close partnership with the NCCIC, the \nSecret Service also has an effective relationship with NPPD's \nprotective security advisors (PSAs) and cybersecurity advisors in \nadvancement of our cyber protection activities. Currently, 66 percent \nof all PSAs are co-located in Secret Service field offices around the \ncountry.\n                            cyber protection\n    The Secret Service is world-renowned for the physical protection it \nprovides to the President and Vice President, visiting foreign heads of \nstate and government, the White House and other protected sites, and \nNSSEs. In order to ensure a secure environment for our protectees, the \nSecret Service integrates a variety of innovative technologies and \nmaintains a highly skilled workforce.\n    The Secret Service's protective mission is comprehensive and goes \nwell beyond surrounding a protectee with well-trained special agents \nand Uniformed Division officers. 
Over the years, the agency's \nprotective methodologies have become more sophisticated, incorporating \nsuch tools as airspace interdiction systems, and enhanced chemical, \nbiological, radiological, and nuclear (CBRN) detection systems through \nthe Operational Mission Support program. As part of the Secret \nService's continuous goal of preventing an incident before it occurs, \nthe agency relies on meticulous advance work and threat assessments to \nidentify potential risks to our protectees. Since much of our Nation's \ncritical infrastructure is becoming increasingly interdependent, the \nthreat of a cyber-attack directed toward our protective interests \ncannot be ignored.\n    The Secret Service's CSP program identifies, assesses, and \nmitigates risk posed by information systems to persons and facilities \nprotected by the Secret Service. The program supports a full spectrum \nof protective operations to include domestic and foreign trips, as well \nas NSSEs. It accomplishes its mission in support of the Presidential, \nVice Presidential and Dignitary Protective Divisions by assessing the \nlevel of risk caused by the disruption, damage or destruction of \nprocess control systems critical to an event or venue. The CSP program \nimplements preventative, detective, and corrective controls to reduce \nrisk from a viable cyber-threat during protective operations. The \nresult is situational awareness of the overall cybersecurity \nenvironment during protective operations.\n    For example, since 2012, the Secret Service has deployed cyber \nprotection tools in support of 7 of the 16 DHS designated critical \ninfrastructure sectors. 
Most recently, during the 2014 State of the \nUnion Address (SOTU), the Secret Service deployed its cybersecurity \nprotection platform to defend critical infrastructure and key resources \nin the National Capital Region.\n                      investments in cybersecurity\n    The President's fiscal year 2015 budget request for DHS includes \n$1.25 billion in discretionary spending for cybersecurity activities. \nThe Secret Service's budget request accounts for $100.4 million, or \nroughly 8 percent of the total amount requested. The majority of this \nfunding is requested under Domestic Field Operations to support the \nstaffing associated with Secret Service cyber-crime investigations; \ntraining for our State and local law enforcement partners through the \nNational Computer Forensics Institute (NCFI); training for special \nagents through ECSAP; and funding for the operational costs associated \nwith our ECTFs. Within the amount requested, funding is also proposed \nto enhance the CSP program through the Cyber Security Presidential \nProtection Measures (CSPPM) program; support the staffing associated \nwith international cyber-crime investigations; and continue the \nupgrades necessary to protect Secret Service data and systems from \nintrusion or intercept through the multi-year Information Integration \nand Technology Transformation (IITT) program. For the purposes of \ntoday's hearing, I would like to highlight a few of these efforts in \nmore detail:\nCyber Protection Activities\n    The President's fiscal year 2015 budget request includes a total of \n$21.3 million for cyber protection, which primarily supports the \nstaffing associated with this activity. Within this amount, the request \nalso includes $3.9 million to enhance the Secret Service's cyber \nprotection capabilities through the CSPPM program. This will enable the \nSecret Service to train an additional 24 special agents in the ECSAP \nnetwork intrusion discipline. 
This training is a prerequisite for \nspecial agents to advance to the CSP program to fulfill mission \ncritical assignments in cyber protection. The CSPPM request also \nincludes funding to enhance the CSP's cybersecurity protection platform \nto improve cyber-resiliency at Secret Service protective venues, \nincluding those associated with NSSEs.\nNational Computer Forensics Institute\n    The President's fiscal year 2015 budget request includes $4 million \nfor the NCFI, which will enable the Secret Service to train \napproximately 500 State and local law enforcement officers, \nprosecutors, and judges on current trends in cybersecurity and the \npotential obstacles they are likely to encounter during the course of \ntheir investigations. Located in Hoover, Alabama, the NCFI offers State \nand local law enforcement officers and prosecutors the training \nnecessary to perform computer forensics examinations, respond to \nnetwork intrusion incidents, and conduct electronic crimes \ninvestigations, while judges receive general education in these areas.\n    Since opening in 2008, the institute has held over 150 cyber \ninvestigative and digital forensics courses in 16 separate subjects and \ntrained and equipped more than 3,000 State and local officials, \nincluding more than 2,300 police investigators, 840 prosecutors, and \n230 judges from all 50 States and three U.S. territories. These NCFI \ngraduates represent more than 1,000 agencies nationwide.\nElectronic Crimes Task Forces/Electronic Crimes Special Agent Program\n    The President's fiscal year 2015 budget request includes $1.8 \nmillion for the training and operational costs associated with the \nSecret Service's ECTF and ECSAP programs. The requested amount in \nfiscal year 2015 will support equipment purchases and travel expenses \nfor ECTF and ECSAP personnel. 
In addition to these base funds, the \nSecret Service uses Treasury Executive Office of Asset Forfeiture \n(TEOAF) funding to support the ECTF and ECSAP programs.\n    The Secret Service currently operates 35 ECTFs, including two based \noverseas in Rome, Italy, and London, England. Membership in our ECTFs \nincludes over 4,000 private sector partners; 2,500 international, \nFederal, State, and local law enforcement partners; and 350 academic \npartners. By joining a Secret Service ECTF, our partners benefit from \nthe resources, information, expertise and advanced research provided by \nour international network of members while focusing on issues with \nsignificant regional impact. For example, the New York ECTF, based in \nthe Nation's largest banking center, focuses heavily on safeguarding \nour financial institutions and infrastructure, while the Houston ECTF \nworks closely with partners such as ExxonMobil, Chevron, Shell, and \nMarathon Oil to protect the Nation's vital energy sector.\n                               conclusion\n    Safeguarding and securing cyberspace is a top priority for DHS. As \npart of that effort, the Secret Service is steadfast in its commitment \nto protect the President, Vice President, and NSSEs from the threat of \ncyber-attack, and to protect the Nation's financial payment systems by \ninvestigating and dismantling transnational criminal organizations \ninvolved in cyber-crime. Responding to the growth in these types of \ncrimes, and the level of sophistication these criminals employ, \nrequires significant resources and greater collaboration between law \nenforcement and its public and private sector partners. 
Accordingly, \nthe Secret Service is focused on improving our protective and \ninvestigative capabilities and techniques, enhancing the training of \nour special agent workforce through ECSAP, providing training for our \nState and local law enforcement partners through the NCFI, sharing \ninformation with our partners and private industry through DHS's NCCIC \nwhile actively investigating cases through our ECTFs, and raising public \nawareness to deter and mitigate the cyber-threats our Nation faces \ntoday.\n\n                  CYBER EDUCATION: BUILDING WORKFORCE\n\n    Senator Landrieu. Thank you very much.\n    Let me begin with you, Secretary. There are many aspects of \ncyber defense that we're going to try to cover in this short \nperiod of time, and of course the time will not allow us to go \nvery in depth. But one of the areas that I've really been \nfocused on because of my general interest in education is \neducating the next generation of cyber warriors or generating--\neducating the next generation of professionals that can step up \nand help fill this important gap.\n    It's been estimated, not by our committee but by others, \nthe Department itself has stated a goal of educating 1.7 \nmillion students by 2021. That would be approximately 200,000 \nstudents a year. The President's budget cut the funding for \ncyber education by 52 percent. When we've inquired, they've \nsaid that DHS would still meet that number, but would use other \nprograms and populations, et cetera, et cetera.\n    So I want to ask you all this question, but particularly \nthe Under Secretary for Homeland. 
Try to take a minute or two \nand explain as clearly as you can how the Department of \nHomeland Security is working, either with the Department of \nEducation or with DOD or with any partner that you might want \nto identify, to actually produce the 200,000 workers, \nprofessionals, and students at a variety of different ages, and \nwhat are some of the more successful programs that you have and \nsome of the results that you have achieved?\n    Because I'm having a hard time getting a real handle on \nthis. I hear a lot about it. I just can't quite see it.\n    Dr. Schneck. Thank you. First and foremost----\n    Senator Landrieu. You can pull that closer to you so you \ndon't have to lean. I think it'll come closer to you. I feel \nlike you're going to fall off that chair in just a minute. Or \npush yourself a little that way, whatever.\n    Dr. Schneck. The chair's nice and short. I can't fall off. \nThis is good.\n    So thank you. First of all, thanks again for the support, \nand we look forward to working with you on this. This is a big \nchallenge. As I mentioned, the Secretary has stated his \nemphasis on education and on building the next cyber workforce. \nOne of the first things that he did was take me down to two \nuniversities and have us talk with students----\n    Senator Landrieu. Which two were they?\n    Dr. Schneck. We went to Georgia Tech and Morehouse. And he \nsaid we will do this again, and we have a program rolling out \nthat looks at what universities we'll be going to. But that's \none of many.\n    We are bucketing our efforts at this point sort of in three \ndifferent areas, and then I can also go through some of the \nother types of programs we have. I'm going to want to follow up \nwith you with a comprehensive readout. But our buckets simply \nare the following:\n    One is to identify the skill sets that we need. 
A lot of \ntimes when I go out and talk to students--and I do this a lot, \nof all ages, and leadership at all levels goes out and speaks \nas much as we can to students of all ages, from K through 12 \nactually through the graduate programs. We need them to know \nthe skill sets they need to have, what is a cyber workforce. \nIt's not someone who just operates a firewall. It can be \nanything from policy to highly technical or a combination.\n    The second bucket is to actively get out there and find out \nwhat they're studying, talk to the professors, influence the \ncurricula in the universities, which is one of the things we're \nstarting to do as we speak to the universities.\n    And third is, for example, to award scholarships for \nservice, get involved in helping fund their education, give \nthem a chance then back. They come and work in our labs. \nEspecially at NPPD, we've had interns in cybersecurity and \ncommunications, in that component. And then we give them a \ntaste of what it's like to serve in Government. They get those \nskills from us as well.\n    Then we have several other programs----\n    Senator Landrieu. I think that sounds good, but it's so \ngeneral. What I'm going to continue to press you on is some \nspecifics. Like I asked for the purposes of this hearing to get \nthe document from DOD about what a cyber warrior must have, \nliterally the levels of education and specific skill set that \nDOD is requiring. It is 100 pages or more of very, very \nspecific requirements. I'm going to submit this all to the \nrecord. It's not classified in any way, of course.\n    [The information follows:]\n\n    The proposed funding reduction to National Protection and Programs \nDirectorate (NPPD) Cybersecurity Education in fiscal year 2015 impacts \nthe long-term goal of affecting 1.7 million students in 10 years \nthrough the Integrated Cybersecurity Education Communities (ICEC) \nproject. 
However, NPPD leads several cybersecurity education projects \nserving a wide audience of students across the Nation, providing \ncybersecurity education programs as flexible and responsive as the \nrapidly changing cybersecurity environment. Each of these projects is \nan integral factor in strengthening the national cyber workforce \npipeline and building a robust national cybersecurity workforce, \nensuring we may sustain a safe, secure and resilient cyberspace. As \nsuch, NPPD proposes these additional projects be applied towards the \n1.7 million student goal, one that can be reached within the 10-year \ntimeframe.\n1. Identify the Skill Sets Needed for a Cyber Workforce\n    In 2012, the Department of Homeland Security (DHS) conducted the \nInformation Technology Workforce Assessment for Cybersecurity (ITWAC) \nin partnership with the Federal Chief Information Officers (CIO) \nCouncil. The ITWAC collected workforce data that identified the \ncomposition and capabilities of the Federal civilian cybersecurity \nworkforce.\n    In 2014, DHS has partnered with academic institutions and the \nDepartment of Defense (DOD) to conduct the National Cybersecurity \nWorkforce Assessment (NCWA). The NCWA is gathering data on the U.S. \nnon-Federal cybersecurity workforce. Like the ITWAC, the NCWA will \nidentify gaps and deficiencies in both the size and capability of the \ncybersecurity workforce. However, the NCWA will go beyond the ITWAC to \ndefine specific occupational categories aligned to the National \nCybersecurity Workforce Framework and the role that government can play \nto remedy the identified deficiencies.\n    DHS also leads the development of the National Cybersecurity \nWorkforce Framework. The Cybersecurity Framework is a national resource \nproviding employers, employees, students, educators, trainers, and \npolicy makers with a common language for describing cybersecurity work. 
\nThe Cybersecurity Framework includes a detailed listing of knowledge, \nskills, and abilities (KSAs) required for specific cybersecurity \npositions. The KSAs are associated with Specialty Areas included in the \nCybersecurity Framework to clearly define the qualifying service, \neducation, or training needed to successfully perform tasks or \nfunctions associated with that specialty. A detailed listing of all of \nthe KSAs included in the Cybersecurity Framework can be found at http:/\n/niccs.us-cert.gov/training/tc/framework/ksas.\n2. Explore the Cyber Curricula in Universities\n    The National Security Agency (NSA) and DHS jointly sponsor the \nNational Centers of Academic Excellence in Information Assurance \nEducation (CAE/IAE), IA 2-Year Education (CAE/2Y), and IA Research \n(CAE/R) programs. The goal of these programs is to reduce vulnerability \nin our national information infrastructure by promoting higher \neducation and research in IA and producing a growing number of \nprofessionals with IA expertise in various disciplines. There are 181 \nschools (in 43 States, DC, and Puerto Rico) with one or more CAE \ndesignations. Working with these schools through the CAE program \nprovides DHS with an opportunity to influence cybersecurity curricula \nacross the Nation. Each cybersecurity academic program has about 100 \nstudents, and therefore approximately 18,100 students annually are \nstudying cybersecurity through the CAEs. More information on CAEs can \nbe found at http://www.nsa.gov/ia/academic_outreach/nat_cae/\nindex.shtml.\n    Note that DHS is deploying new criteria for designation as a CAE, \nrevised in order to meet the cybersecurity demands of the Nation. The \nnew criteria will rely on knowledge units (an academically oriented \napproach), moving away from the previous information assurance training \nstandards.\n3. 
Provide Scholarships for Service\n    DHS participates in the Scholarship for Service (SFS) program, \ndesigned to increase and strengthen the cadre of Federal IA \nprofessionals protecting the Government's critical information \ninfrastructure. SFS (through the National Science Foundation) provides \nscholarships that may cover the typical costs to attend a participating \ninstitution, including tuition and education and related fees. In \nexchange, students agree to serve in a cybersecurity role in the \nGovernment for a period equivalent to the length of their scholarship \n(e.g., 2 academic years = 2 calendar years). The U.S. Office of \nPersonnel Management (OPM) manages and tracks SFS placements within \ngovernment. CAE-designated academic institutions may apply to receive \nSFS awards. A total of 51 institutions in 26 States and DC currently \nreceive SFS scholarship awards. Over 450 students receive SFS \nscholarships each year. DHS sponsors the annual in-person SFS Job Fair \n(January in the DC area). SFS has also held virtual job fairs with DHS \nsupport. More information on the SFS program can be found at https://\nwww.sfs.opm.gov/.\n    The Secretary's Honors Program for Cybersecurity (SHPC) is designed \nto develop technically skilled cyber professionals across DHS. Since \nthe Program began in January 2012, there have been 11 participants who \nhave had the opportunity to put their academic achievements to use in a \nhands-on environment while playing a vital role in protecting our \nNation. Through rotational assignments, Honors Program participants \nobserve how each component collaborates on cyber-related issues and \nwork first-hand on critical issues or incidents in a fast-paced, \ngrowing environment. Participants, from SFS or CAE schools, spend 2 \nyears in the program, and then have the opportunity to attain a \npermanent position at DHS.\n4. 
Integrated Cybersecurity Education Communities Project\n    In fiscal year 2013, DHS/Cybersecurity Education and Awareness \n(CE&A) issued the competitive Cybersecurity Education and Training \nAssistance Program (CETAP) grant in the amount of $5 million to fund \nthe Integrated Cybersecurity Education Communities (ICEC) project. In \nsupport of the National Initiative for Cybersecurity Education (NICE), \nthe ICEC project holds cyber education summer camps in communities \naround the country, with the primary goal of educating high school \nteachers who will then return to their schools and affect numerous \nstudents each year, as well as integrate cyber content into their \nexisting course curricula across multiple academic disciplines. As a \nresult, four communities across the country will hold cyber education \ncamps in the summer of 2014, with at least 36 high schools \nparticipating. Each high school will send six students and two teachers \nand each teacher will affect approximately 120 students over a year. \nTherefore, the anticipated impact will be nearly 9,000 students this \nsummer.\n5. Cyber Competitions\n    DHS/CE&A supports cyber competitions, sponsoring CyberPatriot, \nwhich affects numerous middle and high school students each year and \nsteers them toward cybersecurity careers and studies. The expansion of \nthe CyberPatriot program exposes cybersecurity to 12,000 students \nannually.\n6. National Initiative for Cybersecurity Career Studies Portal\n    DHS/CE&A developed the National Initiative for Cybersecurity \nCareers and Studies (NICCS) portal, an online resource for government, \nindustry, academia, and the general public to learn about cybersecurity \nawareness, education, careers, and workforce development opportunities. \nAn ongoing success for DHS, the NICCS portal is available to the \nAmerican public, assisting users of all ages in locating cybersecurity \nlearning opportunities and careers. 
The NICCS portal also hosts the \nCybersecurity Training Catalogue, providing a list of all cybersecurity \nor cybersecurity-related education and training courses offered in the \nUnited States.\n    NICCS Web traffic continues to show steady improvement. In May \n2014, 6,280 unique users accessed NICCS, leading to just over 33,090 \nunique users seeking cybersecurity training this calendar year. Since \nits inception, NICCS has had close to 90,000 unique visitors.\n7. Federal Virtual Training Environment (FedVTE) and Federal \n        Cybersecurity Training Exercise (FedCTE)\n    DHS/CE&A continues to support training efforts for Federal and \ncritical infrastructure cybersecurity professionals. The FedVTE is an \nonline training platform, providing Federal cybersecurity and IT \nprofessionals with hands-on labs and training courses. The environment \nis accessible from any Internet-enabled computer and is free to users \nand their organizations. The FedVTE content library includes more than \n800 hours of training, 150 demos, and 3,000+ pieces of content. The \nFedCTE provides training, labs, and competitions for Federal \ncybersecurity professionals. DHS is also piloting courses for State \ngovernment cybersecurity professionals. Classes range from one to three \ndays and are conducted both live and virtually on a variety of \ncybersecurity topics providing training, hands-on experiences, \nknowledge of best practices, and network opportunities. The FedVTE and \nFedCTE are each available to 125,000 Federal/critical infrastructure \ncybersecurity professionals per year.\n    In fiscal year 2014, DHS/CE&A will continue these major efforts and \ninitiate several enhancements, all contributing to the effort to \npromote cybersecurity education across the Nation. 
DHS/CE&A plans to \napply $5 million to the CETAP grant in fiscal year 2014, enabling the \nsame four communities holding cyber education summer camps in the \nsummer of 2014 to continue the camps in the summer of 2015 leading to \nan effect of nearly 10,000 students that is a combined total of 19,000. \nDHS/CE&A estimates 60 percent of the 9,000 students reached the summer \nof 2014 (5,400 students), plus potentially another 10,000 students will \nbe reached outside of the summer camp, resulting in 34,400 students \nreached by the end of 2015. The grant also supports development of \ncybersecurity-integrated high school curricula, which high schools \nacross the country can adopt and offer to numerous students each year. \nFurther, DHS/CE&A will develop additional and continued interest in \ncybersecurity careers and studies following the summer camps by \npromoting participation in cyber competitions and in virtual \nmentorships and internships. DHS/CE&A will continue participation in \nthe CAE and SFS programs, reaching thousands of community college, 4-\nyear school, and graduate students annually. DHS/CE&A will also launch \na course intended to help professors and students in designated CAE \nschools understand the National Cybersecurity Workforce Framework and \nits relevance to CAEs. Further, DHS/CE&A will release Workforce \nFramework 2.0, codifying cybersecurity workforce roles. Finally, DHS/\nCE&A plans to add a search function to the Training Catalogue, so users \nseeking cybersecurity training on the NICCS portal will be able to \nbrowse courses based on their individual needs, thereby facilitating \naccess to cybersecurity training for countless American students of all \nages and their pursuit of cybersecurity certifications.\n    In summary, DHS/CE&A's programs focus on the cybersecurity \neducation and awareness of the Nation, including students. 
When \ncombined, the existing DHS/CE&A activities enable DHS to reach, and \npotentially exceed its goal of educating 1.7 million students in \ncybersecurity in 10 years. America's students are pursuing various \nlevels of education and DHS/CE&A has made great strides in facilitating \nthese students' pursuit of cybersecurity education and careers; \nredefining the goal of training 1.7 million students to include all of \nCE&A's activities accurately captures the reach of the program, its \nimpact on the Nation, and the goal of DHS.\n\n    Senator Landrieu. But just one page, page 25, it says a \nperson must normally have 1 to 5 years or more experience in IA \ntechnology in a related field. You have to have a systems \nenvironment, a computing environment. Knowledge applies, basic \nknowledge of IA concepts, practices, procedures, et cetera, et \ncetera.\n    I still think it would be really important for Homeland \nSecurity, probably in conjunction with DOD since they've \nalready done it, and the Department of Education, to come up \nwith a basic framework or a specific certification. Maybe we \nshould do this, Senator Coats, with the private sector as well. \nI'm not sure. But I think at least in my experience, if the \ngoal is to actually educate whatever, 1.5, 1.7, 2.5, you've got \nto measure it, have a way to measure it, to know if you're \nachieving it.\n    I can tell you as chair of this committee, as strongly as I \nfeel in investing in education, I'm not going to invest money \nin programs that I'm not sure get a result. 
And I'm going to be \nholding through the whole Appropriations Committee the other \nsubcommittees responsible, not holding but pressing them to be \nresponsible, for allocating funding in a way that we can have \nsome confidence that after we've allocated it we're actually \nproducing, in partnership with universities, with the private \nsector, the kind of workforce and warriors we need to protect \nthis country.\n    So I've run out of my time. I do have many more questions, \nbut since that's been my emphasis I'm going to stay with it. \nThere are other things I want to ask. But I'm going to turn it \nover to Senator Coats, and we may get a second round of \nquestioning.\n\n                              CREDIBILITY\n\n    Senator Coats. Dr. Schneck, as you know, DHS has been \nfighting some credibility issues in terms of capability. I was \nvery impressed when I visited the center. You gave a terrific \ntour relative to what you've been able to accomplish. I think \nit looks like DHS has turned the corner on this, gaining \ncredibility.\n    My understanding is that the strategy pretty much involves \nthree things: one, limiting the Internet touch points to \ntrusted Internet connections; establishing an effective \nperimeter capability; and deploying continuous diagnostics for \nmanaging the Federal system activity.\n    So my question is, generally where do we now stand today \nwith the dot-gov domain relative to meeting these, implementing \nthis strategy?\n    Dr. Schneck. Thank you again for your visit that day. We \nappreciate that.\n    On the perimeter side, we are now supporting not just \nintrusion detection, which is the system, see something come in \nand notify us; we're now supporting intrusion prevention under \nthe term you may have heard, E3A, to about a quarter of the \nseats across the U.S. Government. That number will go up as our \nnew service providers come online. 
For example, the one that \nsupports DHS is just about to come on and will actually be \nengaging DHS in our own program, drinking our own champagne, as \nthe team likes to say.\n    And then, continuous diagnostics and mitigation, which I \ndid not have time to mention in my opening remarks, is a way of \nturning every network into its own ecosystem. So instead of \nhaving the team build a binder, a heavy binder every year, to \ntalk about how secure it is, the system constantly measures how \nhealed up it is and how secure it is, so you always know and \nyou're always aware of behavior that's different.\n    As we grow that system, it'll become more and more like \nyour body's immune system. You don't need to have a conference \ncall to fight a cold. You always know something coming in and \nyou'll be able to see. Because we see, even across the \nperimeter defense, different behaviors across all of the U.S. \nGovernment that can in the future help inform the networks, \nother agencies that are being protected by the external \ndefense, as well as these internal immune systems, can learn to \nrecognize bad behaviors.\n    So our vision is not only operational both in the internal, \nwatching the network behavior, and the internal prevention, but \nalso in using that core that makes DHS unique in NPPD, not only \nour core ability to work with our partners in the Secret \nService and research and development and HSI and Coast Guard \nand others, but our ability to bring in inputs from other \npartners, from trusts through the private sector, to understand \nwhat companies are seeing, and to use all that and get it \nwidely disseminated to protect others across the Government and \nthe private sector in real time.\n    I feel that across the Government we are very much \noperational. We very much have turned a corner. 
If I could have \none wish, it would be to have been able to act faster on \nHeartbleed, and that would have been for the statutory \nclarification so that we wouldn't have had to get letters of \nauthorization for every unique organization that we scan.\n\n                            RESOURCES NEEDED\n\n    Senator Coats. Well, you just began to answer my second \nquestion, and that was what resources do you need to get to the \npoint where--I know it's a constantly evolving challenge here \nfrom a technological standpoint. But are there resources you \nneed now that could accelerate the process of getting this \nwhole domain in place relative to meeting all these strategies?\n    Dr. Schneck. There are always resources that we could use. \nSo we have made, of course, cuts across all of our high-value \nprograms and, unfortunately, even in education, given the \nbudget picture we were given, to fit that. However, that \nstatutory clarification would help us because it reduces the \namount of time it takes us to act. It makes it very clear what \nour authorities are to help with the information-sharing across \nthe private sector that narrowly targeted liability protection.\n    I came from industry 8 months ago and that's very helpful \nto a company because it speaks to the general counsel and says: \nThis is okay to share with Government and protect others, and \nthe company won't get hurt, the breach notification.\n    But this is the area on the congressional side. On the \nresource side, we do need more talented people and that means \nmanufacturing them and training and educating them. I'm very, \nvery passionate about that as well. I'm a product of that. And \nit also means the ability to hire people faster, on-board them \nwith the competitiveness that some other agencies have, that we \ndo not yet; and certainly to engage with the whole unity of \neffort with the DHS and put more money to this. 
If we didn't \nhave to cut as much, we'd be able to grow a lot faster, and \nthis is an urgent environment.\n\n       DATA BREACHES: GOVERNMENT, PRIVATE-SECTOR RESPONSIBILITIES\n\n    Senator Coats. I'm going to ask the second panel this also, \nbut I'd just like to get your take. Relative to--there's been \nsome very high-profile data breaches among retail sellers and \nthe business community. Has that resulted in a significant \nuptick in terms of inquiries and outreach and willingness to be \nmore engaged in partnership with the Federal Government that \nyou've noticed as a result of those high-profile breaches?\n    Dr. Schneck. I would say absolutely. Number one, the \nAmerican public is scared. And number two, I met even \nyesterday--I meet all the time with our sector representatives, \nour partners in the private sector. I met yesterday with some \nexecutives from the financial community, and they want to know \nhow to help; they want to know how to contribute their \nresources and their knowledge. It's the same across all \nsectors.\n    So absolutely, this is the time to get this done.\n    Senator Coats. My time has expired. Madam Chairman, I just \nthink that's so critical as we move forward, and to my other \ncolleagues also. What we got hung up on before was the \nreluctance of the private sector to, quote, ``trust'' that they \ncould coordinate with the Federal Government in a way that \nwould protect their privacy and all that. Now they've seen, I \nthink, the capabilities and the necessity of having that \ninteraction between the Federal and the private sector. I'm \nglad to hear your answer on that one.\n    Senator Landrieu. Thank you, Senator Coats, for your \nleadership. 
You've been working with members of both sides and \nwe think we're making progress, and thank you.\n    But I do want to come back after Senator Coons and ask you \nto restate the specific authorization that you lacked, that you \nsaid you were able to cobble together, but if you had the \nauthorization, at least in dot-gov, you would have been able to \nmove more quickly. I'll come back to you in just a minute.\n    Senator Coons.\n    Senator Coons. Thank you, Madam Chair.\n    Senator Coats, that is an area of interest for me as well, \nas a former in-house counsel for a private sector company that \nfaced security challenges much like the ones you've described. \nI do think we still have undone work in terms of delivering \nclarity.\n    Let me focus on that first, if I might. Jurisdictional \nclarity seems to me particularly important for a cyber event \nbecause, unlike a natural disaster, a cyber event could be a \ncrime, a national security event, an act of war. It could \npossibly be all three at the same time. And governmental \nobjectives might be in conflict, one agency trying to restore \npower, for instance in an attack on the grid, while another \nagency is trying to preserve evidence needed to catch the \nperpetrators and investigate and prosecute the perpetrators.\n    I am concerned about whether we have clear protocols for \nindustry and Government for that response and clear lines of \nresponsibility so that we can do the restoration work that's \nneeded, but without destroying the Government's capacity to \ninvestigate and prosecute. So I'd be interested in whether you \nfeel you have the authority you need to do that today and \nwhether we should be considering some legislation that \nclarifies Federal roles and responsibilities to grant authority \nfor lead during a cyber attack.\n    I'm going to ask my questions first and then see if we've \ngot enough time for an answer.\n    And then second, Dr. 
Schneck, I just wanted to commend you \nfor your engagement with the workforce and your commitment to \nbeing a great role model and leader. I think we're going to \nhear in the second panel from the University of Maryland. \nThey're doing great work in preparing the cyber workforce. The \nUniversity of Delaware is also working, as are many other \nuniversities.\n    I do want to hear how you think targeted investments in \ncyber education are furthering national security and what more \nwe need to do.\n    Last, the National Guard is a remarkable, nearly unique \nasset that crosses the civilian and military divides and allows \nus access for national security and homeland security purposes \nto a world-class workforce that is trained and funded by the \nprivate sector, but because of their either Guard or Reserve \nrole can be accessed in times of emergency or on an ongoing \nbasis. I wondered if you had any comment, Dr. Schneck, as to \nwhether there are initiatives in place to enhance that \nrelationship.\n    So there are three questions. And, Special Agent Noonan, if \nwe have a moment to talk about IP theft and trade secrets theft \nin the finish, that would be great as well.\n    Please, Dr. Schneck.\n    Dr. Schneck. I'm going to talk very fast because my \ncolleagues have very interesting work and I want you to hear \nthat. So very quickly, statutory clarification. We currently \nhave the authority. We work from a patchwork of different laws, \nincluding the Homeland Security Act of 2002, that tells us that \nour response is response and mitigation. That's our role--\nresponse and mitigation of cyber threats across Federal, \ncivilian, government, State, local, tribal, territorial, and \ncritical infrastructure private sector.\n    The problem--and I knew this from the other side in the \nprivate sector--is that when the lawyers get involved, and to \ntheir credit they're protecting the company, and they don't \nreally know if we're supposed to be scanning. 
This even \nhappened with the Cabinet agencies that we had to scan for \nHeartbleed to ensure that our citizens who use external-facing \nWeb sites, who use a highly credible piece of software called \nOpenSSL that happened to have a defect--we didn't want them to \nget hurt.\n    So as fast as we could, we went door to door and got a \nletter of authorization from each agency, working with each \nlawyer, to make sure that we could scan it. That cost us 5 to 6 \nprecious days in some cases, because the whole world knew about \nthis vulnerability and all the information that it could \ncapture while we were lawyering. So had we had the \nclarification in the law that this was our role, we would have \ngotten started a lot faster.\n\n                 CYBER EDUCATION: TARGETED INVESTMENTS\n\n    On your second question, I'm happy to follow up after in \nwriting. I just want to leave time for my colleagues. Targeted \ninvestments in cybersecurity. I am a big believer in \ninnovation. It's not just that I worked for a Silicon Valley \ncompany. It's that my father was a scientist and I like to \nlearn. If we can enable other students to have that and to take \non cybersecurity as something that is fun, we get our national \nand our global leadership back as a country. You target that \ninnovation.\n    I've spent a lot of time in Silicon Valley talking to \nventure capitalists and others about the importance of \nprotecting your investment. But if we could target that toward \nthe universities, target our research toward that, as we do \nwith our partners in science and technology and R and D, if we \ncould advance a lot of that, I think that we would move forward \nboth as a country and in cybersecurity.\n\n                             NATIONAL GUARD\n\n    Finally, on the National Guard, that's a DOD asset. \nHowever, we believe in collaboration, so we welcome that. As \nyou and I talked before, homeland security is local; the \nresponse needs to be local. 
What we can add is the \ncollaboration. Let them plug into the other areas, whether it's \nus or Secret Service or HSI or Coast Guard, the other \nresponses. Let that be plug and play. Let us all work together. \nThe added energy will do nothing but help us, and we can learn \nfrom them. So it's a welcome asset. It's not one we control, \nbut it's certainly one that could fit right into our input of \nthreat information and certainly those that we would output to \nand welcome to work with.\n    Senator Landrieu. Senator Coons, thank you so much. You and \nI think are co-sponsoring a bill related to the role of the \nNational Guard, and I would describe the National Guard as well \npositioned to be of great help to our country in this \nparticular line of defense, because they have the expertise of \nthe military, but their base is homeland, and they draw from a \nwide variety of industry by their nature. It's part-time \nwarrior. That is very interesting.\n    So I look forward, Senator Coons, to continuing to work \nwith you on that possible enhanced partnership.\n    Senator Cochran.\n\n                   STATEMENT OF SENATOR THAD COCHRAN\n\n    Senator Cochran. Madam Chair, I got in a little late, but \nI'm glad I was here to at least express the appreciation of \nthis committee to our witnesses for helping us better \nunderstand what the limitations are and what the opportunities \nare that we have in Congress for making good quality decisions \nabout Federal regulation, rules, laws, how do you protect \nprivacy. Is there a privacy any more? I guess not.\n    So it's kind of scary. So you're all we've got. What I'm \ntalking about is that the Federal Government's agencies aren't \nprepared to police the use of assets and equipment and \nknowledge and information, and would we want that anyway? 
These \nare all big questions, and we thank you very much for coming \nhere and helping us understand that.\n\n                        DATA BREACHES: DISCOVERY\n\n    Senator Landrieu. Senator Cochran, thank you for your \nleadership.\n    Let me ask, if you don't mind--and if you have an \nadditional question, our time will allow it. The votes have \nbeen pushed back slightly.\n    But I do have a question for Mr. Noonan. One of the most \npoorly understood facts regarding data breaches is that it's \nrarely the victim company that first discovers the criminal, in \nthe case that it is criminal--let's assume and I think, Senator \nCoons, it could be all the above--but a criminal unauthorized \naccess to their networks. Rather, it's law enforcement, \nfinancial institutions, or third parties that identify and \nnotify the victim company of the data breach.\n    Without going into any specifics, this speaks to the \nimportance of timely and trusted information shared between law \nenforcement and the private sector. We've touched on this, but \neveryone is now aware, or most everyone, of the situation at \nTarget and what happened when the third party, hired by Target, \nnotified them their systems had been breached, what happened \ninternally in Target. I think just this week someone has \nstepped aside, because that is still going on.\n    So could you explain right now in America, who is the one \nthat normally finds out the breach has occurred? And it's \nusually not the victim, as in this case. It's usually who, a \nthird party, an Internet provider, you guys, ICE, FBI, Secret \nService? Who wants to take that?\n    Mr. Noonan. Yes, ma'am. From the Secret Service's approach, \nwe have a proactive approach to going after cyber criminals. 
\nIt's generally a source of information that we're able to \nobtain, and we obtain it in a number of different ways, whether \nit's through confidential informants, other sources, undercover \noperations, or trusted partners within the industry.\n    We're able to take those data, we're able to crunch those \ndata, and determine where there's a vulnerability and who \npotentially has been victimized. In many cases, in just this \nyear, we've made notifications to actually two other financial \ninstitutions about their compromise. And I'm telling you that \nif it were not for that notification by law enforcement, the \nSecret Service, to those two financial institutions, they would \nnot be in business today.\n    So when we talk about potential----\n    Senator Landrieu. Can you repeat that, please?\n    Mr. Noonan. Yes, ma'am. We've made notification to two \nfinancial institutions in this year, at which time they didn't \nknow that they had an intrusion. We believe that those \ninstitutions would have gone under if it were not for \nnotification to those institutions. They did not lose a single \ndollar because of that advance warning.\n    Senator Landrieu. And if some of these institutions that \nwould go, could potentially go under, are big enough, you could \nassume lots of other companies and individuals they could take \ndown with them, correct?\n    Mr. Noonan. Yes. The people who we're talking about the \ncyber criminals, the transnational cyber criminals who have the \ncapability to do this, they're very advanced cyber criminals. \nThey're going after financial institutions. Their motivation is \ngreed. So whatever they can get their hands on to monetize in \nthe criminal underground, that's what they're attacking.\n    In this particular case--I'm just giving you those two \nparticular examples. There are many other examples. 
There are \nother retailers that we've made notification to this year as \nwell that they had potential issues, and we were able to--and \nyou've got to understand, that's an advantage because we're \ngoing out ahead of them losing anything and we're allowing them \nto see and look closer at their systems by information and \nevidence that we're learning in our other cases to say, ``Hey, \ninstitution, you have a problem, please look in this arena.''\n    That's where the advantage of law enforcement is in this \nfight against cyber crime. Law enforcement has a way to go \noutside the fence, if you will, to determine what the criminal \nactors are doing. We're able to look at their criminal network. \nWe're able to look at their criminal infrastructure, and \nsometimes ahead of time determine what they're going to do or \nwhat actions they may take, and in doing so we do make \nnotifications to those trusted partners.\n    Senator Landrieu. Does ICE want to have anything to answer \nor comment on, Mr. Edge?\n    Mr. Edge. With regard to the intrusions that we're \ndiscussing here, we don't duplicate the efforts that the Secret \nService initiates. In fact, if we were to discover such an \nintrusion, we would contact our counterparts at Secret Service \nand work with them on the investigative effort that would take \nplace.\n    We also would assist in the computer forensics analytic \nportion of it as well. So it's a total team effort here. Most \nof the work that we're doing in the cyber space is pursuant to \nthe investigative areas in which we work--child exploitation, \ncounterproliferation--where we work very closely with DOD and \nwe communicate very closely with DOD and try to disrupt and \ndismantle those organizations that are off of our shores, where \nwe can certainly make a difference and prevent them from \ncontinuing to affect our country.\n    Senator Landrieu. Okay, thank you all.\n    I think we're going to move to our second panel. 
I just \nwant to underscore one additional item. To you, Dr. Schneck: I \nknow that you're aware of the extraordinary contribution \nLouisiana Tech has played in developing an education program \nfor middle and high schools, also with their college level as \nwell. We were one of the universities that received one of the \nfirst grants in the country, and I look forward to continuing \nto work with you on developing a network of universities and \nprograms that are actually meeting the need that's been \nexpressed.\n    I thank you, Mr. Edge, for recognizing the HERO Child \nRescue Corps Program, very innovative, that U.S. Immigration \nand Customs is working with Special Operations to use wounded \nwarriors while they are convalescing and are unable to perform \ntheir primary function. They're well trained and suited to be \nwarriors on the Internet, and I really think that's using our \nassets really well and I look forward to continuing to support \nthat effort.\n    I thank you all and we'll move to our second panel.\n                       NONDEPARTMENTAL WITNESSES\n\n    Senator Landrieu. As the panel is getting situated and the \nClerk is helping to seat them, I wanted to let the members know \nthat Senator Coats and I thought it would be a good idea to \nhave some independent voices at the table to give some critique \nand some different perspective to the Government agencies and \nentities. We really want to know if our agencies and entities \nthat we're funding are doing the kind of job that you as \nexperts in the field believe they should be doing.\n    We know that sometimes you work with these agencies, so \nsometimes it is difficult to criticize them. But we hope that \nyou will do it constructively, and we hope that you will do so. \nWe want to know what's working in your view, what's not \nworking, what progress we're making in these fields, and what \nwe're not.\n    We've got I think a very excellent panel. First we have Mr. 
\nMahon, vice president and chief security officer of \nCenturyLink. I think it's the third largest Internet provider \nin the country, and I'm very proud that it actually is located \nin Monroe, Louisiana, and is growing. It started out as a very \nsmall telephone company maybe 45, 50 years ago with a handful \nof employees and now it's multi-thousands and just really an \nextraordinary success story.\n    Scott Bowers, vice president, government relations, Indiana \nStatewide Rural Electric. Scott, welcome. Mr. Bowers, welcome, \nand we look forward to hearing from you representing the \nhundreds and thousands of coops in this country that are part \nof this effort.\n    Christopher Peters, vice president of North American \nElectric Reliability Corporation (NERC)-Critical Infrastructure \nProtection Compliance, Entergy Corporation. Then I think we \nhave Dr. Katz from UMD Cybersecurity Center. Thank you all very \nmuch.\n    Why don't we start with you, Mr. Mahon, with CenturyLink. \nBut, Dan, did you want to say anything particularly about your \nwitness?\n    Senator Coats. Well, you talked about his credentials. \nScott is just someone that comes from the private sector, but \nclearly part of the private sector that deals with critical \ninfrastructure. We have these coops all over the United States, \nas you know. I'm sure you have many in Louisiana. We talk about \nDuke Energy and we talk about AEP and so forth and so on, but \nin reaching out to particularly smaller town America and rural \nAmerica, these coops are absolutely essential, and they're very \nmuch part of the grid.\n    So we need to not only be thinking of the big guys, but \nalso the little guys. That applies on the retail side and the \ncommercial side also. We read about Neiman Marcus and Target \nand so forth. 
There are thousands, if not hundreds of \nthousands, of smaller businesses out there that are providing \nvery necessary services and they are also vulnerable to these \nkind of intrusions.\n    So I want to make sure that we cover the whole gamut and \nnot just focus on the people at the top.\n    Senator Landrieu. Thank you so much.\n    We'll start with CenturyLink.\nSTATEMENT OF R. DAVID MAHON, VICE PRESIDENT AND CHIEF \n            SECURITY OFFICER, CENTURYLINK\n    Mr. Mahon. Thank you, Chairman Landrieu, Ranking Member \nCoats----\n    Senator Landrieu. You have to lean into the microphone and \npush it right close to you. There you go.\n    Mr. Mahon. Chairman Landrieu, Ranking Member Coats, and \nSenator Cochran, thank you for this opportunity to testify \nbefore you today.\n    By way of background, CenturyLink has grown through \nacquisition and innovation over the course of their history and \ntoday is a commercial entity with $18.3 billion in revenue, 13 \nmillion customers, 47,000 employees. We are a tier one backbone \nprovider and we have 55 data centers around the world.\n    It's within this context that I would like to speak to you \nabout cybersecurity risks, and I would like to talk to you in \nthree specific areas. First is the adversary; second, DHS \nprograms that have been successful; and third, developing the \nnext generation workforce.\n    If I can leave you with one thing today, what I would like \nto tell you is: Do not think about cybersecurity risks within \nthe context of malware, viruses, or other tactics. What I would \nask you to think about is the adversary, the people behind the \ncomputers that are breaching our networks and stealing our \ndata.\n    The CenturyLink security team divides these groups into \nfive very specific areas: nation-state-sponsored; criminal \nenterprises; hacktivists; terrorists and sabotage; as well as \nthe insider threat. 
It's important to understand this within \nthe context of their objectives and their tactics. Each can \nvary very differently.\n    For example, a criminal enterprise that is interested in \nstealing credit cards will attack point of sale systems with a \nparticular type of malware. That is quite different to \ndefending against a nation-state that is interested in stealing \nintellectual property, maybe about a smartphone operating \nsystem.\n    The reason that this is important is we at CenturyLink are \ntasked with protecting our network, our data, and our customers \nfrom all of these adversaries, and each one is very different \nand we require very specific information to develop our \nprotections and countermeasures. What has happened is the \ncontext in which we conduct our risk assessments allows us to \naccess open source information to better inform our risk \nassessments, to help us deploy our capital as we expand and \nprotect our network. But our risk assessments are only as good \nas the information that is available to us.\n    The Federal Government is in possession of very sensitive \nand frequently classified information that could be very \nhelpful to us in our risk assessments as we defend against \nthese bad actors. Two of the programs that at the Department of \nHomeland Security I feel have become very successful are the \nEnhanced Cybersecurity Services (ECS) program and the Einstein \n3A (E3A) program. In each of these programs DHS came together \nwith corporate America and resolved the traditional hurdles \nthat one encounters, whether they be legal, technical, \noperational, and most importantly, cultural.\n    It became very difficult in the early days of developing \ninformation-sharing programs to acquire information from the \nFederal Government because of the context or the fear that they \nhad that corporate America would not be able to protect \nclassified information. 
On the corporate side, there's always \nthe concern that if we discuss our vulnerabilities with the \nFederal Government there would be some type of regulatory \nresponse to our answers.\n    Therefore, I believe the value of ECS and E3A has been to \nbring together the private industry and the Department of \nHomeland Security and the representative agencies within the \nDepartment of Homeland Security to effectively begin to combat \ncyber crime. I do believe it has to go much further. There is \nadditional information that the Federal Government frequently \nhas around the strategy of these organizations, these nation-\nstates, and even independent actors, that would be very helpful \nto know if we are going to better protect our networks, our \ndata, and our customers.\n    Regarding the next generation cyber workforce \nprofessionals, I believe it is very important to encourage the \nDepartment of Homeland Security to begin with the K-12 \neducational programs that you may have heard about throughout \nthe country in various capacities. But specifically the STEM \nprograms and other technical programs that first generate the \ninterest is what we need. I think CenturyLink, Louisiana Tech, \nand the Cyber Innovation Center in Bossier City have become an \nexample of what we can do to better protect the corporate \ninfrastructures as well as the Government infrastructures.\n    I thank you for your determination to lead DHS in its \nmission and we look forward to supporting you. Thank you.\n    [The statement follows:]\n                  Prepared Statement of R. David Mahon\n    Chairwoman Landrieu, Ranking Member Coats and members of the \ncommittee, thank you for the opportunity to testify today on an issue \nthat is of critical importance to national security, the U.S. economy \nand homeland security. 
CenturyLink appreciates the leadership role the \nDepartment of Homeland Security plays in facilitating the cybersecurity \nof the nation's critical infrastructure, with the oversight and \nguidance of this Committee. In today's testimony, I would like to cover \nthree key areas where the fiscal year 2015 budget offers worthwhile \nopportunities to strengthen the nation's cyber defenses:\n      --Further improving the quality of public-private information \nsharing related to cybersecurity;\n      --Leveraging classified cyber threat information to protect \ncritical infrastructure and the networks of Federal, State and local \ngovernments through the Einstein 3 Accelerated and Enhanced \nCybersecurity Service programs; and\n      --Investing in our cybersecurity workforce.\n    CenturyLink was founded nearly 85 years ago as a small rural \ntelephone company with just 75 paid subscribers and a manual switch in \nthe front parlor of the Williams family home in Oak Ridge, Louisiana. \nOur recent and rapid evolution through acquisition and innovation to \nbecome an $18.3 billion communications, data and cloud company with \n47,000 employees, 13 million customers, a Tier 1 Internet backbone, and \n55 data centers around the world makes us a prime example of how \ntechnology and communications infrastructure are driving our economy.\n    Effective cybersecurity is now central to everything we do, not \nonly as a provider, but also as a customer of others. That includes our \nresidential and enterprise broadband service, the secure communications \nservices we provide to the Department of Defense, U.S. embassies and \nFederal Communications Commission, our cloud computing platforms, and \nthe managed security services we provide to critical infrastructure \nowners.\n    As the company has grown, we've benefited from excellent State and \nlocal support, enabling us to cultivate talent in northern Louisiana \nand the many local markets we serve in almost every State. 
This \nincludes developing partnerships with the University of Louisiana--\nMonroe (ULM), Louisiana Tech University, the Cyber Innovation Center in \nBossier City and other institutions. In fact, we are nearing completion \nof a 250,000-square-foot Technology Center of Excellence on our Monroe \nheadquarters campus that will house an additional 800 innovation \nprofessionals devoted to network monitoring, research and development, \nas well as IT and engineering support to our international service \nfootprint.\n    In addition to our company-specific cybersecurity and risk \nmanagement programs, CenturyLink has had a productive experience \nparticipating in the public-private partnerships established to share \ninformation and work collaboratively on industry-wide security \nchallenges. Our executives serve on the President's National Security \nTelecommunications Advisory Committee (NSTAC), the Communications \nSector Coordinating Council (CSCC), the Communications Information \nSharing and Analysis Center (ISAC), and the FCC's Communications \nSecurity, Reliability and Interoperability Council (CSRIC), among \nothers. Through these efforts, we supported DHS in the creation of the \nNational Cybersecurity and Communications Integration Center (NCCIC) \nand CenturyLink maintains a permanent presence on the NCCIC floor.\n    We support the voluntary, industry-led approach to protecting the \nsecurity of critical infrastructure networks operated by the private \nsector, and appreciate the work the National Institute of Standards and \nTechnology (NIST) has undertaken to create the Cybersecurity Framework, \nas well as DHS's Critical Infrastructure Cyber Community (C\\3\\) \nVoluntary Program to educate stakeholders and promote the framework's \nuse. CenturyLink has found the Framework useful in affirming many of \nthe practices that we and other larger carriers already had in place. 
\nWe are also using the Framework as a tool to help our enterprise \nclients assess their own threat level and implement risk-based \ncybersecurity protections.\n            the cybersecurity threat and information sharing\n    If I could leave the Committee with one thought about cybersecurity \nrisks, it is this: Don't limit your thinking to only addressing the \nissues of malware, viruses, denial of service attacks, social \nengineering, botnets or any of the other tactics used. Instead, think \nof cybersecurity in terms of the adversaries--the people on the other \nside of the computer, wherever they may be, who conceive and execute \nthe breaches.\n    Especially where critical infrastructure is concerned, our \nadversaries are constantly studying their targets, probing networks, \npaying attention to the defenses we put up, and searching for the \nweakest link in the chain--even tracking Federal efforts to promote \nsecurity. Whether it's hacking the Web site of a technical conference \nso targeted employees will download malware when they register, or \nusing the compromised systems of an HVAC contractor as an attack \nvector, they are adaptable. This makes the threat more formidable, but \nalso offers a clue about how to build our cyber defenses.\n    As a general matter, CenturyLink's security team divides cyber \nthreats into several key groups, each with varying levels of \nsophistication:\n      --Nation-State-Sponsored.--Which are often the most \nsophisticated, and generally motivated by economic and political \nespionage. Combating government-sponsored adversaries requires an \nadvanced information security program. 
These data breaches can go \ncompletely undetected by the victim organization.\n      --Criminal Activity, Including Organized Crime.--These attacks \nhave a wide range of sophistication, and are generally focused on \ncapturing information that can be monetized.\n      --Terrorism and Sabotage.--These are most concerned with doing \ndamage, including physical damage, to the target entities.\n      --Hacktivism.--Generally less sophisticated, these groups will \nuse ``soft targets'' with less sophisticated information security \npractices to garner publicity and make their political points.\n      --Insider Threats.--These can be the toughest to guard against \nbecause they are ``inside the perimeter'' of the target itself.\n    Adversaries tend to cluster around an industry sector, based on the \ngoals they want to achieve. For example, a criminal cartel that wants \nto exploit consumer credit card information will, perhaps, stand up a \nnetwork of infected computers and launch a particular type of attack on \npoint-of-sale systems across numerous retailers, using similar malware, \nattack vectors and tactics for covering their tracks. But a nation-\nstate that wants to exfiltrate confidential technical specs about a \nsmartphone operating system will use a completely different strategy. \nEspecially for the more sophisticated adversaries, the best long-run \ndefense is to build closely coordinated defensive alliances around the \ntargeted industries and our partners in government, and to study our \nadversaries as closely as they study us.\n    To draw an analogy, the cat-and-mouse nature of cybersecurity \nresembles offensive and defensive schemes in the National Football \nLeague. 
Every season, coaches devise new ``attacks'' to move the ball \ndown the field, whether it's the old ``west coast offense'' or last \nyear's ``read option.'' If they're successful, defenses that rely on \nthe comfort of understanding past, predictable plays won't be prepared \nto stop them, at least for a while. But the minute a new offensive \nscheme succeeds, every defensive coordinator in the league starts \nworking on countermeasures to shut it down. And while the short-term \ncountermeasure might be a zone blitz or a few tough hits on the \nquarterback, the long-term solution has everything to do with \ncontinually studying the game tapes and evolving the defense.\n    In the world of cybersecurity, we don't have the luxury of watching \nthe ``game'' every Sunday, but the never-ending need to study the \nopposition and update defenses is the same. For DHS and the nation's \ncritical infrastructure providers, this means continuously refining the \ninformation sharing relationships to get actionable, tailored \ninformation to the targeted sectors in as close to real time as \npossible. This will ultimately lead to automating the information \nsharing mechanisms that will allow a targeted entity to use the cyber \nthreat information to defend itself without compromising the sources \nand methods of the information provider. This is as much a cultural \nchallenge as it is a technical one, because the information at issue is \nso sensitive and the teams are not accustomed to sharing their \nproverbial playbooks.\n    In our experience, the DHS leaders are fully aware of the challenge \nand committed to strengthening the partnerships, but doing so is often \nan iterative, painstaking process that involves continuously building \ntrust, sophistication and technological capabilities, and we appreciate \nthe Committee's continued support for that mission. 
In the words of \nBear Bryant, ``defense wins championships.''\n enhanced cybersecurity services (ecs) and einstein 3 accelerated (e3a)\n    One of the most critical roles the Department of Homeland Security \ncan play is to leverage the classified cyber threat indicators the \nFederal Government gathers through law enforcement, intelligence \ncollection and other Government-specific functions to protect private \nsector critical infrastructure and government networks. This is no \nsmall task because the cyber indicators themselves must be protected \nfrom our adversaries in an end-to-end secure environment and put to use \nin the field without compromising the sources and methods that yielded \nthem in the first place. To do this, DHS has developed two programs:\n      --Enhanced Cybersecurity Services (ECS) for private sector \ncritical infrastructure providers as well as State and local \ngovernments, and\n      --Einstein 3 Accelerated (E3A) for Federal civilian networks.\n    With both programs, Internet service providers like CenturyLink, \nunder the direction of DHS personnel, administer intrusion prevention \nand threat-based protections on traffic entering and leaving the \nnetworks of participating organizations. Participation is voluntary, \nand non-Federal participants in ECS must first be validated by DHS, but \nthose who do participate receive an elevated level of protection from \nthe most sophisticated cyber intruders.\n    CenturyLink has worked extensively with the Federal Government to \ndevelop these programs, and provide important protections against the \nmost advanced threats while educating the Government on practical \naspects of providing such services to private industry. 
Expanding the \nscale and automating the information gleaned within ``circles of \ntrust'' is the next critical step in providing effective and time \ncritical cybersecurity protections to Government and critical \ninfrastructure providers.\n    State and local governments administer many functions that are \nimportant to public safety and the protection of critical \ninfrastructure, however, they continue to lag in funding mechanisms. \nDHS has taken the lead to fill this gap temporarily in their support \nfor MS-ISAC services, but additional funding for additional services \nsuch as ECS would help State governments avoid becoming the ``weak \nlink'' with their Federal partners.\n                 developing the cybersecurity workforce\n    CenturyLink appreciates the Department of Homeland Security's \nleadership on developing the nation's cybersecurity workforce, \nincluding its support for teacher training and university research and \ncurriculum development in Louisiana. Especially in the last year, \nCenturyLink has focused on developing and attracting a broad range of \ninnovation professionals, including engineers, senior IT personnel, \nproduct managers, researchers and others to help staff our Technology \nCenter of Excellence, which will open early next year.\n    Our headquarters are located along the I-20 Corridor that spans \nnorthern Louisiana and is home to a number of innovation hubs, \nincluding the National Center for Academic in Information Assurance \nEducation at Louisiana Tech University, the Cyber Information \nTechnology program at Bossier Parish Community College, and the Cyber \nInnovation Center, a research park and nonprofit organization devoted \nto building the knowledge-based workforce in the region. 
Computer \nSciences Corporation recently announced plans to bring 800 new jobs to \nthe Cyber Innovation Center, and we are hopeful that as businesses step \nup investment in the region, we can work together to cultivate a world \nclass cyber workforce. We would encourage this Committee and DHS to \nplace a renewed emphasis on workforce development in the cyber arena by \naddressing the potential shortage of qualified and skilled employees \nthat will be needed.\n    We also support the National Integrated Cyber Education Research \nCenter (NICERC) at the Cyber Innovation Center, which focuses on \ncurriculum design, professional development, and collaboration in K-12 \nand college education. NICERC has organized programs to give teachers \nthe training and tools to prepare students for a career in \ncybersecurity, including problem-solving, critical thinking and \ncommunication skills. Of special note, NICERC is the lead technical \ninstitution for DHS's Cybersecurity Education and Training Assistance \nProgram (CETAP)--so the teacher-focused cybersecurity education model \nfirst developed and implemented by NICERC in Louisiana can benefit \nschool districts across the nation.\n                               conclusion\n    While the challenge of building a cyber workforce and protecting \nthe nation's critical infrastructure from growing threats is a daunting \nand multifaceted one, we are encouraged by the commitment of the White \nHouse, DHS and this Committee to bring the right resources to bear. We \nappreciate the determination and attention that Chairwoman Landrieu and \nthe committee members have brought to the issue and look forward to \nworking with you and the authorizing committees as you support and \nguide DHS in its mission.\n\n    Senator Landrieu. Thank you very much.\n    Let's go to you now, Dr. Katz, from the University of \nMaryland, that's played quite a leadership role in all of this.\nSTATEMENT OF DR. 
JONATHAN KATZ, PH.D., DIRECTOR, \n            MARYLAND CYBERSECURITY CENTER, UNIVERSITY \n            OF MARYLAND\n    Dr. Katz. Chairman Landrieu, Ranking Member Coats, Senator \nCochran: I'm going to talk about workforce development and \nspecifically efforts under way within the University System of \nMaryland. Developing an adequately prepared cybersecurity \nworkforce is a daunting challenge. Put simply, demand is far \noutstripping supply. Actually, a great statistic came up \nearlier with mention of the need to educate 200,000 cyber \nprofessionals each year.\n    Now, a critical question is what is meant by cybersecurity \neducation. From my point of view and broadly speaking, there \nare really two aspects to be considered here. The first is a \ngeneral cybersecurity education, not just for computer and \ntechnical students, but for everyone. The same way people come \nin and take English comp or introductory math courses, college \nstudents need to be exposed to the basics of cybersecurity and \ngood cyber hygiene.\n    Second, of course, is to grow a dedicated cybersecurity \nworkforce, professionals that have deep technical knowledge, as \nwell as those with the technical knowledge in core computer \nscience and electrical engineering skills, but also with \nexpertise in the, quote unquote, ``softer'' areas like \neconomics, policy, and psychology.\n    I think it's important to keep this in mind when we're \ntalking about numbers of cybersecurity professionals needed, to \nkeep clear that not every cyber professional is going to be the \nsame and not everyone is going to need the exact same \nbackground in cybersecurity courses.\n    Now, the University System of Maryland (USM) has a number \nof programs in place to augment the existing pipeline of future \ncybersecurity professionals. 
University of Maryland \ninstitutions are playing their part by not only training \ndedicated cybersecurity professionals, but also educating the \ngeneral public on good cybersecurity practices and policies. \nI'll just mention a few key ways in which USM institutions are \nhelping to combat the shortage in our Nation's cybersecurity \nworkforce. I'll only be able to touch on a few here.\n    USM institutions awarded approximately 4,400 cybersecurity-\nrelated degrees in the 2012-2013 academic year. Four USM \ninstitutions are NSA and DHS centers of academic excellence in \ninformation assurance education. UMD College Park, with support \nfrom Northrop Grumman, launched the Advanced Cybersecurity \nExperience for Students, or ACES, in 2013. This is the Nation's \nfirst undergraduate honors program in cybersecurity and really \nI think serves as a paragon of the way undergraduate \ncybersecurity education should be done.\n    University of Maryland Baltimore County, the Center for \nCybersecurity Training, offers numerous courses for skill \nenhancement and certification opportunities for active \nprofessionals. And the University of Maryland College Park is \ngoing to be offering a series of online courses on \ncybersecurity beginning in the fall, again as a way to reach \nout to the broader public.\n    In addition to these educational offerings, USM \ninstitutions also perform outreach to the wider public to spark \ninterest in the field and to try to grow a pipeline of future \ncybersecurity professionals. Some examples here include \ncybersecurity camps for middle school girls and high school \nstudents, as well as summer camps for high school STEM \nteachers, held as part of the DHS-funded cybersecurity \neducation and training assistance program.\n    Our educational opportunities cannot be created or refined \nin isolation. USM has numerous cybersecurity programs that are \ndeveloped with input from industry and Government sources. 
\nSharing information about current workforce knowledge gaps and \nhow best to address them is one of the many ways that USM \ninstitutions benefit from our interactions with private \nindustry and the Federal Government.\n    However, as educators we not only train students in the \nproblems of today, but must also ensure that they can master \nkey fundamentals that will provide the foundation for \nunderstanding and remediating the cybersecurity threats of \ntomorrow.\n    Federal and private support to continue to grow the future \ncybersecurity workforce is essential to closing the demand gap \nfor those professionals. Continued or perhaps expanded \ninvestment from Federal agencies like the Department of \nHomeland Security, the National Science Foundation, and the \nNational Security Agency, for example, is critical to \nsustaining the progress that we've already been making.\n    Thank you for the opportunity to appear before the \nsubcommittee and I look forward to answering your questions.\n    [The statement follows:]\n                Prepared Statement of Dr. Jonathan Katz\n    Chairman Landrieu, Ranking Member Coats: Thank you for the \ninvitation, and the opportunity to speak to the subcommittee. It is an \nhonor to be here.\n    As the committee has previously noted, we are continually faced \nwith numerous cybersecurity threats. These threats are not static--in \nfact, the sophistication of attacks cybersecurity seems to change on a \ndaily basis. New vulnerabilities are uncovered, different attack \nvectors are employed to exploit a system or a program, and patches for \ncritical operating systems are deployed on a near-constant basis. 
As \ndirector of the Maryland Cybersecurity Center (MC2), I am extremely \nfamiliar with the rapidity with which cybersecurity threats continue to \nevolve, and the challenges that these threats present to the Federal \nGovernment, the private sector, and our Nation's academic institutions.\n    Developing an adequately prepared cybersecurity workforce is a \ndaunting challenge. Put simply, demand for talented cybersecurity \nprofessionals is far outpacing the supply. A 2013 (ISC)\\2\\ Global \nInformation Security Workforce Study claims that 56 percent of \ncompanies nationwide report a workforce shortage. Maryland alone had \nmore than 18,000 vacancies for cybersecurity jobs, according to a \nrecent Abell Foundation report. And Federal agencies are having \ndifficulty filling cybersecurity roles as well, something highlighted \nin 2008 and 2010 by the CSIS Commission on Cybersecurity for the 44th \nPresidency.\n    The University System of Maryland (USM), which includes 12 \ncampuses, has a number of programs in place to augment the existing \npipeline of future cybersecurity professionals. Maryland institutions \nare playing their part by not only training dedicated cybersecurity \nprofessionals, but also educating the general public on good \ncybersecurity practices and policies.\n    Below are some key ways in which USM institutions are helping to \ncombat the shortage in our Nation's cybersecurity workforce:\n      --USM institutions offer a broad range of degrees in \ncybersecurity-related fields, and approximately 4,400 cybersecurity-\nrelated degrees (BS, MS, and PhD combined) were awarded in the 2012-\n2013 academic year.\n      --Four USM institutions (UMD, UMUC, UMBC, and Bowie State) are \nNSA and DHS Centers of Academic Excellence in Information Assurance \nEducation.\n      --UMD College Park, with support from Northrop Grumman, launched \nthe Advanced Cybersecurity Experience for Students (ACES) in 2013. 
This \nis the Nation's first undergraduate honors program in cybersecurity.\n      --UMBC's Center for Cybersecurity Training offers numerous \ncourses for skill enhancement and certification opportunities.\n      --Multiple USM campuses offer MS programs in cybersecurity, cyber \npolicy, and/or digital forensics.\n    In addition to our current educational offerings, USM institutions \nalso perform outreach to the general public to spark interest in the \nfield and communicate cybersecurity best practices. Examples include:\n      --Cybersecurity camps for middle-school girls and high-school \nstudents at UMCP.\n      --Summer camps for high-school STEM teachers held at UB as part \nof the DHS-funded Cybersecurity Education and Training Program.\n      --``Tech talks'' given by undergraduate cybersecurity-club \nmembers to the broader undergraduate student body.\n    Educational opportunities cannot be created or refined in \nisolation. USM has numerous cybersecurity programs that are developed \nwith input from industry and government sources. Sharing information \nabout current workforce knowledge gaps, and how to best address them, \nis one of the many ways that USM institutions benefit from our \nsustained and regular interactions with private industry and the \nFederal Government. However, as educators, we must not only train \nstudents in the problems of today, but must also ensure that they \nmaster key fundamentals that will provide the foundation for \nunderstanding and remediating cybersecurity threats of tomorrow.\n    Federal and private support to continue to grow the future \ncybersecurity workforce is essential to closing the ``demand gap'' for \nthose professionals. 
Continued--and perhaps expanded--investment from \nFederal agencies, like the Department of Homeland Security, the \nNational Science Foundation, and the National Security Agency, for \nexample, is critical to sustaining the progress that has already been \nmade.\n    Again, thank you for the opportunity to appear before the \nsubcommittee. I look forward to answering your questions.\n    Senator Landrieu. Thank you very much.\n    Mr. Bowers.\nSTATEMENT OF SCOTT R. BOWERS, VICE PRESIDENT OF \n            GOVERNMENT RELATIONS, INDIANA STATEWIDE \n            ASSOCIATION OF RURAL\n\n                         ELECTRIC COOPERATIVES\n\n    Mr. Bowers. Madam Chair, Senator Coats: Thank you for the \nopportunity to address you regarding cybersecurity. I'm here on \nbehalf of Indiana Electric Cooperatives (IEC). Currently, IEC \nrepresents 39 electric distribution cooperatives that serve \nover 1.3 million Hoosiers in 89 of the State's 92 counties. \nCollectively, our member cooperatives employ more than 1,500 \nindividuals and represent the second largest electric provider \nin Indiana.\n    Indiana's electric cooperatives recognize your concerns \nrelated to cybersecurity. We have taken steps, often \nindependent of Government regulation, to provide the security \nand reliability required for our consumers. Due to our \nconstruct and the areas we serve, most people do not recognize \nthe leadership role electric cooperatives assumed, specifically \nin the areas of renewable energy sources, energy efficiency, \nand cybersecurity.\n    Our 39 distribution cooperatives generally do not own bulk \nelectric system assets. Therefore they focus largely on the \nreliability and security of their distribution systems, \nprotecting member data, and their data business systems where \ndata is processed and stored.\n    IEC also represents two generation and transmission \ncooperatives, or G&Ts, Hoosier Energy Rural Electric Cooperative \nand Wabash Valley Power Association. 
Both are fully integrated \non the NERC compliance registry by applicable function. As \nsuch, each G&T is required to comply with approved reliability \nstandards related to cybersecurity, operations, and system \nreliability.\n    Today I'd like to specifically recognize the cybersecurity \nefforts of our two G&Ts. Hoosier Energy maintains a thorough \ncybersecurity program that protects facilities critical to the \nreliability of the bulk electric system against a myriad of \nvulnerabilities. Most notably, Hoosier Energy developed an in-\nhouse scanning utility called the Windows Configuration \nManagement Utility (WinCMU) that gives Hoosier Energy complete \nvisibility into its systems and reports any unexpected changes \nto its security team.\n    Knowing what is on a system is the most important step in \nmaintaining a secure environment. During a recent audit by \nNERC, auditors acknowledged this and praised WinCMU and Hoosier \nEnergy for going above and beyond the requirements in NERC's \ncybersecurity standards. Compliance with these standards is \nenforced by NERC and the Federal Energy Regulatory Commission \n(FERC).\n    In addition to complying with such standards, Hoosier \nEnergy's cybersecurity program mitigates and protects against a \nwide range of vulnerabilities, including: one, ignorance, \nindifference, and lack of knowledge of cyber threat protection; \ntwo, information exfiltration; three, network-based cyber \nattacks; four, unmanaged changes to cyber assets and protective \nsystems; and five, direct attacks on cyber assets.\n    Wabash Valley, IEC's second G&T, has a strong cybersecurity \nprogram in place as well. Wabash Valley firmly believes it \ntakes every employee being vigilant to ensure the safety of \ntheir people and their assets. Relative to cybersecurity \nstandards, Wabash Valley awaits the implementation of NERC's \nupdated Critical Infrastructure Protection (CIP) Standards \nVersion 5. 
Wabash Valley worked proactively to develop its \ncybersecurity plan although it was not required by previous \nversions of the standards.\n    Additionally, Wabash Valley engaged an external consultant \nto assess its CIP program and systems. The consultant \ndetermined Wabash Valley's CIP program was thorough and \nindicated that no changes to its systems were required.\n    Under previous NERC reporting standards, Wabash Valley \nestablished reporting relationships with FBI offices in the \nfour States where it has member cooperatives or facilities. \nAlthough no longer required, Wabash Valley continues to keep \nthe FBI or the Joint Terrorism Task Force in the reporting \nchain for cybersecurity events.\n    Last, Wabash Valley has established procedures in place for \nNERC alert system and energy sector ISAC-provided \ncommunications and alerts. These communications are reviewed by \ncompliance and technical service personnel to assess a \npotential threat to the G&T. If applicable, systems are \nreviewed and, as appropriate, preventive actions implemented.\n    Moving forward, IEC sees several actions and opportunities \nwhere additional focus and improvement benefit access to power. \nThose include: continued improvement in information-sharing to \nensure timeliness and actionability to cyber threats; expanding \nthe number of clearances permitted for cooperative staff and \nallowing for top secret clearance for select senior-level \nexecutive staff; avoiding one size fits all solutions, while \nalso encouraging flexibility; encouraging the continuation and \ncreation of additional partnership opportunities; and improving \nconsistency with the Federal standards application and \ncompliance process.\n    In closing, IEC believes we are on a good path, but \nopportunities to improve still exist. 
Each of us, not just the \nrespective Federal agencies, must assume our individual \nresponsibilities to work constructively, effectively, and, most \nimportantly, in partnership to address both current and future \ncyber-related threats to the reliability and security of our \nNation's electric grid.\n    Thank you.\n    [The statement follows:]\n                 Prepared Statement of Scott R. Bowers\n    Indiana Electric Cooperatives (IEC), the Nation's first electric \ncooperative service organization, represents 39 electric distribution \ncooperatives that serve over 1.3 million Hoosiers in 89 of the State's \n92 counties. Collectively, our members employ more than 1,500 \nindividuals and represent the second-largest electric power provider in \nIndiana. We serve a diverse expanse of Indiana communities, from rural \nand farming areas, industrial parks and employment zones to burgeoning \nsuburbs. IEC appreciates the opportunity to provide the following \ntestimony before the Senate Appropriations Homeland Security \nSubcommittee regarding ``Investing in Cybersecurity: Understanding \nRisks and Building Capabilities for the Future.''\n    Indiana's electric cooperatives played a foundational role in \ndelivering electricity to communities across Indiana 80 years ago. \nToday, we fuel progress by delivering more than electricity to the \ncommunities we serve. We contribute to economic development, community \ndevelopment and youth and education programs across Indiana. We \ncontinue to deliver safe, secure, reliable and affordable electric \npower across the State, including hard-to-reach rural areas. These same \nelectric cooperatives are at the forefront in the promotion of \nrenewable energy sources, energy efficiency programs and technology, \nensuring electric power sources for future generations.\n                              introduction\n    IEC recognizes your concerns related to the issue of cybersecurity. 
\nWe have taken steps, sometimes independent of government regulation, to \nprovide the security and reliability required and necessary for our \nconsumers. Due to our construct and the areas we generally serve, most \npeople do not recognize the leadership role electric cooperatives have \nassumed--specifically in the areas of renewable energy sources, energy \nefficiency and cybersecurity.\n    IEC has two generation and transmission cooperative (G&Ts) members, \nHoosier Energy Rural Electric Cooperative (Hoosier Energy) and Wabash \nValley Power Association (Wabash Valley), who provide Indiana \ndistribution cooperatives with wholesale electric power from coal, \nnatural gas and renewable energy sources. Both G&Ts are fully \nintegrated and registered on the North American Electric Reliability \nCorporation (NERC) Compliance Registry by applicable function. As such, \neach of Indiana's G&T cooperatives are required to comply with approved \nReliability Standards related to cybersecurity, operations and system \nreliability.\n    Our 39 distribution cooperatives generally do not own Bulk Electric \nSystem (BES) assets. Therefore, they focus largely on the reliability \nand security of their distribution systems, which brings electricity to \nhomes and businesses, protecting member data and their business systems \nwhere the data is processed and stored.\n    This afternoon, I would like to specifically recognize the \ncybersecurity efforts of our two G&Ts. I will start by discussing \nHoosier Energy's efforts to address the cybersecurity threat.\n                             hoosier energy\n    Hoosier Energy maintains a thorough cybersecurity program that \nprotects facilities that are critical to the reliability of the BES \nagainst a myriad of cyber vulnerabilities. 
Most notably, Hoosier Energy \ndeveloped an in-house scanning utility called the Windows Configuration \nManagement Utility (WinCMU) which gives Hoosier Energy complete \nvisibility into its systems and reports any unexpected changes to its \nsecurity team. Knowing what is on a system is the most important step \nin maintaining a secure environment. During a recent audit by NERC, \nauditors acknowledged this and praised WinCMU and Hoosier Energy for \ngoing above and beyond the requirements in NERC's cybersecurity \nstandards. Compliance with these standards is enforced by NERC and the \nFederal Energy Regulatory Commission (FERC).\n    In addition to complying with such standards, Hoosier Energy's \ncybersecurity program mitigates and protects against a wide range of \nvulnerabilities including:\n      --Ignorance, Indifference and Lack of Knowledge of Cyber Threat \nProtection;\n      --Information Exfiltration;\n      --Network Based Cyber Attacks;\n      --Unmanaged Changes to Cyber Assets and Protective Systems;\n      --Direct Attack on Cyber Assets; and\n      --Physical Attack on Cyber Assets.\n    (See Appendix A for description of these vulnerabilities.)\n    IEC's other G&T, Wabash Valley, also has a cybersecurity program \nwhich includes some similar elements to Hoosier Energy's program. Next, \nI would like to highlight Wabash Valley's efforts to address the issue \nof cybersecurity.\n                             wabash valley\n    The protection of people and assets are top priorities for Wabash \nValley. As technology continues to evolve, cybersecurity threats become \nmore advanced and increasingly difficult to detect and prevent. 
Wabash \nValley firmly believes it takes every employee being vigilant to ensure \ntheir personal safety and the safety of Wabash Valley's assets (both \nphysical safety and cybersecurity).\n    Relative to cybersecurity standards, Wabash Valley, along with \nother small entities, awaits the implementation of NERC's Critical \nInfrastructure Protection (CIP) standards, Version 5 (cybersecurity \nstandards). Although not required by previous versions of the CIP \nstandards, Wabash Valley has already developed a cybersecurity plan. In \naddition, an external consultant was hired by Wabash Valley to perform \nan assessment on its CIP program and systems. The consultant determined \nits CIP program was thorough for a small entity and that no changes to \nsystems were required at that point in time.\n    Under NERC's event reporting standards, applicable entities were \nrequired to establish a reporting relationship with the Federal Bureau \nof Investigation (FBI). Wabash Valley established reporting \nrelationships with FBI offices in all States and cities where it has \nmember cooperatives or plant facilities (Indiana, Ohio, Illinois and \nMissouri). Although direct reporting of events to the FBI is no longer \nrequired by the NERC standard, Wabash Valley feels it is important to \ncontinue to keep the FBI or the Joint Terrorism Task Force (JTTF) in \nthe reporting chain for cybersecurity (and other) events. Wabash Valley \nis part of the FBI's Strategic Partnership with businesses. As such, \nWabash Valley receives regular bulletins and communications from the \nFBI to keep them informed about various situations/threats that could \naffect the safety and security of company assets and/or personnel.\n    Through the NERC Alert System and the Electric Sector Information \nSharing and Analysis Center (ES-ISAC) housed within NERC, \ncommunications and alerts related to various potential threats are \nprovided to our industry. 
It is part of Wabash Valley's established \nprocedures for these communications to be reviewed by compliance and \ntechnical services personnel to assess a potential threat to the G&T. \nIf the threat has potential applicability to Wabash Valley, then \nsystems are reviewed and, as appropriate, preventive actions \nimplemented. If the threat, such as HEARTBLEED, has potential impact \nfor company employees on their computer systems at home, information is \ncommunicated to Wabash Valley employees. On a regular basis, the Wabash \nValley security officer emails pertinent security topics to staff.\n    Wabash Valley welcomes the finalization of the cyber and physical \nsecurity standards in the near future. In the meantime, they will \ncontinue to seek proactive measures to ensure the security of all G&T \npersonnel and assets.\n    So where do we go from here? Beyond just the updating of the CIP \nstandards, there are other actions that can assist us, the owners and \noperators, in assuring access to power. In talking with both our G&Ts, \nthey shared concerns regarding some areas where they see opportunity \nfor improvement.\n                          information sharing\n    While we recognize and appreciate that improvement has been made by \nthe Federal Government in the flow and sharing of cyber and physical \nsecurity related information over time, the need for continued \nimprovement still exists. Our ability to receive timely and actionable \ninformation remains a work in progress. The media remains our primary \nsource of threat-related information. By the time information is shared \nwith us from the Federal agencies, it can be too late for us to address \nthe threat. Under our current situation, the damage is already done and \nwe have moved into mitigation mode if we were impacted by the threat. 
\nImproving the timeliness of the threat communication would also better \nposition us to take preventive actions on the front end in hopes to \nfend off or, if penetrated, minimize the impact to our system.\n    Additionally, expanding the number of ``secret'' clearances \npermitted for cooperative staff and allowing for ``top secret'' \nclearance for select senior-level executive staff would also be \nbeneficial. This adjustment in security clearance procedures, along \nwith liability protections for information sharing with the Government, \nwould allow for more real-time and actionable information to be shared.\n                              flexibility\n    IEC would strongly encourage Congress and the Federal agencies to \navoid enacting ``one-size-fits-all'' solutions for cyber and physical \nsecurity. Our member cooperatives share a common mission, core \nprinciples and similarities in structure, but they are each independent \nand unique in the tactics, processes and protocols they utilize to \nserve their members. By affording Indiana's electric cooperatives that \nflexibility, each of our member cooperatives would be positioned to \ndeploy the measures, technologies and systems that best fit their \noperations, assets and efforts to combat cyber and physical threats. In \naddition, each cooperative would be able to account for implementation \ncosts, which helps maintain affordability, without compromising the \nsecurity measures.\n                              partnerships\n    Partnerships have been one of the most beneficial and productive \ntools used by Indiana's electric cooperatives in addressing the \ncybersecurity issue. The partnerships that have been most successful \nfor us have generally been cooperative to cooperative based. Indiana's \nelectric cooperatives have also benefited from their relationships with \nother private organizations, i.e. 
ACES, through their interactions with \ntheir Regional Transmission Organizations (RTO) as well as our national \nassociation, the National Rural Electric Cooperative Association \n(NRECA). While electric cooperatives were born with the assistance of \nthe Federal Government in the 1930s, our approach has generally been to \nwork within the cooperative community or the private sector to find \ncost effective solutions to the issues facing our industry. These types \nof partnerships, along with finding additional opportunities to enhance \nthe working relationship between the responsible Federal agencies and \nour member cooperatives through our members and through the NRECA, \nshould be encouraged as well. The Electricity Sector Coordinating \nCouncil (ESCC) is a great example of one of these partnerships. With \nthe ESCC you see individual cooperative G&Ts, as well as participants \nfrom the Investor Owned Utilities and Municipal Electric Utilities, and \nthe associated trade associations at a table with the Department of \nEnergy (DOE), FERC, NERC and the Department of Homeland Security (DHS) \nworking together to identify and find solutions.\n                              consistency\n    Due to the multiple levels of government oversight concerning \ncybersecurity (e.g. FERC, NERC and NERC's regional entities), finding \nconsistency in the compliance process has had its challenges. The vague \nnature of some of the cybersecurity standards coupled with \ninconsistencies in the interpretation and auditing of those standards \nhave created challenges with cybersecurity compliance for our member \ncooperatives. 
Refining this process to increase consistency and by \nproviding more clarity with the respective standards would help \nstreamline the process, enhance our effectiveness and provide greater \ncertainty to our cybersecurity initiatives.\n                           physical security\n    While the focus of this hearing was specific to the issue of \ncybersecurity, IEC would like to briefly address the issue of physical \nsecurity. There has been increased discussion surrounding this issue \ndue to recent events and IEC acknowledges the importance of protecting \nour physical assets as well. The current initiative by FERC and NERC to \ndevelop physical security standards for critical assets is viewed as a \npositive step by Indiana's electric cooperatives. There is more to be \naccomplished with this effort and we welcome the opportunity to engage \nand provide our perspective throughout the process.\n                               conclusion\n    My comments today outlining areas of opportunity should not be \nviewed negatively on the interactions Indiana's electric cooperatives \nhave had to date with the Federal agencies engaged in the cybersecurity \narena. Our member cooperatives who work most closely with FERC, NERC, \nDHS and DOE, to name a few, would agree significant improvements and \nadvancements have been made in all of these areas since the effort \nbegan. Our primary message for you today is that we are on a good path, \nbut opportunities to improve still exist. 
Each of us, not just the \nrespective Federal agencies, must assume our individual responsibility \nto work constructively, effectively and, most importantly, in \npartnership to address both current and future cyber-related threats to \nthe reliability and security of our Nation's electric grid.\n    appendix a: descriptions of referenced cyber security mitigated \n                            vulnerabilities\nIgnorance, Indifference and Lack of Knowledge of Cyber Threat \n        Protection\n    Hoosier Energy's cybersecurity program ensures all levels of the \norganization are appropriately engaged. Responsibilities are clearly \ndelineated among leadership and those responsible for direct \ncybersecurity activities.\n    Training and awareness programs are required for all who have \naccess to cyber assets critical to the reliability of the BES. Training \ncovers why Hoosier Energy's program is important, how it protects us \nand the relevant responsibilities. In addition, Hoosier performs \nawareness exercises exemplified by a Spearphishing exercise in 2013 \nthat reduced click-thru rates from 30 percent to 2 percent.\nInformation Exfiltration\n    Hoosier Energy maintains an information protection program that \nidentifies and classifies critical information, how it can be shared \nand with whom it can be shared.\nNetwork-Based Cyber Attacks\n    Hoosier Energy maintains a separate, isolated network through the \nuse of an electronic security perimeter (ESP) that isolates its \ncritical cyber assets from less secure corporate network and \nneighboring utility connections. All communication is denied by \ndefault. 
Allowed communications are limited to specific protocols and \napproved sources from outside the ESP.\nDirect Attack on Cyber Assets\n    Like in the ESP, communication is denied by default at each \nindividual cyber asset.\n    In addition:\n      --All relevant security patches are applied judiciously\n      --Malicious software prevention is installed and kept current\n      --Strong passwords are required and changed periodically\n      --Unnecessary physical ports are blocked or disabled\nUnauthorized Access and Changes to Cyber Assets and Protective Systems\n    All access is provisioned on the principle of need-to-know. No \naccess is granted without first successfully completing a background \ncheck.\n    ESP communications are monitored and logged around the clock. Any \nchange in configuration or any attempts at unauthorized access \nautomatically creates an alert.\n    The WinCMU creates a baseline for each protected cyber asset. The \nWinCMU performs a daily comparison of the actual configuration and the \nbaseline to systematically identify and alert on unexpected changes.\nPhysical Attack on Cyber Assets\n    All critical cyber assets are protected within a physical security \nperimeter (PSP) with access controlled using key cards, monitoring and \nlogging.\n\n    Senator Landrieu. Thank you very much for that excellent \ntestimony.\n    Mr. Peters with Entergy.\nSTATEMENT OF CHRISTOPHER PETERS, VICE PRESIDENT NERC/\n            CRITICAL INFRASTRUCTURE PROTECTION \n            COMPLIANCE, ENTERGY CORPORATION\n    Mr. Peters. Good afternoon, Chairwoman Landrieu, Ranking \nMember Coats. Let me begin by thanking you for convening this \npanel and for inviting Entergy to participate. 
I'm pleased to \nappear here today to discuss Entergy's point of view on cyber \nand physical security threats to our system, the benefits of \nthe public-private partnership process, and our experiences to \ndate interfacing with the Electricity Sector Information-\nSharing and Analysis Center (ES-ISAC).\n    By way of background, Entergy Corporation is an integrated \nenergy company engaged primarily in electric power production \nand retail distribution. For some time now, Entergy has \nrecognized the uptick in cyber and physical threats that have \nthe potential to impact the reliability, safety, and security \nof our operations and the Nation's power grid. We accord such \nthreats the same attention as we have always given the forces \nof nature, including ice storms, tornadoes, hurricanes, floods, \nand extreme heat, all of which can threaten the delivery of \nsafe, reliable power.\n    Entergy supports a comprehensive strategy to managing our \ncyber and physical security defenses. This strategy leverages \nour corporate resources to minimize impacts from intentional \nand unintentional cyber or physical threats to our energy \nportfolio.\n    Importantly, these threats have strong support at the board \nof director and CEO level, which we believe is essential to \nimplementing an enterprise-wide security program with the right \namount of people for a security workforce and sufficient \nfunding of the technologies required to deal with threats and \nbreaches.\n    The threat landscape is inherently unpredictable and \nevolving, which is why mastering the fundamentals of cyber and \nphysical security is the best defense. In most cases \nattacks exploit lapses in basic operations that have been \neither ignored or which were not fully deployed.\n    One priority for Entergy is threat management. 
When a new \nthreat emerges, Entergy conducts an internal review of our \ndefense in depth plans to validate the existing security \ncontrol framework and make changes as necessary. Accordingly, \nincreasing physical security threats to energy delivery \ninfrastructures have triggered reviews and updates to our \nsecurity plans and posture, including the implementation of \nadditional physical security controls in key facilities.\n    Public-private partnership participation is a key element \nin our cyber and physical security program and can be a \nsignificant force multiplier when leveraged. To strengthen our \nposture, over the past several years we have participated in a \nnumber of public-private programs. Allow me to highlight one \nprogram we feel is particularly helpful. Since 2008 Entergy has \nreceived and responded to over 40 NERC alerts related to grid \nsecurity threats from the ES-ISAC. Based on the content of each \nalert, we quickly assemble cross-functional teams of subject \nmatter experts to evaluate the highlighted vulnerabilities, \nassess potential impacts, and carry out appropriate mitigation \nsteps.\n    Entergy considers the ES-ISAC a vital partner in achieving \nelectric sector-wide situational awareness, improving national-\nlevel response and coordination, and fostering collaboration \namong key electric sector stakeholders.\n    The public-private partnership model is not perfect and \nwill continue to evolve over time to ensure that the private \nsector can realize maximum value from our federally funded \nprograms and technologies. 
Every utility must drive the daily \ntransformation of their own cyber and physical security \nprograms to defend against constantly changing threat \nlandscapes.\n    Before concluding, I'd like to add that Entergy is a strong \nadvocate of regulations and legislation that would bolster \ninformation-sharing between public and private entities about \ncybersecurity risks and events, allowing that the protections \nare built in for confidentiality and non-recourse. We believe \naccess to information of this kind will help enhance the \nsecurity posture of utilities.\n    Thank you again for giving Entergy the opportunity to share \nits views and I hope you found these comments helpful. We look \nforward to continuing to work with you in the coming year to \nensure strong public-private relationships aimed at better \nsecuring the energy sector's critical infrastructure. I'm happy \nto answer any questions you may have.\n    [The statement follows:]\n                Prepared Statement of Christopher Peters\n    Good afternoon, Chairwoman Landrieu, Ranking Member Coats, and \ndistinguished members of the subcommittee. Let me begin by thanking you \nfor convening this panel and for inviting Entergy to participate. My \nname is Chris Peters and I am Entergy's vice-president for NERC and \nCritical Infrastructure Protection compliance, reporting to Entergy's \nexecutive vice president and chief operating officer.\n    I am pleased to appear here today to discuss Entergy's point of \nview on cyber and physical security threats to our system, the benefits \nof the public-private partnership process, and our experiences to date \ninterfacing with the Electricity Sector-Information Sharing and \nAnalysis Center (ES-ISAC).\n    By way of background, Entergy Corporation is an integrated energy \ncompany engaged primarily in electric power production and retail \ndistribution. 
Entergy owns and operates power plants with approximately \n30,000 megawatts of electric generating capacity, including more than \n10,000 megawatts of nuclear power. We deliver electricity to 2.8 \nmillion customers in Arkansas, Louisiana, Mississippi, and Texas. We \nhave approximately 14,000 employees.\n    For some time now, Entergy has recognized the uptick in cyber and \nphysical threats that have the potential to impact the reliability, \nsafety and security of our operations and the Nation's power grid. We \naccord such threats the same attention as we have always given to \nforces of nature, including ice storms, tornadoes, hurricanes, floods, \nand extreme heat--all of which can threaten the delivery of safe, \nreliable power.\n    Entergy supports a comprehensive strategy to managing our cyber and \nphysical security defenses. This strategy leverages our corporate \nresources to minimize impacts from intentional and unintentional cyber \nor physical threats to our energy portfolio. Importantly, these efforts \nhave strong support at the Board and CEO level, which we believe is \nessential to implementing an enterprise-wide security program with the \nright amount of people for a security workforce and sufficient funding \nof the technologies required to deal with threats and breaches.\n    The threat landscape is inherently unpredictable and evolving, \nwhich is why mastering the fundamentals of cyber and physical security is \nthe best defense: In most cases successful attacks exploit lapses in \nbasic operations that have been either ignored or which were not fully \ndeployed.\n    One priority for Entergy is threat management. When a new threat \nemerges, Entergy conducts an internal review of our defense-in-depth \nplans to validate the existing security control framework and make \nchanges as necessary. 
Accordingly, increasing physical security threats \nto energy delivery infrastructures have triggered reviews and updates \nto our security plans and posture, including the implementation of \nadditional physical security controls at key facilities.\n    Public-private partnership participation is a key element in our \ncyber and physical security program and can be a significant force \nmultiplier when leveraged. To strengthen our posture, over the past \nseveral years we have participated in a number of public-private \nprograms:\n      --The Government Forum of Incident Response and Security Team \nConference;\n      --The FBI's Classified Cybersecurity Threat Briefings;\n      --NERC's GridEx and GridEx II sector-wide exercises;\n      --DOE's Electricity Subsector Cybersecurity Capability Maturity \nModel (ES-C2M2) and the Control Systems Cybersecurity Training \ndelivered by Idaho National Labs;\n      --More than a few DHS' initiatives, including: Monthly \nUnclassified Nuclear Sector Threat Teleconferences, the Control Systems \nCybersecurity Program, the Cyber Security Evaluation Tool (CSET), \nClassified Nuclear Cybersecurity Threat Briefings at the National \nSecurity Agency, the Enhanced Critical Infrastructure Protection \nInitiative, and the Cyber Storm III exercise; and\n      --Lastly, Entergy worked closely with NIST and participated in \nseveral workshops during the drafting of the Cybersecurity Framework in \nrelation to Executive Order (EO) 13636: Improving Critical \nInfrastructure Cybersecurity.\n    Allow me to highlight one program we feel is particularly helpful. \nSince 2008, Entergy has received and responded to over 40 NERC alerts \nrelated to grid security threats from the ES-ISAC. Based on the content \nof each alert, we quickly assemble cross-functional teams of subject \nmatter experts (SMEs) to evaluate the highlighted vulnerabilities, \nassess potential impacts, and carry out appropriate mitigation steps. 
\nEntergy considers the ES-ISAC to be a vital partner in achieving \nelectric sector-wide situational awareness, improving national-level \nresponse and coordination, and fostering collaboration among key \nelectric sector stakeholders.\n    The public-private partnership model is not perfect and will \ncontinue to evolve over time to ensure that the private sector can \nrealize maximum value from federally funded programs and technologies. \nEvery utility must drive the daily transformation of their own cyber \nand physical security programs to defend against constantly changing \nthreat landscapes.\n    Before concluding, I would like to add that Entergy is a strong \nadvocate of regulations and legislation that would bolster information \nsharing between public and private entities about cybersecurity risks \nand events. Allowing that protections are built in for confidentiality \nand non-recourse, we believe access to information of this kind will \nhelp enhance the security posture of utilities.\n    Thank you for giving Entergy the opportunity to share its views and \nI hope you've found these comments helpful. We look forward to \ncontinuing to work with you in the coming year to ensure strong public-\nprivate relationships aimed at better securing the energy sectors' \ncritical infrastructure. I am happy to answer any questions you may \nhave.\n\n    Senator Landrieu. Thank you all very much.\n    Let me begin with a question to each of you, starting with \nDr. Katz. If you could recommend in a minute or less something \nfor the Department of Homeland Security to focus on improving \ntheir current operations--I agree with Senator Coats that the \nDepartment has turned the corner. They have the appropriate, I \nthink, leadership in place on this issue. Lots of initial \nchallenges have been sorted out. 
But if you could give 1 minute \nof testimony about what you would suggest Homeland Security do; \ntake the next step in a specific area, whether it's in \neducation, whether it's in collaboration, whether it's in \nauthorization, et cetera, et cetera, what would you say?\n    Dr. Katz. From my point of view, I think really focusing on \ncybersecurity workforce development will be very helpful. I \nthink you hit the nail on the head in the previous panel when \nyou mentioned that the requirements for cybersecurity \nprofessionals really need to be laid out precisely, because \nhearing that 200,000 students a year are needed is not very \nhelpful unless we know precisely what kind of background those \nprofessionals need and, really more importantly, without an \nunderstanding of the fact that those 200,000 professionals are \nnot all going to be identical. They're going to be people--\nyou're going to need people with different needs and different \nbackgrounds, and breaking that out further and really \nunderstanding that would be a big step forward and would allow \nthe Nation's academic institutions to better prepare to meet \nthat need.\n    Senator Landrieu. Yes, and I'm going to continue to press \nmy staff and other staffs and any witnesses. If there is such \nan effort going on, in a comprehensive, clear way trying to \nidentify that specifically, I'd like to know about it, because \nI keep looking and haven't found it. For instance, in your \ntestimony you said you've graduated 4,000 in cybersecurity-\nrelated fields. Would that include math? Would that include \ngeneral math or economics, et cetera?\n    Dr. Katz. Actually, I believe it's fairly broad, so 4,000--\n--\n    Senator Landrieu. Is very broad, and it's ``cyber-related \nfields.'' Well, you know, our Nation has a great demand for \nmath teachers that have to go into the classroom to teach \ntraditional math. We can't doublecount. Those are teachers we \nneed for the math classroom. 
Where are our math graduates going \ninto--this is additional cyber.\n    I really am going to continue to press on this until I can \nget a clear understanding to make sure we're moving in that \ndirection. But thank you for that.\n    What would you say at CenturyLink--and I really appreciate \nunderstanding the role that the Internet providers--and there \nare three main providers, correct, AT&T, Verizon, CenturyLink? \nWho else would you put on that list?\n    Mr. Mahon. We would be the top three.\n    Senator Landrieu. Is it fair to say that everybody's \nbusiness comes through your networks, everybody's?\n    Mr. Mahon. At one point or another, that's an accurate \nstatement.\n    Senator Landrieu. So one thing to consider is the outward \nperimeter, that you're it. If your systems can be secure and \nour Government partnership with the three of you can be very \ngood and solid, together we could do a lot of protection for \nwhat's inside of that perimeter, is kind of the way I'm \nthinking about it. Is that how you talk with Verizon and AT&T, \nand what would you say to the Department of Homeland Security \nabout that?\n    Mr. Mahon. Your assessment is correct. What I would say \nabout the Department of Homeland Security is, while they do \nhave very good programs with ECS and E3A, we do need to move it \nto the next level. The majority of the Homeland Security \ninformation-sharing model is a one-size-fits-all. They get \nbroad-based information from other Government agencies, they \nput it in a format suitable for dissemination across all \nverticals, all infrastructures, small to large corporations. \nWhile that's very helpful, if you are a small to medium-sized \ncompany and don't have a sophisticated information security \nprogram it is of limited value to the larger corporations, \nparticularly the critical infrastructures.\n    The analogy that I often use is that you're invited to a \nwedding and you can bring a gift to the bride. 
She certainly \nappreciates it, but she would prefer you go to her wedding \nregistry and select something she really needs.\n    That's really where we need to go today. We have very \nspecific collection requirements on how to protect our network. \nWe do not have access to all the threat information, and I \nbelieve the Government, whether it's through the Department of \nHomeland Security or other agencies, would be of better \nassistance to us if we gave them very specific requests to see \nif they could be fulfilled for information.\n    Senator Landrieu. Thank you. That's very helpful.\n    Mr. Bowers, what would you say?\n    Mr. Bowers. I would say that our exposure to DHS has been \nfairly limited. Most of what we have done has been primarily \nthrough FERC, NERC, and the regional entities that work \nunderneath NERC.\n    Senator Landrieu. The reason for that, just to clarify--you \nof course know it--is that this grid or this infrastructure is \nthe only mandatory regulated infrastructure, to my \nunderstanding, the electric grid, through FERC and NERC. So the \nother private sector companies that have financial \ninfrastructure or other energy infrastructure are not. And it's \nbeen the problem or the challenge, as Senator Coats has pointed \nout, it's hard to get the groups together to figure that out.\n    But you in the electric sector are working through it \nfairly well. I know there have been problems, but would you say \nthat that's generally correct?\n    Mr. Bowers. Yes, I would agree with that. We've certainly \nseen tremendous progress over the 7 years. I think as we've \nworked with the respective Federal agencies and as they've \ngotten to know us better, as we've gotten to know them better, \nit's certainly created a much more productive partnership.\n    As it relates to funding or areas of emphasis, I'll go back \nto a couple of things that I mentioned. 
Obviously, providing \nfunds to help bolster and streamline the information-sharing \nprocess. One of the things is being able to get real-time \ninformation that is actionable. A lot of times that's not the \nsituation, and I know that's not the goal. The goal is for \neveryone involved to be able to try to avoid these types of \nsituations, and when they do occur obviously to then mitigate \nthem to the best of our ability.\n    In addition, I mentioned supporting or the expansion of \nsecurity clearances. I think that will be beneficial to the \ninformation-sharing component. Then also, just as we've \ncontinued to work through these various standards, bringing \nthat level of consistency, both in the standards, the \ninterpretation, as well as the auditing consistency, would be \nareas of emphasis for our perspective.\n    Senator Landrieu. Mr. Peters, and then we'll get to Senator \nCoats for his questions.\n    Mr. Peters. Senator, I think DHS has done a great job at \nraising awareness around control system security, and it's my \nunderstanding that 80 percent of the control systems that are \ncoming on line have been tested for various types of cyber \nintrusions and basic security features. As we look to upgrade \nour legacy control systems to next generation, that increased \nfunding and support for R&D for control systems that have \nadvanced cyber features would be very beneficial. I know \nthere's been a tremendous amount of success between DHS, the \nIdaho National Labs, and various control systems vendors in \nthis area. So I would recommend championing continued support \nfor that area.\n    Senator Coats. Mr. Mahon, how do you work with the smaller \nbusinesses, the community banks, the smaller retails, smaller \ninvestment houses, and so forth? 
Obviously, the bigs--and we \njust have to look at the response of Target and, say, Neiman \nMarcus and others--have spent a very considerable amount of \nmoney to upgrade their systems, to put more security in place, \nat very, very considerable cost.\n    But the smaller entities really can't afford to do that. \nYet they have the same vulnerabilities, maybe not to as many \npeople, but to sizable--and Scott, I think I would ask you \nalso. You know, you're serving more rural communities, \ncustomers and so forth. How do you find the resources to do \nwhat you need to do and keep everybody on an even keel?\n    Mr. Mahon. Well, the small to mid-sized businesses have \nconcluded, Senator, exactly what you just stated, that the cost \nof IT and the type of cybersecurity protections they need they \ncannot afford. One of our lines of products and services is \nreferred to as Managed Security Services. We spend the time \nwith those customers explaining our information security \nprogram, the security across our core network, and our Managed \nSecurity Services products.\n    When they look at these types of products they can acquire \nthrough companies like CenturyLink, they can frequently make \nthe informed decision that it is better actually to outsource \nyour security to companies like CenturyLink, because we can \nprovide them with subject matter experts and a scale model that \nthey could not have an equivalent model of should they decide \nto build it on their own.\n    They are also suffering from the same shortage of \nprofessionals in the industry. The larger corporations \nobviously are able to attract them away with a little bit more \nsophisticated work in some situations. So they also suffer from \nworkforce development issues.\n    Senator Coats. Scott.\n    Mr. Bowers. Senator, I think it ultimately comes back to \nwhat our mission is, and our mission is to provide safe, \nreliable, and affordable electricity to the members that we \nserve. 
I would throw ``secure'' into that as well, based on the \ndynamics of the last decade plus.\n    With that, our distribution cooperatives are our first \nline. They work very closely with their two G&Ts. The G&Ts take \nand have more interaction with the Federal Government as it \nrelates to these issues, but with the G&Ts and the distribution \ncooperatives, they work very closely together to make sure that \nthey are making--that the distribution systems are secure.\n    Our distribution cooperatives obviously are very concerned \nabout the security of our member personal data. Those are \nthings as foundational of who we are and that we are member-\nowned. It's very near and dear to us and ultimately to who we \nare, and we have to make sure that we provide the reliability \nand security and make those investments, while also trying to \nbalance the affordability aspect on top of that.\n    Senator Coats. I'll take a response from anybody on the \npanel. How do you provide for security against insider access, \nthe equivalent of a Snowden, but within the retail sector or \nthe financial sector or whatever here, not the intelligence \nsector? What types of security procedures and hiring procedures \nand security clearances and so forth and monitoring that, of \ncourse?\n    We hear today that, as has been indicated, there are just \nindependent actors that somehow want to cause some chaos, \nwhether for personal gain or whether for just the sport of it. \nHow do you monitor all that and ensure that you don't fall \nvictim to something like that?\n    Mr. Mahon. We have an insider threat program at \nCenturyLink. It depends upon where you are in the organization. \nIf you're working classified work, you have security clearances \nand the Government process around that, as you know, is pretty \nrigorous.\n    But also, there are other positions within the company that \nyou also have to be super-vigilant around. 
We have some \nbaseline background checks we do on all employees as they enter \nthe organization. But really the insider threat is just the \nproblem, the fact that they're an insider. So really it becomes \nmore of a training program for your managers and your \nsupervisors to spot concerning behavior, so they understand \nwhen someone is performing in a manner that is out of the norm.\n    These types of events that we frequently see in the media \nof an insider doing extensive damage, if you were to do an \nafter-action on them you would learn most typically that there \nwere signs of behavior that came to the attention of key \nsupervisors, other employees, or managers. They just either \nweren't trained to spot it, they didn't realize the \nsignificance of it, or they didn't have a way to report it to \nthe appropriate organization that could do something about it.\n    So there is a very formal insider training program in a lot \nof corporations like CenturyLink and they are effective. Do you \nstill have problems? Obviously, you can't spot everyone who's \nan insider. But there are ways to manage those risks to an \nacceptable level.\n    Senator Coats. Anybody else want to address that?\n    [No response.]\n    Senator Coats. My time has run out and our time I think has \nrun out. We can submit questions for further response, but I \nwant to thank all of you and thank the Chair for convening this \nhearing, and thank all of you for participating in this. This \nis a critical issue that we need to get it right, because, as \nour former Homeland Security Secretary once said, the \nperpetrators or the criminals, the actors, the States, et \ncetera, they only have to be successful once; we have to be \nsuccessful 100 percent of the time in trying to stop all their \nefforts. So it's a real challenge. I appreciate all of your \nwork in terms of trying to keep us safe from all these cyber \nattacks and intrusions.\n    Thank you.\n    Senator Landrieu. 
Yes, and thank you, Senator Coats, for \nyour leadership. We wanted to conduct this hearing jointly and \nthe Senator provided a lot of background to allow us to do \nthat.\n    I thank all of our witnesses for your testimony today. I am \ncommitted to doing all we can in this subcommittee to continue \nto focus on these issues.\n\n                     ADDITIONAL COMMITTEE QUESTIONS\n\n    We're going to leave the record open for 2 weeks. Questions \nshould be submitted to the committee staff by close of business \nWednesday, May 21.\n    [The following questions were not asked at the hearing, but \nwere submitted to the Department subsequent to the hearing:]\n               Questions Submitted to Dr. Phyllis Schneck\n            Questions Submitted by Senator Mary L. Landrieu\n                          workforce development\n    Question. Deputy Under Secretary Phyllis Schneck, has the Secretary \ndecided to reassess all of the cybersecurity education, training, and \noutreach goals of the Department--including the goal to educate 1.7 \nmillion students by 2021?\n    If so, in what timeframe will the reassessment be completed?\n    What analysis and method will be used to create a metric that meets \nthe nature of the threat?\n    Answer. The Department of Homeland Security (DHS) has conducted a \nreassessment of its combined efforts to provide cybersecurity \neducation, training, and outreach throughout the Nation. The Department \ndetermined that it can reach the goal of 1.7 million American students \nof all ages within the original timeframe through a unity of effort \nacross the Department. 
The 1.7 million students include participants in \na number of programs:\n      --DHS continues the Integrated Cybersecurity Education \nCommunities (ICEC) project and will extend the grant that supports this \nproject, providing an additional $5 million to the grantee to ensure \nthat the project grows in the summer of 2015.\n      --DHS continues to support the National Centers of Academic \nExcellence and Scholarship for Service programs, which collectively \nreach over 18,000 students per year.\n      --DHS sponsorship of cybersecurity competitions, particularly at \nthe high school level, increases the number of students receiving \nhands-on education in cybersecurity by approximately 12,000 students \neach year.\n      --The Federal Virtual Training Environment and Cybersecurity \nTraining Events are available to 125,000 students each year.\n      --The National Initiative for Cybersecurity Careers and Studies \n(NICCS) portal directs thousands of Americans across the country to \ncybersecurity education and training programs each year.\n    Pertaining to your question on the analysis and methods used to \ncreate a metric that meets the nature of the threat: The cybersecurity \nthreat is dynamic and consists of nation-States, criminal \norganizations, individual actors, and systems degradation. The \nDepartment approaches its cybersecurity and its broader critical \ninfrastructure security and resilience missions from a risk management \nperspective which incorporates associated threats, vulnerabilities and \nconsequences. 
Under the National Infrastructure Protection Plan (NIPP), \nthe critical infrastructure community evaluates the effectiveness of \nrisk management efforts within sectors and at national, State, local, \nand regional levels by developing metrics for both direct and indirect \nindicator measurement.\n    Within the NIPP structure, sector specific agencies work with \nrepresentatives from private industry (sector coordinating councils or \nSCCs)--to bring insight to both sides in each sector. Such measures \ninform the risk management efforts of partners throughout the critical \ninfrastructure community and help build a national picture of progress \ntoward the vision of the NIPP as well as the National Preparedness \nGoal. Among other functions, the NIPP evaluation process also includes \nthe collection of performance data to assess progress in achieving \nidentified outputs and outcomes, and assessing progress toward \nachievement of the national priorities, goals and vision.\n    DHS also places tremendous value on the effectiveness of our cyber \nspecific programs, and is continuously exploring new ways to increase \ntheir impact. A key focus is on the future of cyber threats, and how to \nquantify mitigations that must be built today in order to be in place \nwhen needed later. For example, NPPD is studying the effectiveness of \ndelivering classified indicators through the Enhanced Cyber Security \nServices (ECS) program to determine the appropriate balance of cost, \nbenefit, and impact per indicator. While this balance can be hard to \ndetermine, it is the only technology that can defend at the network \nperimeter against some of the most crippling threats, such as \ndestructive malware, and is priceless in an instance that could save an \nentire network or organization from a crippling attack.\n   protection of federal networks and working with the private sector\n    Question. 
Deputy Under Secretary Schneck, what is the Department \ndoing specifically to look long term at the effectiveness of Einstein, \nContinuous Monitoring and Diagnostics, and all the rest of the suite of \nacquisitions and programs to protect networks and plan for major \nprocurements?\n    How do you know programs are continuing to be innovative?\n    How is the Department including industry in this planning so that \nthey can also plan long term for investments in solutions?\n    Answer. Effectiveness of the Continuous Diagnostics and Mitigation \n(CDM) program is monitored through annual performance targets, \nperformance measures, and quarterly reports. Once the program has \nentered the operations and maintenance phase, it will conduct annual \noperational assessments, consistent with applicable DHS requirements \nand OMB Guidance for Information Technology Business Cases (formerly \nknown as Exhibit 300s).\n    The National Cybersecurity Protection System (NCPS) program office \ntracks effectiveness of the ENSTIEN system and the protection it offers \nthrough a number of different means. By analyzing intrusion prevention \nalerts that are generated based on both commercial and Government-\nprovided classified cyber indicators the program office is able to \nbetter understand the effectiveness of the information that is being \nused to take action on malicious traffic. The Cyber Pilot Program (CPP) \nalso works to identify gaps in current capabilities and initiates pilot \nprograms that may bring new value. For example, while signature-based \nsystems will continue to have a place in cyber defense for the \nforeseeable future, there is recognition that behavioral-based systems \nare also required as part of defense in-depth. 
The NCPS Program Office \nis currently in the process of planning a CPP pilot that is analyzing a \nbehavior-based system in a real-world Department/Agency Security \nOperations Center (SOC).\n    As EINSTEIN and Continuous Diagnostics and Mitigation capabilities \nare deployed across Federal Executive Branch civilian agencies, the \nDepartment will continue to measure the impacts of these capabilities \non the security posture of Federal agencies. Even facing increased \nthreats, impacts can be reduced using real-time action and the ability \nto leverage what was learned in each event to protect ourselves and \nothers from future attempts. Furthermore, over the long term, the \nDepartment recognizes that the cyber threat landscape evolves quickly \nand, as such, it will identify and pursue cybersecurity solutions that \nquickly close gaps in network protection.\n    Overall, CDM and EINSTEIN are designed to fuse together in the \nfuture, to create a presence within the .gov for detection of threats \nat the perimeter and inside each network. That presence manifests in \nintrusion detection/prevention and CDM capabilities, but also serves as \ninformation collection across the .gov. This situational awareness can \nleverage the power of the fastest computers to correlate events seen on \ndifferent networks and form intelligence that can mitigate threats that \npreviously would have gone unnoticed.\n    Pertaining to your question on knowing the programs will continue \nbeing innovative: The NCPS and the CDM program are deeply committed to \ncontinued innovation. They are structured to be responsive to the \nconstantly evolving and dynamic threat environment by taking advantage \nof the private sector's business imperative to remain innovative for \ncompetitive purposes. Within NCPS, EINSTEIN's Intrusion Prevention \nSecurity Service (IPSS) will be deployed as a managed commercial \nservice provided by the major Tier 1 Internet Service Providers. 
\nDeploying IPSS as a managed service allows those services to evolve at \nindustry speed based on best commercial practices.\n    At its inception, the CDM program decided in the interest of \nefficiency, expediency and effectiveness to pursue commercial best fit \nin acquiring necessary tools for continuous diagnostics and mitigation. \nThe CDM Tools/Continuous Monitoring as a Service (CMaaS) blanket \npurchase agreement (BPA) is based on General Services Administration \nSchedule 70 and includes a process by which the BPA can be updated as \nnew commercial off-the-shelf products become available and are judged \nto be technically acceptable to meet the requirements of the CDM \nprogram. Furthermore, a feature of the BPA requires each of the vendor \ncompanies to regularly perform technology refresh of solutions that are \nproposed and delivered to departments and agencies.\n    In an effort to ensure that the program has the ability to evolve \nand adapt to emerging technologies, the NCPS program office has ensured \nthat it has a flexible infrastructure that can accommodate a range of \ntechnologies and scale them to meet real world scenarios. For example, \nin support of the NCPS Block 2.2 Information Sharing capability, the \nprogram office has focused initial efforts on deploying the key \ninfrastructure components necessary to support information sharing such \nas Identity, Credential & Access Management (ICAM), a secure portal to \nprovide a user interface, an enterprise service bus to support data \ntranslation between applications, and a Cross-Domain Solution (CDS) to \nsupport data exchanges at different classification levels. \nAdditionally, as the number of incidents increases, more data is \ncollected from the incidents themselves and is then correlated and \ndisseminated. 
This information sharing will reduce impacts due to \nbetter real time detection, and our ability to use each event to \nprotect the larger ecosystem.\n    Information sharing takes two forms: human and machine. Human \ninformation sharing includes personal relationships, as well as reports \ngenerated from data collected and correlated by NPPD programs that is \nformed into a human-informative visualization or reports. Information \nin the form of cyber threat indicators can be sent between machines at \nInternet speed, so that when a threat targets a site, that site already \nknows of the threat as it was alerted by an indicator.\n    Pertaining to your question on how the Department is including \nindustry in the planning: CDM has a long history of collaboration with \nindustry, using technologies developed in private sector and \ncontinually reconnecting with their private sector vendors to ensure \nthat the CDM leverages the latest private sector innovations.\n    Prior to release of the original Blanket Purchase Agreement (BPA), \nin June and August 2012, the program held industry days to provide \ninsight into the program's upcoming solicitation approach. 
Once the BPA \nwas established in August 2013, the program conducted additional \nIndustry Days (regarding the next set of solicitations for CDM tools \nand integration services for up to 60 agencies), training (both \noverview and hardware asset management), special notices, advanced \nnotices, Web sites and considering other means to ensure active \ncollaboration with industry.\n    The CDM program actively collaborates with its Agency stakeholders, \nas well as the 17 vendor companies that hold prime contracts under the \nBPA. The program has an established Leap Ahead technologies program \nthat conducts outreach with industry to be kept apprised of \ntechnological developments as they are made available commercially. The \nProgram is budgeted to manage the procurement and program lifecycle \nactivities to include a BPA recompete starting in fiscal year 2017.\n    The NCPS Program Office utilizes Requests for Information (RFI) and \nactively participates in Industry Days at both the Department and \nprogram level to keep industry informed. Additionally, NSD's Cyber \nPilot Program conducts market research as part of its gap analysis \nprocess.\n                                 ______\n                                 \n              Questions Submitted by Senator Thad Cochran\n    Question. I think we understand the importance of traditional \nranges for testing and exercising with conventional weapons like \naircraft, guns, or missiles.\n    Could you explain to the subcommittee the function and value of \ndeveloping and utilizing ranges in the cyber domain? Are there ongoing \nefforts to connect the cyber ranges so that we can test cyber tools on \nmore realistic virtual ranges and perform larger, more high fidelity \nexercises in the cyber domain?\n    Answer. Ranges in the cyber domain allow cyber professionals to \ntest system operations and their own skills and abilities. 
Overall, \nranges directly contribute to DHS's commitment to ensuring that \noperational software and/or hardware systems are validated against both \nbest practices and the systems' compliance with Government \nrequirements. NPPD leads the Federal Government's effort to secure \ncivilian Government computer systems, and works with industry and State, \nlocal, tribal, and territorial governments to secure critical \ninfrastructure and information systems. DHS must validate information \nsystem security configurations both prior to and after deploying the \nsystem in an operational environment. With these requirements in mind, \ncyber ranges provide a controlled, predictable environment where \noperational systems can be tested and evaluated against known stressors \nsuch as cyber attacks or improper configuration. For example, a \nsimulated environment could be used to conduct user acceptance training \nand to complete performance and load testing of the National \nCybersecurity Protection System (NCPS) applications. This type of \nenvironment would inject real-world threat data and measurement \ninstruments, offering a valuable realistic training experience for \npersonnel.\n    In addition to NPPD programs, operational elements across the DHS \nenterprise could also leverage a range to validate and test the \ncapabilities of present and future security and forensics products. 
A \nrange that allows for large-scale testing within an adaptable \nenvironment would provide the capability to verify the potential \nbenefits of products and tools before purchase, test tools against new \nthreats, and allow personnel to familiarize themselves with innovative \ntools.\n    Pertaining to your question on ongoing efforts to connect to cyber \nranges: Yes, the DOD Enterprise Cyber Range Environment Forum has \ndeveloped a charter to federate the cyber ranges across the DOD \nenterprise so that tools testing capability can be integrated with the \nability to conduct exercises.\n    Question. There has been much discussion about how involved the \nFederal Government should be in defending infrastructure owned by non-\nFederal entities.\n    How would you define the threshold for what types of non-Federal \ninfrastructure might qualify as ``critical'' for these purposes?\n    Answer. The Federal Government does not have thresholds for when it \nwould defend non-Federal infrastructure from cyber attacks. The \nDepartment, working with public and private sector partners, has \nidentified infrastructure--both public and private--where a \ncybersecurity incident could reasonably result in catastrophic regional \nor national effects on public health or safety, economic security, or \nnational security. The resulting list of entities, identified under \nExecutive Order 13636, has been briefed to relevant Congressional \nCommittees and the entities themselves have been notified of their \ndesignation.\n    The statutory definition of critical infrastructure is, ``Systems \nand assets, whether physical or virtual, so vital to the United States \nthat the incapacity or destruction of such systems and assets would \nhave a debilitating impact on security, national economic security, \nnational public health or safety, or any combination of those \nmatters.'' 42 U.S.C. section 5195c(e). 
Cooperation with these entities \nand clearly defining lanes of responsibility across the Federal \nGovernment are vitally important for our engagement with these \nentities.\n    We have heard about the importance of cooperation and clearly \ndefined lanes of responsibility across the Federal Government for our \ncybersecurity efforts.\n    Question. What are your respective roles in receiving and sharing \nthreat information with the private sector?\n    Answer. DHS shares timely and actionable cybersecurity information \nacross its partners and constituents to establish and maintain shared \nsituational awareness. The types of cyber information DHS shares most \noften include alerts and warnings, analysis of actor tactics, \ntechniques and procedures to aid in incident detection, indicators of \nmalicious activity and supporting contextual information, best \npractices, vulnerability information and assessments, and trend \nanalysis.\n    Working across the department with our cyber capabilities housed in \nthe U.S. Secret Service, Coast Guard, CBP, ICE, and others, DHS has \nseveral programs in place to help facilitate the sharing of timely, \nactionable information to and from the private sector:\n      --The National Cybersecurity and Communications Integration \nCenter (NCCIC) is a 24x7 center responsible for providing a common \noperating picture for cyber and communications across the Federal, \nState, and local government, intelligence and law enforcement \ncommunities, and the private sector. The NCCIC is based in DHS's Office \nof Cybersecurity and Communications (CS&C), a component of the National \nProtection & Programs Directorate (NPPD). On both a steady-state and \nemergency basis, it fuses, coordinates, and shares information from its \noperational elements, including:\n        --The U.S. 
Computer Emergency Readiness Team (US-CERT), which \nresponds to cybersecurity incidents and analyzes information from \nmultiple sources to develop timely and actionable alert and warning \nproducts for public and private sector partners.\n        --The Industrial Control Systems Cyber Emergency Response Team \n(ICS-CERT), which works to reduce risk to the Nation's critical \ninfrastructure through public-private partnerships and by providing \nonsite support to private sector industrial control systems owners and \noperators for protection against and response to cyber threats, \nincluding incident response, forensic analysis, and site assessments.\n        --The National Coordinating Center for Telecommunications \n(NCC), which leads and coordinates the initiation, restoration, and \nreconstitution of National Security/Emergency Preparedness (NS/EP) \ntelecommunications services or facilities under all conditions.\n        --NCCIC Operations and Integration (NO&I), which leverages \nplanning, coordination, and integration capabilities to synchronize \nanalysis, information sharing, and incident response efforts to ensure \neffective synchronization across capabilities.\n        --Integrating information from all partners--private and public \nsectors, including State, local, tribal and Federal, in both the cyber \nand communications arenas--the NCCIC creates and shares a common \noperational picture, coordinates response activities, and protects our \nNation's critical networks.\n      --Through the Cybersecurity Information Sharing and Collaboration \nProgram (CISCP), DHS has established a systematic approach to cyber \nthreat information sharing and collaboration between DHS and the 16 \ncritical infrastructure sectors.\n        --By sharing unclassified cyber threat indicators, DHS enables \nthe detection, prevention, and mitigation of threats. 
This builds a \nmore holistic understanding of cyber threat activity occurring across \nthe 16 critical infrastructure sectors and across the Federal \nGovernment.\n        --Through these partnerships, CISCP enables information sharing \nand collaboration with our critical infrastructure partners to share \nnew cyber threat, incident, and vulnerability information. This exchange \nis conducted in near-real time to enhance collaboration and to better \nunderstand the threat and improve network defense for the entire \ncommunity.\n        --A key aspect of CISCP is its bi-directional information \nsharing construct. CISCP participants submit indicators of cyber threat \nactivity on their network to DHS that can be shared with other CISCP \nparticipants in an anonymized, aggregated fashion. Furthermore, the \nNCCIC allows cleared sector participants onto the NCCIC floor to ensure \nclose coordination and communication when an event occurs.\n                                 ______\n                                 \n             Questions Submitted by Senator Lisa Murkowski\n    Question. The President's Executive Order (EO) 13636 on \ncybersecurity and its accompanying Presidential Policy Directive (PPD) \n21 directed the National Institute of Standards and Technology to \ndevelop a voluntary cybersecurity framework in partnership with private \nindustry. As you know, the Energy Policy Act of 2005 established \nmandatory cyber and physical security standards for the electric \nindustry through the Federal Energy Regulatory Commission/North \nAmerican Electric Reliability Corporation (FERC/NERC) stakeholder \nprocess. Via the FERC/NERC stakeholder process these cybersecurity \nstandards have been continuously updated and revised since the law's \nenactment to reflect ever-changing cyber threats. 
The industry is now \non CIP Version 5 which includes 12 new requirements and also \nprioritizes cyber assets.\n    How does the voluntary framework called for in EO 13636 and PPD-21 \ninterface with the mandatory standards already in place for the \nelectric industry? For example, what if a voluntary measure under the \nNIST framework conflicts with a mandatory standard?\n    Answer. Because the Cybersecurity Framework is a voluntary \napproach, organizations can determine how to best use the Framework so \nthat it meets their business requirements. It is designed to be \nsupplemental, not a replacement for industry regulations. If utilities \nare currently regulated, or become subject to regulation, then \nregulations would take compliance precedence and the Framework could be \nused to supplement these requirements.\n    Question. What actions are DHS either currently undertaking or \nplanning to undertake to protect the grid (at both the transmission and \ndistribution level) from cyber threats? To what extent is DHS \nduplicating ongoing grid-protection efforts by FERC, NERC and State \npublic utility commissions?\n    Answer. The Department's National Protection and Programs \nDirectorate (NPPD) supports critical infrastructure owners and \noperators in preparing for, preventing, protecting against, mitigating \nfrom, responding to, and recovering from all-hazards events, such as \ncyber incidents, terrorist attacks, and natural disasters. The National \nInfrastructure Coordinating Center (NICC) and the National \nCybersecurity and Communications Integration Center (NCCIC) fulfill \nthis DHS responsibility within the critical infrastructure partnership.\n    Stakeholders throughout the critical infrastructure community--\nowners and operators; Federal partners; regional consortia; and State, \nlocal, tribal, and territorial governments--can, and do, connect to the \nNICC and NCCIC. 
In turn, these centers, along with an integrated \nanalysis function, build situational awareness across critical \ninfrastructure sectors based on partner input and provide information \nwith greater depth, breadth, and context than information from any \nindividual partner or sector.\n    As a part of the NCCIC's overall cyber coordination and response \ncapabilities, NCCIC operates the Industrial Control Systems Cyber \nEmergency Response Team (ICS-CERT). ICS-CERT coordinates control \nsystems-related security incidents and information sharing with \ngovernment, and private sector constituents, including vendors, owners \nand operators, and international and private sector CERTs. The focus on \ncontrol systems cybersecurity provides a direct path for coordination \nof activities among all members of the critical infrastructure \nstakeholder community as well as representatives from law enforcement. \nThis effort spans all phases of electric power and includes:\n      --Standards Development.--In 2010, ICS-CERT was a key member of \nthe Smart Grid Interoperability Panel, Cyber Security Working Group \nwhich helped develop and issue the NIST Guidelines for Smart Grid Cyber \nSecurity (NISTIR 7628, September 2010).\n      --Cybersecurity Assessments.--To date, ICS-CERT has directly \nassisted 50 asset owners in the electric subsector by performing these \nassessments and providing strategies for improving their defensive \nposture.\n      --Vulnerability Handling and Dissemination of Mitigation \nStrategies.--To date, ICS-CERT has addressed over 600 vulnerabilities, \nmany of which affect devices and software used in electric grid control \nsystems.\n      --Incident Response Services.--To date, ICS-CERT has provided \nincident response services to 114 electric sector organizations by \nanalyzing malware, reviewing digital media from hard drives and log \nfiles, and recommending strategies for recovery and preventing future \nintrusions.\n      --Training to 
improve asset owners' cybersecurity skills and \npractices:\n        --ICS-CERT provides cybersecurity training to network \nadministrators and control system professionals. Courses in \ncybersecurity principles and best practices are offered through on-line \ncourses and instructor-led classes.\n      --Situational Awareness.--ICS-CERT provides actionable \nsituational awareness through briefings, alerts, advisories, and \nindicator bulletins. ICS-CERT conducts both unclassified and classified \nbriefings and disseminates information on the Secure Portal and on its \nWeb site.\n    Pertaining to your question on the extent DHS is duplicating \nongoing efforts by FERC, NERC, and State public utility commissions: \nDHS is not duplicating efforts with the Federal Energy Regulatory \nCommission (FERC), the North American Electric Reliability Corporation \n(NERC), or the State public utility commissions but rather ensuring \ncoordination of efforts. As instructed by Presidential Policy Directive \n21, among other authorities, DHS provides cybersecurity information \nsharing, technical assistance and national coordination to enhance the \nsecurity resilience of U.S. critical infrastructure. DHS does not \ndirectly provide the protection but assists critical infrastructure \nowners and operators in securing their own systems and coordinating \ntheir information sharing across sectors and between different \npartners.\n    NCCIC/ICS-CERT coordinates regularly with NERC via the Electricity \nSector Information Sharing and Analysis Center (ES-ISAC) to ensure \nsharing of incident related information and dissemination of \ninformation products. This eliminates duplication of effort when \ntriaging threat and vulnerability information. ICS-CERT also partners \nwith FERC to conduct assessments at utilities to ensure consistent \nmessaging and a unified methodology for assessing cybersecurity. 
In \naddition, ICS-CERT hosts weekly Secure Video Teleconferences, and \nconducts monthly information sharing sessions with energy sector \nstakeholders via both classified and unclassified means, that are \nattended by the Department of Energy, the non-regulatory Office of \nEnergy Infrastructure Security (OEIS) within the Federal Energy \nRegulatory Commission (FERC), the Nuclear Regulatory Commission (NRC), \nthe Federal Bureau of Investigation (FBI), NERC and the ES-ISAC.\n    Question. You testified that NPPD is working with DOE to implement \na sustained outreach strategy to energy sector chief executive officers \nto elevate risk management of evolving physical and cyber threats to \nthe enterprise level.\n    Please explain more fully. What other sectors has DHS undertaken \nsuch an outreach effort with?\n    Answer. In addition to incident response activities, ICS-CERT and \nthe FBI, in coordination with the Department of Energy (DOE), the \nElectricity Sector Information Sharing and Analysis Center (ES-ISAC), \nTransportation Security Administration (TSA), the Oil and Natural Gas \nand Pipelines Sector Coordinating Council's Cyber Security Working \nGroup, and other partners conducted a series of ``Action Campaign'' \nbriefings at both the Secret and Unclassified levels to provide further \ncontext of a specific threat and to highlight mitigation strategies. \nThe briefing campaign began in June 2013 and covered major markets \nacross the United States. These classified briefings have reached over \n750 private sector attendees, many of whom were directly associated \nwith power grid operations. Outreach activities in the form of risk and \nmitigation briefings play a key role in mitigating risks to critical \ninfrastructure.\n    While the energy sector was the focus for the action campaign \nbriefings, NCCIC/ICS-CERT has always allowed other cleared sector \nparticipants to join these briefings. 
In addition, ICS-CERT holds \nregular monthly and quarterly classified and unclassified briefings for \nthe nuclear, manufacturing, chemical, dams, water, transportation \nsectors.\n    Question. You testified that ``[l]egislation providing a single \nclear expression of DHS cybersecurity authority would greatly enhance \nand speed up the Department's ability to engage with affected entities \nduring a major cyber incident and dramatically improve the \ncybersecurity posture of Federal agencies and critical \ninfrastructure.'' Such legislation, however, could undermine the \nmandatory cybersecurity standards we already have in place for the \nelectricity industry as a result of the 2005 Energy Policy Act.\n    Please comment. Is DHS proposing to usurp the grid protection \nauthorities already granted by Congress to FERC and NERC?\n    Answer. NERC and FERC have clear functions--one is to increase the \nfunctionality and reliability through standards for grid operations and \nthe other is the U.S. regulator of grid owners and operators. The \nAdministration is not seeking to supplant these efforts. Rather it has \nasked the Congress to codify the existing voluntary cybersecurity \ntechnical assistance and mitigation role the Department of Homeland \nSecurity (DHS) plays in supporting critical infrastructure.\n    DHS is neither a regulator nor a standards body for the electric \nsector, but provides cybersecurity assistance through information \nsharing and technical assistance on a voluntary basis when requested. \nDHS, under PPD-21, is responsible for leading and coordinating the \nnational effort to protect critical infrastructure from all hazards, \nincluding cyber incidents, by managing risk and enhancing resilience \nthrough collaboration with the critical infrastructure community. 
To \nachieve this end, DHS works with public and private sector partners, \nincluding the Department of Energy, FERC, and NERC, to identify and \npromote effective solutions for security and resilience to manage the \nevolving risk environment.\n\n                         CONCLUSION OF HEARING\n\n    Senator Landrieu. Without further business, the \nsubcommittee is adjourned. Thank you.\n    [Whereupon, at 3:30 p.m., Wednesday, May 7, the hearing was \nconcluded, and the subcommittee was recessed, to reconvene \nsubject to the call of the Chair.]\n</pre></body></html>\n"