[Senate Hearing 113-]
[From the U.S. Government Publishing Office]


 
     INVESTING IN CYBERSECURITY: UNDERSTANDING RISKS AND BUILDING 
                      CAPABILITIES FOR THE FUTURE

                              ----------                              


                         WEDNESDAY, MAY 7, 2014

                               U.S. Senate,
                 Subcommittee on Homeland Security,
                               Committee on Appropriations,
                                                    Washington, DC.
    The subcommittee met at 2:01 p.m., in room SD-192, Dirksen 
Senate Office Building, Hon. Mary L. Landrieu (chairman) 
presiding.
    Present: Senators Landrieu, Coons, Coats, and Cochran.


             opening statement of senator mary l. landrieu


    Senator Landrieu. Good afternoon, everyone. Let me call our 
meeting to order, please. This is a meeting of the 
Appropriations Subcommittee for Homeland Security. I appreciate 
being joined by my ranking member, Senator Coats, and I 
appreciate all the work of Senator Coons. Thank you for being 
here as well. You've both been leaders in the area of 
cybersecurity and I appreciate your support and help.
    I thank our panelists for being here.
    I'm going to shorten my opening statement, turn it then to 
Senator Coats and Senator Coons if you have a brief opening 
statement, go right into the panelists. We've had a vote called 
at 3:15, so we're going to try to see if we can work through 
the next hour and a half and not have to come back after the 
vote. But we are very interested, of course, in the testimony, 
and that will be subject to change as we go.
    But today we meet to review our level of investment in 
cybersecurity and the results that we have achieved to date. 
Our purpose is to better understand the new and emerging risk 
as well as the capabilities that we need to continue to build 
to secure our networks for the future.
    Serving on both the Homeland Security subcommittee and the 
Energy subcommittee, I believe that I have a unique 
perspective, along with other members as well, on the extent 
that critical infrastructure throughout our country relies more 
and more on our interdependent technologies that we need to 
grow, innovate, and keep our country thriving. Without the use 
of the Internet and advances in smart grid technology, for 
instance, America's companies would not be able to keep the 
power on in the most affordable, efficient way our Nation has 
ever known.
    Today we will talk about some of the vulnerabilities facing 
these critical networks, what we're doing through Homeland 
Security to help and be supportive of keeping our Government 
and our economy strong and growing. We are all aware of some of 
the threats that have occurred. We'll talk more specifically 
about that, but I want to just thank you all for being a part 
of this hearing.
    We've got a wonderful panel that I'll introduce in just a 
moment, a first and a second panel. At this point I'm going to 
turn it over to Senator Coats for his opening remarks.


                   statement of senator daniel coats


    Senator Coats. Madam Chairman, thank you. I'm going to be 
brief also, given that vote coming up and the fact that we want 
to get to the substance of this hearing.
    We all know how interconnected we have become and 
unfortunately vulnerable, vulnerable to some bad actors that 
have not only disrupted a lot of people's personal lives by 
securing their private information, but also pose a major 
threat to our critical infrastructure. This cyber threat has 
been labeled by many in the security business and in our 
national security and military as the number one threat to the 
United States. Now, there are a lot of threats out there, but 
this is serious.
    A number of us, the three of us on this panel that are here 
today and others, have been working for some amount of time 
through a couple of different Congresses to try to come up with 
legislation that strengthens our ability to prevent these types 
of attacks and protect our critical infrastructure as well as 
the retail outlets and American business and just about 
everyone who's affected with this. In fact, my law school alma 
mater, Indiana University, was hacked. Fortunately, they were 
able to--so this thing runs the gamut. It's not just our 
electric grid and so forth, but it comes right down to our 
private lives and even our educational institutions.
    So clearly we need to move forward with sensible 
legislation. The Department of Homeland Security (DHS) plays a 
very critical role, not only in protecting dot-gov, but also in 
being the portal through which a lot of this has to take place 
and work through in order to provide the kind of protections we 
need. Whether it's information-sharing, whether it's working 
together with private sector and public sector, this is 
something that is urgent, and the longer we put it off the more 
vulnerable we become.
    I'm pleased that on the second panel Scott Bowers from 
Indiana will be talking about the impact of this on the private 
sector. I'm glad to have him here.
    Madam Chairman, I'm looking forward to the testimony and 
the kind of questions and back and forth we can have to 
hopefully move this thing forward in an expeditious way.
    Senator Landrieu. Thank you very much, Senator Coats.
    Senator Coons.


               statement of senator christopher a. coons


    Senator Coons. Thank you, Madam Chair. I'm grateful to you 
for your leadership on this, to Senator Coats for your 
partnership and leadership in this. This is a very real threat. 
We have issues of jurisdiction, of funding, of workforce. We've 
got a lot of good work to do and I'm really grateful for the 
service of the folks who are going to be testifying in front of 
us today.
    Thank you, Madam Chair. I'm eager to hear the testimony.
    Senator Landrieu. Thank you very much.
    Let me introduce our first panel: Mrs. Phyllis Schneck, 
Deputy Under Secretary for Cybersecurity, DHS, National 
Protection and Programs Directorate (NPPD); Mr. Peter Edge, 
Executive Associate Director, Homeland Security Investigations 
(HSI); and Mr. William Noonan, Deputy Special Agent in Charge, 
Criminal Investigations, Cyber Operations, DHS, U.S. Secret 
Service.
    Thank you all, and we'll begin with your 5-minute 
testimony.

STATEMENT OF DR. PHYLLIS E. SCHNECK, DEPUTY UNDER 
            SECRETARY FOR CYBERSECURITY, NATIONAL 
            PROTECTION AND PROGRAMS DIRECTORATE, 
            DEPARTMENT OF HOMELAND SECURITY
    
    Dr. Schneck. Good afternoon, Chairwoman Landrieu, Ranking 
Member Coats, Senator Coons. Thank you very much for the strong 
support that you've provided to the Department of Homeland 
Security and to the National Protection and Programs 
Directorate. First and foremost, we look forward to continuing 
to work with you on these issues and securing our critical 
infrastructure, our way of life, from that combined physical 
and cyber threat, as we are all connected, as you mentioned.
    Thank you very much for the opportunity to appear before 
you today to discuss our efforts for critical infrastructure 
resilience and cybersecurity. We focus very much on this 
threat, this interconnected threat, as cybersecurity and cyber 
and connectivity connect all of us through our way of life, our 
water, our banks, our electricity, all of our States. It's a 
privilege today to sit at the table with my colleagues from the 
U.S. Secret Service, from Homeland Security Investigations, 
representing that cybersecurity at the U.S. Department of 
Homeland Security is a unity of effort. It is one DHS. Along 
with our colleagues in the U.S. Coast Guard, we also enjoy a 
strong relationship with our Office of the Chief Information 
Officer to ensure that our programs also run well on our 
network and we learn from that which tries to attack the sweet 
target known as dhs.gov.
    I'm going to talk about our operations, our major 
investments, and our overall strategic vision, starting at our 
core, our National Cybersecurity and Communications Integration 
Center (NCCIC), which some of you have been able to visit. 
That--great analogy, Senator Coons--is our portal. It's our 
247 watch center, where we have cyber command and control, 
understanding inputs that come in 247 from trusted 
relationships, from partnerships in the inter-agency, law 
enforcement, intelligence community, across DHS, and certainly 
information that we learn from our own programs, those things 
that are protecting our stakeholders, our Federal civilian 
agencies, our State, local, tribal, territorial governments, as 
well as the private sector.
    One great example is the recent Heartbleed, a defect in a 
piece of software. When we found out as the U.S. Government 
that this existed, again the ability for an adversary to 
decrypt, thus make not confidential, traffic that was thought 
to be confidential through a defect in software--we found this 
out on April 7. Within 24 hours, DHS had full resources out on 
all of our Web sites for all of our stakeholders and was 
beginning the process of scanning all of the U.S. Government 
agencies to find where that software might be running.
    For our programs, we work through humans, we work through 
machines; humans through trusted partnerships, again with our 
stakeholders and certainly across Federal and State government, 
and with our private sector, building that trust across 
infrastructure, across cyber and communications, so that 
information can be shared quickly as we face an adversary that 
works with great speed, has plenty of money, and has no lawyers 
and no way of life to protect.
    We also have invested in the critical infrastructure 
cybersecurity community voluntary program to launch the efforts 
of the cybersecurity framework built by the National Institute 
of Standards and Technology (NIST) and DHS all of last year, to 
take guidelines from cybersecurity and get them into even our 
smallest companies, so that they can adopt good cybersecurity, 
bring it as a boardroom issue, and enable larger companies to 
now request better standards of cybersecurity for those 
companies that supply them, connect to them, and protect all of 
our private information.
    On the machine side, our programs protect our Federal 
Government agencies from things that come in and try to attack 
them or vulnerabilities that can cause harm. We can also detect 
those things. It's ``see something, say something,'' as with 
the rest of Homeland Security. When those programs spot 
something on one agency, we then have the ability through our 
NCCIC, our core, our portal, to spot that behaviorally, like 
your body fights a cold, and protect all the other agencies and 
the private sector with that information, at the same time 
providing all the best in privacy and civil liberties to the 
extent that our law provides, as well as showing the public 
everything we do. Full transparency is on our Web site.
    So again, we are able to use Government information and 
protect the private sector, and we roll that out to the 
critical infrastructure as well as through enhanced 
cybersecurity services, using classified information to protect 
our private-sector entities, all the while combining what we 
can see only in Government to protect all of our stakeholders.
    We can also automate, running at machine speed, sending 
information about bad cyber behavior to everybody. So again 
``see something, say something,'' with the ability to, using 
our cybersecurity integration center, through human analysis, 
machine analysis, all kinds of inputs from all kinds of 
partners, injecting that back into both automated programs as 
well as automated information that we can disseminate as widely 
as possible, as quickly as possible.
    So I've talked about a lot of high-profile programs. I 
don't want to forget the importance of our talented workforce 
and building the talent of the future. It is a priority of 
Secretary Johnson and he and I went and visited two 
universities and we'll be doing more, and we spoke to students 
in Ph.D. programs as well as undergrad programs. I've also gone 
out and spoken with students at both the high school level and 
the college level, so that we can begin to truly look at how we 
not only show the talent of the future what DHS can do and what 
they can learn from our larger mission, again from the Secret 
Service, Homeland Security Investigations, U.S. Coast Guard, 
our CIO, Federal Emergency Management Agency (FEMA), and 
others, but also we can identify that talent set that we'll 
need to be training for, so that we can start to look at how we 
build that talent going forward.
    I thank you very much again for your support and look very 
forward to working with you, continuing to work with you, as we 
build these programs and certainly, Chairwoman Landrieu, 
Ranking Member Coats, and Senator Coons, look very forward to 
your questions. Thank you.
    [The statement follows:]
               Prepared Statement of Dr. Phyllis Schneck
                              introduction
    Chairwoman Landrieu, Ranking Member Coats, and distinguished 
members of the subcommittee, let me begin by thanking you for the 
strong support that you have provided the Department of Homeland 
Security (DHS) and the National Protection and Programs Directorate 
(NPPD). We look forward to continuing to work with you in the coming 
year to ensure a homeland that is safe, secure, and resilient against 
terrorism and other hazards.
    Thank you for the opportunity to appear before the committee today 
to discuss NPPD's efforts to strengthen the Nation's critical 
infrastructure security and resilience against cyber events and other 
catastrophic incidents. The President's fiscal year 2015 budget request 
for NPPD is $2.9 billion, offset by $1.3 billion in collections for the 
Federal Protective Service. This request includes $746 million for 
cybersecurity capabilities and investments.
    America's national security and economic prosperity are 
increasingly dependent upon physical and digital critical 
infrastructure that is at risk from a variety of hazards, including 
attacks via the Internet. I view integrating cyber and physical 
security as integral to the larger goal of infrastructure security and 
resilience. DHS approaches physical security and cybersecurity 
holistically; both to better understand how they integrate and how best 
to mitigate the consequences of attacks that can cascade across all 
sectors of critical infrastructure. This risk management approach helps 
drive the discussion at the executive level in organizations of all 
sizes across government and industry, where it can have the most impact 
on resources and implementation.
  leveraging integrated capabilities: implementing ppd-21 and eo 13636
    On February 12, 2013, the President signed Executive Order (EO) 
13636, Improving Critical Infrastructure Cybersecurity and Presidential 
Policy Directive (PPD) 21, Critical Infrastructure Security and 
Resilience, which set out steps to strengthen the security and 
resilience of the Nation's critical infrastructure, and reflect the 
increasing importance of integrating cybersecurity efforts with 
traditional critical infrastructure protection. Taken together EO 13636 
and PPD-21 are foundational efforts for helping drive the security 
market and provide a framework for critical infrastructure to increase 
their cybersecurity efforts. To implement both EO 13636 and PPD-21, the 
Department established an Integrated Task Force to lead DHS 
implementation and coordinate interagency, public and private sector 
efforts, and to ensure effective integration and synchronization of 
implementation across the homeland security enterprise.
    The fiscal year 2015 budget request reflects targeted enhancements 
to continue implementation of the EO and PPD. Enhancements of $14 
million, including 48 positions, is requested for the Critical 
Infrastructure Cyber Community (C\3\ or ``C-Cubed'') Voluntary Program; 
Enhanced Cybersecurity Services (ECS); Regional Resiliency Assessment 
Program; National Coordinating Center (Communications) (NCC) 247 
communications infrastructure response readiness. NPPD has partially 
offset these enhancements with $9 million in reductions to realign 
resources to support these key EO and PPD initiatives. The following EO 
and PPD initiatives in the fiscal year 2015 budget specifically enhance 
cyber capabilities:
C\3\ Voluntary Program
    The C\3\ Voluntary Program is a public-private partnership aligning 
business enterprises as well as Federal, State, local, tribal, and 
territorial (SLTT) governments to existing resources that will assist 
their efforts to use the National Institute of Standards and Technology 
Cybersecurity Framework to manage their cyber risks as part of an all-
hazards approach to enterprise risk management. The program emphasizes 
three elements: converging CI community resources and driving 
innovation and markets to support cybersecurity risk management and 
resilience through use of the Cybersecurity Framework; connecting CI 
stakeholders to the national resilience effort through cybersecurity 
resilience advocacy, engagement and awareness; and coordinating CI 
cross-sector efforts to maximize national cybersecurity resilience. The 
$6 million enhancement, including 10 positions, is requested to manage 
and support this program and increase the number of evaluations 
completed.
Enhanced Cybersecurity Services
    The ECS capability enables owners and operators of critical 
infrastructure to enhance the protection of their networks from 
unauthorized access, exfiltration, and exploitation by cyber threat 
actors. The requested enhancement of 24 positions and $3 million allows 
ECS to execute the operational processes and security oversight 
required to share sensitive and classified cyber threat information 
with qualified Commercial Service Providers that will enable them to 
better protect their customers who are critical infrastructure 
entities.
Regional Resiliency Assessment Program (RRAP)
    The $5 million, including 11 positions, is requested to complete 
five additional cyber-centric RRAPs. Through these RRAPs, NPPD will 
identify cross-sector physical and cyber interdependencies and better 
understand the consequences of disruptions to lifeline sectors. We 
often observe that physical consequences can have cyber origins and 
anticipate that the findings will provide valuable data about the 
energy, water, and transportation sectors and their reliance on cyber 
infrastructure.
National Coordinating Center for Communications Operations
    The proposed increase of three positions and $1 million in funding 
to the NCC will maintain 247 communications infrastructure response 
readiness and requirements coordination between FSLTT and industry 
responders. Due to the loss of staff previously provided to DHS from 
the Department of Defense on a non-reimbursable basis, the NCC will no 
longer be able to provide 247 readiness without these additional 
resources.
                               heartbleed
    The Department recently responded to a serious vulnerability, known 
as ``Heartbleed,'' in the widely used OpenSSL encryption software that 
protects the electronic traffic on a large number of Web sites and 
devices. Although new computer ``bugs'' and malware crop up almost 
daily, this vulnerability is unusual in its pervasiveness across our 
infrastructure, its simplicity to exploit, and the depth of information 
it compromises.
    While the Federal Government was not aware of the vulnerability 
until April 7th, DHS responded in less than 24 hours, utilizing the 
National Cybersecurity and Communications Integration Center (NCCIC) to 
release alert and mitigation information to the public, create 
compromise detection signatures for the EINSTEIN system, and reach out 
to critical infrastructure sectors, Federal departments and agencies, 
SLTT governments, and international partners. Once in place, DHS also 
began notifying agencies that EINSTEIN signatures had detected possible 
activity, and immediately provided mitigation guidance and technical 
assistance. Additionally, DHS worked with civilian agencies to scan 
their .gov Web sites and networks for Heartbleed vulnerabilities, and 
provided technical assistance for issues of concern identified through 
this process.
    Of note, the Administration's May 2011 Cybersecurity Legislative 
Proposal called for Congress to provide DHS with clear statutory 
authority to carry out this operational mission, while reinforcing the 
fundamental responsibilities of individual agencies to secure their 
networks, and preserving the policy and budgetary coordination 
oversight of OMB and the EOP. Even with the rapid and coordinated 
Federal Government response to Heartbleed, the lack of clear and 
updated laws reflecting the roles and responsibilities of civilian 
network security caused unnecessary delays in the incident response.
                  integrated cybersecurity operations
    Along with our operational assistance, DHS has several programs 
that directly support Federal civilian departments and agencies in 
developing capabilities that will improve their own cybersecurity 
posture. Through the Continuous Diagnostics and Mitigation (CDM) 
program, led by the NPPD Federal Network Resilience Branch, DHS enables 
Federal agencies to more readily identify network security issues, 
including unauthorized and unmanaged hardware and software; known 
vulnerabilities; weak configuration settings; and potential insider 
attacks. Agencies can then prioritize mitigation of these issues based 
upon potential consequences or likelihood of exploitation by 
adversaries.
    Available to all Federal civilian agencies, the CDM program 
provides diagnostic sensors, tools, and dashboards that provide 
situational awareness to individual agencies and at a summary Federal 
level. This allows agencies to target their cybersecurity resources 
toward the most significant problems, and enables comparison of 
relative cybersecurity posture between agencies based upon common and 
standardized information. The CDM contract can also be accessed by 
defense and intelligence agencies, as well as by State, local, tribal, 
and territorial (SLTT) governments. 108 departments and agencies are 
currently covered by Memoranda of Agreement with the CDM program, 
encompassing over 97 percent of all Federal civilian personnel. In 
fiscal year 2014, DHS issued the first delivery order for CDM sensors 
and awarded a contract for the CDM dashboard. The $143 million and 15 
staff requested in fiscal year 2015 will support deployment of the 
Federal dashboard and capabilities to Federal agencies.
    In addition, the National Cybersecurity Protection System (NCPS), a 
key component of which is referred to as EINSTEIN, is an integrated 
intrusion detection, analytics, information sharing, and intrusion-
prevention system utilizing hardware, software, and other components to 
support DHS responsibilities for protecting Federal civilian agency 
networks. In fiscal year 2015, the program will expand intrusion 
prevention, information sharing, and cyber analytic capabilities at 
Federal agencies, marking a critical shift from a passive to an active 
role in cyber defense and the delivery of enterprise cybersecurity 
services to decision-makers across cybersecurity communities.
    In July 2013, EINSTEIN 3 Accelerated (E3A) became operational and 
provided services to the first Federal Agency. As of February 2014, 
Domain Name System and/or email protection services are being provided 
to a total of seven departments and agencies. Full Operational 
Capability is planned for fiscal year 2016. With the adoption of E3A, 
DHS will assume an active role in defending .gov network traffic and 
significantly reduce the threat vectors available to malicious actors 
seeking to harm Federal networks. In fiscal year 2015, $378 million is 
requested for NCPS. We will continue working with the Internet Service 
Providers to deploy intrusion prevention capabilities, allowing DHS to 
provide active, in-line defense for all Federal network traffic 
protocols.
    It is important to note that the Department has strong privacy, 
civil rights, and civil liberties standards implemented across its 
cybersecurity programs. DHS integrates privacy protections throughout 
its cybersecurity programs to ensure public trust and confidence. DHS 
is fully responsible and transparent in the way it collects, maintains, 
and uses personally identifiable information.
Operational Response
    Increased connectivity has led to significant transformations and 
advances across our country and around the world. It has also increased 
complexity and exposed us to new vulnerabilities that can only be 
addressed by timely action and shared responsibility. Successful 
responses to dynamic cyber intrusions require coordination among DHS, 
the Departments of Justice (DOJ), State (DOS) and Defense (DOD), the 
Intelligence Community, the specialized expertise of sector specific 
agencies such as the Department of the Treasury, private sector 
partners--who are critical to these efforts--and SLTT, as well as 
international partners, each of which has a unique role to play.
    DHS is home to the National Cybersecurity and Communications 
Integration Center (NCCIC), a national nexus of cyber and 
communications integration. A 247 cyber situational awareness, 
incident response, and management center, NCCIC partners with all 
Federal departments and agencies, SLTT governments, private sector and, 
critical infrastructure owners and operators, and international 
entities. The NCCIC disseminates cyber threat and vulnerability 
analysis information and assists in initiating, coordinating, 
restoring, and reconstituting national security/emergency preparedness 
(NS/EP) telecommunications services and operates under all conditions, 
crises, or emergencies, including executing Emergency Support Function 
#2--Communications Annex responsibilities under the National Response 
Framework.
    The NCCIC also provides strategic cyber-threat analysis, through 
its United States Computer Emergency Readiness Team (US-CERT) and the 
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 
conjunction with the National Infrastructure Coordinating Center 
(NICC), to reduce malicious actors exploiting vulnerabilities. Threat 
management decisions must incorporate cyber threats based on 
technological as well as non-technological factors, and consider the 
varying levels of security required by different activities. Since its 
inception in 2009, the NCCIC has responded to nearly a half million 
incident reports and released more than 37,000 actionable cybersecurity 
alerts to our public and private sector partners. In fiscal year 2013, 
NCCIC received 228,244 public and private sector cyber incident 
reports, a 41-percent increase from 2012, and deployed 23 response 
teams to provide onsite forensic analysis and mitigation techniques to 
its partners. NCCIC issued more than 14,000 actionable cyber alerts in 
2013, used by private sector and government agencies to protect their 
systems, and had more than 7,000 partners subscribe to the NCCIC/US-
CERT portal to engage in information sharing and receive cyber threat 
warning information.
    Further demonstrating NPPD's commitment to greater unity of effort 
in strengthening and maintaining secure and resilient critical 
infrastructure against both physical and cyber threats, the NICC has 
moved its watch operations center to collocate with the NCCIC. The NICC 
is the information and coordination hub of a national network dedicated 
to protecting critical infrastructure essential to the Nation's 
security, health and safety, and economic vitality. In accordance with 
and supporting the physical-cyber integration directives of PPD-21, 
this new integration will enhance effective information exchange, and 
improve the alacrity of protection with real-time indicator sharing. 
Concurrently, the NCCIC will refine and clarify the NICC-NCCIC 
relationship to advance national unity of effort within NPPD and the 
Federal Government.
Data Security Breaches
    On December 19, 2013, a major retailer publicly announced it had 
experienced unauthorized access to payment card data from the 
retailer's U.S. stores. The information involved in this incident 
included customer names, credit and debit card numbers, and the cards' 
expiration dates and card verification-value security codes. Another 
retailer also reported a malware incident involving its point of sale 
system on January 11, 2014, that resulted in the apparent compromise of 
credit card and payment information. A direct connection between these 
two incidents has not been established.
    During both incidents, NPPD's NCCIC utilized its unique 
cybersecurity, information sharing and mitigation capabilities to help 
retailers across the country secure their systems to prevent similar 
attacks while simultaneously providing timely analysis to the United 
States Secret Service (USSS). DHS's ability to provide a cross-
component response during this incident underscores the importance of 
leveraging complementary missions at the Department. Working closely 
together, elements with cyber capabilities such as the USSS, U.S. Coast 
Guard, Immigrations and Customs Enforcement's office of Homeland 
Security Investigations, Office of the Chief Information Officer, and 
NPPD are able to increase focus on not just responding to incidents but 
also reducing vulnerabilities, protecting against future attacks, and 
mitigating consequences.
    In response to this incident, NCCIC/US-CERT analyzed the malware 
identified by the USSS as well as other relevant technical data and 
used those findings, in part, to create two information sharing 
products. The first product, which is publicly available and can be 
found on US-CERT's Web site, provides a non-technical overview of risks 
to point of sale systems, along with recommendations for how businesses 
and individuals can better protect themselves and mitigate their losses 
in the event an incident has already occurred. The second product 
provides more detailed technical analysis and mitigation 
recommendations, and has been securely shared with industry partners to 
enable their protection efforts. NCCIC's goal is always to share 
information as broadly as possible, including by producing actionable 
products tailored to specific audiences.
    While the criminal investigation into the these activities is on-
going, NPPD, through the NCCIC and other organizations, continues to 
build shared situational awareness of similar threats among our private 
sector and government partners and the American public at large. At 
every opportunity, the NCCIC and our private sector outreach program 
publish technical and non-technical products on best practices for 
protecting businesses and customers against cyber threats and provide 
the information sharing and technical assistance necessary to address 
cyber threats as quickly as possible. DHS remains committed to ensuring 
cyberspace is supported by a secure and resilient infrastructure that 
enables open communication, innovation, and prosperity while protecting 
privacy, confidentiality, and civil rights and civil liberties by 
design.
       understanding cyber and physical critical infrastructure 
                           interdependencies
    One of NPPD's top priorities is providing our government and 
private sector partners with the information, analysis, and tools they 
need to protect our Nation's critical infrastructure in the face of 
physical and cyber risks. Key to this effort is understanding the 
consequences of potential disruptions to critical infrastructure, 
including interdependencies and cascading impacts, from all hazards to 
better equip and prepare our partners and stakeholders. Understanding 
consequences helps identify potential mitigation measures and 
prioritize the allocation of limited resources for both government and 
private sector.
    In February of 2014, NPPD established the Office of Cyber and 
Infrastructure Analysis to implement elements of PPD-21, which calls 
for integrated analysis of critical infrastructure, and EO 13636, 
identifying critical infrastructure where cyber incidents could have 
catastrophic impacts to public health and safety, the economy, and 
national security. An Integrated Analysis Cell was established to 
provide near real-time information to NPPD's two operational centers: 
the National Infrastructure Coordinating Center (NICC) and National 
Cybersecurity and Communications Integration Center (NCCIC). Similarly 
the work that has been done to implement section 9 of EO 13636 through 
the Cyber-Dependent Infrastructure Identification Working Group 
exemplifies how the skills that have been developed in NPPD over the 
years focused on critical infrastructure can similarly be applied to 
the analyzing cyber infrastructure. $33 million is requested in fiscal 
year 2015 to support these efforts.
Engaging with Federal, SLTT, and Private Sector Entities
    NPPD is committed to engaging with Federal, SLTT, and private 
sector stakeholders. More than 1,100 participants were involved in the 
development of NIPP 2013, providing thousands of comments reflecting 
our partners' input and expertise. NPPD has become increasingly focused 
on engaging stakeholders at the executive level, and working with the 
DOE, will implement a sustained outreach strategy to energy sector 
Chief Executive Officers to elevate risk management of evolving 
physical and cyber threats to the enterprise level. NPPD will also 
explore similar efforts across the critical infrastructure community.
    NPPD serves as a principal coordination point for stakeholder 
engagement for Cybersecurity through the Cyber Security Evaluation 
Program (CSEP). CSEP which provides voluntary evaluations intended to 
enhance cybersecurity capacities and capabilities across all 16 
Critical Infrastructure Owner/Operators, as well as SLTT governments 
through its Cyber Resilience Review (CRR) process. The goal of the CRR 
is to develop an understanding and measurement of key cybersecurity 
capabilities and provide meaningful maturity indicators to an 
organization's operational resilience and ability to manage risk to its 
critical services during normal operations and times of operational 
stress and crisis.
                         vision for the future
    DHS has a solid foundation upon which to build and enhance future 
cybersecurity capabilities to ensure information resilience against an 
adversary that leverages the best of technology and doesn't lack for 
funding. DHS continues to strengthen trust and public confidence in the 
Department through the foundations of partnership, transparency, and 
protections for privacy and civil liberties, which is built in to all 
that we do. Our Department is the lead civilian agency responsible for 
coordinating the national protection, prevention, mitigation, and 
recovery from cyber incidents across civilian government, State, local, 
tribal, territorial (SLTT) and private sector entities of all sizes. 
DHS leverages our interagency and industry partnerships as well as the 
breadth of our cyber capabilities extending from NPPD, Immigration and 
Customs Enforcement's Homeland Security Investigations, U.S. Coast 
Guard and U.S. Secret Service, to make our NCCIC the source for dynamic 
data aggregation of for global cyber indicators and activity.
    We are working to further enable the NCCIC to receive and 
disseminate information at ``machine speed.'' \1\ This enhanced 
capability will enable networks to be more self-healing, as they use 
mathematics and analytics to mimic restorative processes that are 
currently done manually. Ultimately, this will enable us and our 
partners to better recognize and block threats before they reach their 
targets, thus deflating the goals for success of cyber adversaries and 
taking botnet response from hours to seconds in certain cases. We are 
working with the DHS Science & Technology Directorate in many areas to 
develop and support these capabilities for NCCIC. The science of 
decisionmaking is about seeing enough behavior to differentiate the 
good from the bad, and that comes from the collective information of 
industry and Government. That is voluntarily provided to us because of 
underlying trust. This effort is currently being built in our 
Structured Threat Information Expression (STIX) and Trusted Automated 
eXchange of Indicator Information (TAXII TM) programs that 
we have begun offering as a free method for machine-to-machine sharing 
of cyber threat indicators to others in the Government and private 
sector.
---------------------------------------------------------------------------
    \1\ Automatically sending and receiving cyber information as it is 
consumed and augmented based on current threat conditions, creating a 
process of automated learning that emulates a human immune system and 
gets smarter as it is exposed to new threats.
---------------------------------------------------------------------------
    We must increase data exchange and information flow with industry 
through stakeholder engagement to optimize the information shared 
voluntarily. This must be done in a manner that promotes privacy and 
civil liberties protections, focusing on the sharing of cyber threat 
information that is non-attributable and anonymized to the greatest 
extent feasible.
    DHS's extensive visibility into attacks on government networks must 
be fully leveraged to protect all government networks as well as our 
critical infrastructure and local entities, in a way that is consistent 
with our laws while preserving the privacy and individual rights of 
those we protect. Legislation providing a single clear expression of 
DHS cybersecurity authority would greatly enhance and speed up the 
Department's ability to engage with affected entities during a major 
cyber incident and dramatically improve the cybersecurity posture of 
Federal agencies and critical infrastructure.
                               conclusion
    Infrastructure is the backbone of our Nation's economy, security 
and health. We know it as the power we use in our homes, the water we 
drink, the transportation that moves us, and the communication systems 
we rely on for business and everyday life. We have an extremely 
dedicated and talented workforce engaged in activities that advance our 
mission to protect that information and their innovation will continue 
to propel NPPD and DHS forward in fiscal year 2015 and beyond. Each 
employee is dedicated to a safe, secure, and resilient infrastructure 
that enables our way of life to thrive.
    Chairwoman Landrieu, Ranking Member Coats, and distinguished 
members of the subcommittee, thank you all for your leadership in 
cybersecurity and for the opportunity to discuss the fiscal year 2015 
President's budget request for NPPD's cybersecurity efforts. I look 
forward to any questions you may have.

    Senator Landrieu. Thank you very much.
    Mr. Edge.

STATEMENT OF PETER T. EDGE, EXECUTIVE ASSOCIATE 
            DIRECTOR, HOMELAND SECURITY INVESTIGATIONS, 
            IMMIGRATION AND CUSTOMS ENFORCEMENT, 
            DEPARTMENT OF HOMELAND SECURITY
    
    Mr. Edge. Good afternoon, Chairwoman Landrieu, Ranking 
Member Coats, and Senator Coons. Thank you for the opportunity 
to appear before you today to discuss the risks of cyber crime 
and the impact of U.S. Immigration and Customs Enforcement's 
Homeland Security Investigations' role with respect to 
conducting investigations and building capabilities to protect 
our Nation's borders and enhance public safety for the future.
    The Internet poses a significant challenge to law 
enforcement. When a criminal never has to meet his victim face-
to-face, but can hide behind what appears to be a legitimate 
Web site, consumer fraud runs rampant. When criminal 
organizations can employ technical means to steal intellectual 
property, American ingenuity is stymied. When money-launderers 
can utilize non-traditional Internet-based financial services, 
circumventing regulatory safeguards and public safety, that's a 
detriment and a danger to our country.
    Criminal networks are becoming increasingly sophisticated 
in taking advantage of the many ways in which the Internet can 
streamline communications, financing, and logistics, just as it 
does for legal enterprise. As a consequence, law enforcement 
agencies must respond by properly preparing investigators for 
work in cyber space. As information systems and computer 
networks become increasingly prolific, the technical challenges 
facing law enforcement investigations of criminals operating 
through the Internet grow daunting, and the considerations in 
collecting electronic evidence become increasingly complex.
    Our Cyber Crime Center, which was established in 1997, 
brings the full range of Homeland Security Investigations cyber 
investigations and computer forensics assets together in a 
single location to coordinate global investigations and to 
provide to our field offices in their efforts to combat cyber-
enabled crime. The scope of these investigations includes any 
instance where information technology or computer networks are 
substantially employed to facilitate international smuggling, 
money-laundering, and Internet-based financial frauds or 
identity theft, even proliferation of strategic commodities or 
the digital theft of intellectual property or export-controlled 
technical data. Trafficking in child pornography and other 
child exploitation crimes are also a significant focus for us.
    The Cyber Crime Center further works to develop tools and 
capabilities to conduct online cyber investigations, focusing 
on collaborative relationships with other Government agencies, 
to include DHS's Science and Technology, our friends at NPPD, 
National Cybersecurity Communications Integration Center, and 
our domestic and international law enforcement partners, 
especially our DHS counterpart, the United States Secret 
Service, as well as EUROPOL.
    The Cyber Crime Center's budget has increased by more than 
$30 million since 2011, expending $137 million in fiscal year 
2013. This growth underscores the increasing role the Internet 
plays in criminal activity and the need for skill and diligence 
to thwart crime in cyber space.
    U.S. Immigration and Customs Enforcement has recognized the 
potential for criminal exploitation and the money-laundering 
threat posed by virtual currency. We therefore strategically 
deployed a multi-pronged investigative strategy designed to 
target illicit virtual currency, currency exchangers, and 
underground black markets, such as carding, illegal drugs, 
illegal firearms, and child pornography forums.
    HSI has established itself as a world leader in online 
exploitation investigations because of the breath of its 
authorities and presence throughout the world. In fiscal year 
2013 alone, our agency was responsible for more than 2,000 
criminal arrests relating to child exploitation, while 
launching in excess of 4,000 child exploitation investigations 
worldwide. Both are new records for Homeland Security 
Investigations and the Department of Homeland Security.
    In 2013 there were 927 children identified as victims 
during the course of Immigration and Customs Enforcement (ICE) 
HSI-led joint online child exploitation investigative work.
    The Cyber Crime Center oversees the agency's computer 
forensics program, which comprises approximately 250 computer 
forensics agents and analysts. Our computer forensics agents 
jointly train with the Secret Service and Internal Revenue 
Service (IRS) Criminal Investigations. Homeland Security 
Investigations' computer forensics agents (CFAs) also support 
investigations in the use of digital media as well as support 
to Federal, State, and local law enforcement upon request.
    In fiscal year 2013, HSI-CFA has encountered approximately 
3.9 petabytes of data, equal to approximately 62 billion pages 
of image files or 71 billion pages of Powerpoint files. In 
April 2013, we engaged in a relationship with the National 
Association to Protect Children (PROTECT) to launch the Human 
Exploitation Rescue Operative (HERO), Child Rescue Corps. 
During the 12-month internship, we hired wounded warriors who 
were integral in conducting computer forensics law enforcement-
based investigations.
    Senator Landrieu. You have to try to wrap up if you would.
    Mr. Edge. The Cyber Center will continue to evaluate its 
cyber capabilities, programs, and training, and will make sure 
the agency can effectively continue combating this ever-
changing landscape in the future.
    Thanks again for the opportunity to appear before you, and 
I look forward to answering any questions you may have.
    [The statement follows:]
                  Prepared Statement of Peter T. Edge
                              introduction
    On behalf of the men and women of U.S. Immigration and Customs 
Enforcement (ICE), thank you for the opportunity to appear before you 
today to discuss cybersecurity and the impact ICE's Cyber Crime Center 
(C\3\) makes with respect to protecting our Nation's borders and 
enhancing public safety. C\3\ has been in existence since 1997 and was 
created to support the investigative mission of the U.S. Customs 
Service. Now, 17 years later, C\3\ is recognized worldwide as a center 
of excellence in cyber law enforcement. ICE expenditures for cyber 
crime investigations have increased 39 percent since fiscal year 2010. 
Additionally, cyber crimes investigations account for 9 percent of 
total Domestic Investigations expenditures compared to 6.5 percent in 
fiscal year 2010.

 
----------------------------------------------------------------------------------------------------------------
                                                                                                   Fiscal year
                                                                                                  2010 to fiscal
                        Fiscal year:                           2010     2011     2012     2013      year 2013
                                                                                                     variance
----------------------------------------------------------------------------------------------------------------
Cyber Crime & Child Pornography Investigations.............      $92      $98     $109     $119             $28
Cyber Crimes Center........................................       16       17       11       18               2
                                                            ----------------------------------------------------
      Total Cyber Crimes Expenditures......................      108      115      120      137              30
                                                            ====================================================
Percent of Total Expenditures..............................     6.5%     6.8%     7.0%     8.6%           27.4%
                                                            ----------------------------------------------------
      Total HSI Domestic Expenditures......................   $1,648   $1,701   $1,723   $1,596            $(52)
----------------------------------------------------------------------------------------------------------------

    ICE Homeland Security Investigations (HSI) is the principal 
investigative arm of the U.S. Department of Homeland Security (DHS) and 
the second largest Federal criminal investigative agency, with broad 
legal authority to enforce more than 400 Federal statutes. HSI has 
taken a leading role in coordinating domestic and international law 
enforcement actions among our law enforcement partners through several 
centers of excellence that we lead--including C\3\.
    The Internet poses a significant challenge to law enforcement. When 
a criminal never has to meet his victim face to face, but can hide 
behind what appears to be a legitimate Web site, consumer fraud runs 
rampant. When transnational criminal organizations employ technical 
means to steal intellectual property, American ingenuity is stymied. 
When money launderers utilize non-traditional, Internet-based financial 
services, circumventing regulatory safeguards, public safety is further 
threatened. Criminal networks are becoming increasingly sophisticated 
in taking advantage of the many ways in which the Internet can 
streamline communications, financing, and logistics--just as it does 
for legal enterprise. As a consequence, law enforcement agencies must 
respond by properly preparing investigators for work in cyberspace. As 
information systems and computer networks become increasingly prolific, 
the technical challenges facing law enforcement investigations of 
criminals operating on, or through, the Internet grow daunting, and the 
considerations in collecting electronic evidence become increasingly 
complex. A recent HSI enforcement action targeting intellectual 
property violations saw the deployment of 5 percent of HSI's Computer 
Forensics Agents (CFAs) in a single day. These CFAs were tasked with 
securing the electronic evidence from nine Web sites, and they will be 
heavily involved in sorting through the evidence for potential 
prosecutions.
                          cyber crimes center
    C\3\ brings the full range of ICE cyber investigations and computer 
forensic assets together in a single location to coordinate global 
investigations and to provide support to our field offices in their 
efforts combat cyber-enabled crime. C\3\ is comprised of three units: 
the Cyber Crimes Unit, the Computer Forensics Unit, and the Child 
Exploitation Investigations. The C\3\ facility houses a cyber 
investigations training room and a computer forensics laboratory. The 
Center is staffed by special agents, intelligence research specialists, 
computer forensics analysts, and mission support personnel. Each of 
C\3\'s units plays an integral role in supporting investigations of 
cybercrime and cyber-enabled crime. The scope of these investigations 
includes any instance where information technology, or computer 
networks are substantially employed to facilitate international 
smuggling, money laundering, Internet-based financial frauds or 
identity theft, proliferation of strategic commodities or the theft of 
export controlled technical data, and trafficking in child pornography 
and other child exploitation crimes. The Cyber Crimes Unit and Child 
Exploitation Investigations Unit provide coordination, de-confliction, 
resources, training, and subject matter expertise in these 
investigations. The Computer Forensics Unit oversees the agency's 
computer forensics program, including the agency's participation in, 
and contributions to, the Treasury Computer Forensics Training Program.
Cyber Crimes Unit
    The Cyber Crimes Unit supports HSI investigations of cyber enabled 
criminal activities. The Cyber Crimes Unit provides oversight, 
coordination, de-confliction, resources, and subject matter expertise 
to HSI offices in the investigation of international smuggling, 
proliferation, fraud, and money laundering activities where information 
systems, networks, and the Internet serve as significant facilitating 
mechanisms for the crime. The Cyber Crimes Unit particularly focuses 
its efforts towards cyber economic crimes involving financial fraud, 
the theft of digital intellectual property and technical data 
controlled under export laws, and the targeting of cross-border illicit 
Internet marketplaces. The Cyber Crimes Unit also works to develop and 
deliver training to HSI personnel in the investigation of cyber-enabled 
crimes. The Cyber Crimes Unit further works to support HSI cyber 
investigations through its Emerging Technology program which focuses on 
collaborative relationships with other government agencies and academic 
institutions intended toward development of technical solutions to 
technical problem sets facing law enforcement.
Emerging Technologies
    The Cyber Crimes Unit is also dedicated to the development of tools 
and capabilities to conduct online cyber investigations. Emerging 
technology, such as The Onion Router, also known as TOR, or the 
utilization of virtual currencies, allow the transnational criminal 
organizations to navigate in cyberspace anonymously. C\3\ has partnered 
with DHS Science and Technology to collaborate with academia and other 
partners to develop tools and best practices, to stay abreast of 
emerging technologies and continue to lean in to prevent and deter 
illegal activities.
Virtual Currency
    In contrast to traditional currency, monetary instruments, or other 
methods of transferring value, virtual currencies serve as mediums of 
exchange, but are not accepted as legal tender in any recognized 
government jurisdiction. However, virtual currencies can be used to 
conduct transactions entirely within a virtual economy, transferred 
between individuals, or used in lieu of a government-issued currency to 
purchase goods and services.
    The appeal of virtual currencies, especially ``open'' or 
``convertible'' currencies that can be exchanged for traditional 
currency, and vice versa, is that they may allow value to be 
transferred much more rapidly and cheaply (especially internationally) 
than through traditional banking payment systems, and often with 
greater anonymity and reduced oversight.
    ICE has recognized the potential for criminal exploitation and the 
money laundering threat posed by virtual currency. ICE has, therefore, 
strategically deployed a multi-prong investigative strategy designed to 
target illicit virtual currency platforms, currency exchangers, and 
underground black markets such as ``carding,'' illegal drugs, illegal 
firearms, and child pornography forums.
    ICE recognizes that our approach to combating the illicit use of 
virtual currency systems must include collaboration and coordination 
with our domestic and international partners. To that end, ICE works 
closely with our Federal, State, local, and international law 
enforcement partners, and other members of the interagency.
                         recent investigations
Crack99
    Among HSI's broad investigative authority, we are the primary 
enforcer of the Arms Export Control Act and as such has responsibility 
to work with industry to safeguard this data from being exploited and 
smuggled out of the country. This includes the investigation of Web 
sites that offer the sale of prohibited items as well as transnational 
criminal organizations that steal the data without the knowledge of 
industry.
    HSI Philadelphia learned during a private industry outreach 
meeting, of an online company known as Crack99, believed to be involved 
in the illegal sale of U.S.-manufactured software products. HSI 
collaborated with Defense Criminal Investigative Services and conducted 
numerous undercover purchases of stolen software from Crack99. Once 
payment had been made and accepted in China, the software was posted 
and received, often compressed into specialty files and then 
``cracked'' to overcome the license restrictions. The software programs 
were used in multiple design and engineering systems that had a broad 
range of user applications to include: explosive simulation, aircraft 
mission simulation, oil field management, antenna design and radio 
frequency signaling.
    Many of the U.S.-manufactured software programs offered by Crack99 
were controlled for export and were subject to the Department of 
Commerce's Export Administration Regulations. The estimated monetary 
loss of these illegal software sales conducted by Crack99 was valued at 
approximately $1 million. Crack99 had ``cracked'' the software of 
thousands of U.S. businesses.
    HSI Special Agents identified the U.S.-based servers and seized all 
accounts, Web sites and domains associated with Crack99's distribution 
of stolen software. Two servers and six domain names were seized. The 
three main suspects were charged, convicted and sentenced for various 
violations of conspiracy, fraud, smuggling and copyright infringement.
Mt. Gox
    In May 2013, through an interagency taskforce led by ICE in 
Baltimore, Maryland, three U.S. bank accounts associated with what was 
then the world's largest Bitcoin (a specific virtual currency) 
exchanger, Japan-based Mt. Gox, were seized for violations of 18 U.S.C. 
section 1960, operating a money service business in the United States 
without a license. Some of the funds were linked to the illicit 
purchase of drugs, firearms, and child pornography. These and many 
other ongoing criminal investigations have provided ICE with a better 
understanding of the risks and challenges posed by virtual currencies.
Online Child Exploitation Investigations
    ICE has established itself as a world leader in online child 
exploitation investigations due to the breadth of its authorities and 
presence throughout the world. Under the auspices Operation Predator, 
HSI child exploitation investigations focuses on the enforcement, 
disruption and dismantlement of individuals and groups involved in the 
possession, receipt, distribution, transportation, and production of 
child pornography. Since the launch of Operation Predator in 2003, HSI 
has initiated more than 30,700 criminal investigations; arrested more 
than 10,900 child predators; and contributed to more than 8,000 
indictments and criminal convictions for child exploitation violations. 
In fiscal year 2013 alone, our agency was responsible for over 2,000 
criminal arrests relating to child exploitation, while launching in 
excess of 4,000 child exploitation investigations worldwide, both new 
records for HSI. In fiscal year 2013, there were 927 children 
identified as victims during the course of ICE HSI-led or joint child 
exploitation and/or child sex tourism investigations. Key to HSI's 
fight against child exploitation is HSI's C\3\. C\3\ directs HSI in its 
mission to investigate large-scale producers and distributors of child 
pornography, as well as individuals who travel abroad for the purpose 
of engaging in sex with minors, also known as Child Sex Tourism (CST). 
C\3\ employs the latest technology to collect evidence of persons and 
organized groups who sexually exploit children through the use of Web 
sites, chat rooms, newsgroups and peer-to-peer trading. C\3\ also 
provides assistance to HSI field offices, coordinates major 
investigations, and conducts undercover operations throughout the world 
to identify and apprehend violators.
Operation Round Table
    In March 2014, HSI completed the largest online child exploitation 
investigations in ICE's history, involving victims in 39 States and 
five countries. Fourteen men operating a child pornography Web site on 
the Darknet's Onion Router (TOR) were arrested and charged as part of a 
conspiracy to operate a child exploitation enterprise, following an 
extensive international investigation by HSI and the U.S. Postal 
Inspection Service (USPIS).
    To date, investigators have identified 251 minor victims in 39 
States and five foreign countries: 228 in the United States and 23 in 
the United Kingdom, Canada, New Zealand, Australia and Belgium. Eight 
of the victims were female and 243 were male. The majority of victims, 
159, were 13 to 15 years old; 59 victims were 16 and 17; 26 victims 
were 10 to 12; four victims were 7 to 9; one victim was 4 to 6; and two 
victims were 3 years old or younger. All victims have been contacted by 
law enforcement and U.S. victims have been offered support services 
from HSI victim assistance specialists.
Victim Identification Program
    Although the traditional law enforcement goal in combating child 
exploitation is normally viewed to be ``arresting and prosecuting 
predators,'' the true goal is to protect children. In furtherance of 
this goal, HSI launched the Victim Identification Program (VIP) in 
December 2011. Its mission is to combine technological and 
investigative capabilities and resources to rescue child victims of 
sexual exploitation. The VIP is a simple idea that combines traditional 
investigative techniques with cutting edge technology for the purposes 
of rescuing child victims of sexual exploitation. The victim 
identification process starts with the discovery of new child abuse 
material (images, video, and/or audio) that depicts an unidentified 
minor or minors being sexually abused. HSI analyzes and enhances the 
material in order to identify clues that may lead to the identity of 
the victim, suspect or geographic location. When enough clues come 
together to form a viable lead, the lead is sent out to the appropriate 
HSI field office for follow-up investigation. During its first 2 years 
of operation, the VIP has been responsible for more than 180 victims 
identified and/or rescued from around the country. HSI is increasingly 
shifting its focus and dedicating more of its time and resources 
towards identifying and rescuing the victims of child sexual 
exploitation and the prevention of these crimes. This focus on victims 
is not in conflict with ongoing efforts to arrest and prosecute the 
perpetrators of these horrendous crimes as the identification of 
victims often leads to the arrest of their abusers.
Project iGuardian
    In April 2014, ICE launched an educational outreach program called 
Project iGuardian, in conjunction with the National Center for Missing 
and Exploited Children's NetSmartz and the Internet Crimes Against 
Children (ICAC) Task Forces. Project iGuardian is an outreach awareness 
program that aims to educate kids, teens, and parents about online 
safety and how to stay safe from online sexual predators. HSI 
recognizes the importance of education and community awareness 
regarding the dangers of online activity. Project iGuardian aims to 
counter a disturbing fact: many online child predators are able to find 
victims online because children are not aware of how dangerous online 
environments can be.
Virtual Global Taskforce
    ICE is a founding member and the U.S. representative of the Virtual 
Global Taskforce (VGT), an international alliance of law enforcement 
agencies and private industry sector partners working together to 
prevent and deter online child sexual abuse. In December 2012, HSI was 
appointed chair and secretariat of the VGT. The Deputy Assistant 
Director of C\3\ assumed the duties of chair for a 3-year tenure. At 
the same time HSI was appointed the chair, the VGT also agreed to 
include investigations of CST into its portfolio.
Operation Predator--Smartphone App
    In September of 2013, HSI launched a new smartphone app, the first 
of its kind in U.S. Federal law enforcement, designed to seek the 
public's help with fugitive and unknown suspect child predators. All 
tips can be reported anonymously through the app, by phone or online, 
24 hours a day, 7 days a week. In many cases, HSI has been able to make 
an arrest just hours after issuing a nationwide plea for public 
assistance. These cases demonstrate the power of the press, social 
media and the general public in helping solve cases.
Computer Forensics Program
    C\3\ operates and maintains a robust computer forensics program. 
HSI computer forensic agents/analysts (CFAs) support all HSI 
investigations involving the use of digital media, as well as provide 
support to Federal, State and local law enforcement upon request. The 
computer forensic program is currently comprised of approximately 250 
CFAs located in over 110 domestic and foreign HSI offices. The CFAs 
operate in various environments, supporting investigations to include 
advanced mobile device data extraction, hard drive repair, data mining 
of large multi-terabyte data sets, password decryption, border search 
of electronic devices and on-scene computer forensic assistance. For 
example, HSI CFAs were instrumental in the seizure of closed circuit 
video systems that were used in the identification of the Boston 
Marathon bombing suspects and provided key support for the analysis of 
suspect media related to Operation Round Table detailed above.
    In fiscal year 2013, HSI CFAs encountered approximately 3.9 
petabytes of data (equal to approximately 62 billion pages of image 
files or 71 billion pages of power point files) and analyzed over 4,400 
mobile devices; this is a 45-percent increase in the volume of data 
encountered and a 35-percent increase in the number of mobile devices 
analyzed from the previous fiscal year.
    HSI is a founding member of the Treasury Computer Forensic Training 
Program (TCFTP), which is a joint computer forensic training initiative 
between HSI, the U.S. Secret Service and the Internal Revenue Service-
Criminal Investigations. Management of the training program rotates 
every 2 years, with HSI responsible for administering the program for 
2014 and 2015. For 2014, it is anticipated that approximately 200 
individuals will receive basic or advanced computer forensic training 
through the joint training program. This program was designed to 
provide CFAs operating in the field with the skills necessary to 
support the ever changing environment of the computer forensic 
requirements for HSI's investigative mission. In addition to providing 
training through the TCFTP, the computer forensic program regularly 
provides computer forensic training for capacity building efforts to 
foreign law enforcement.
Human Exploitation Rescue Operative Chile Rescue Corps
    In April 2013, ICE, entered into a partnership with U.S. Special 
Operations Command and the National Association to Protect Children 
(PROTECT) to launch the ``Human Exploitation Rescue Operative (HERO) 
Child Rescue Corps'' program. The 12-month internship program is a 
highly competitive, highly selective non-paid internship, designed for 
wounded, injured and ill Special Operations Forces to receive training 
in high-tech computer forensics and law enforcement skills to assist 
HSI and law enforcement in their efforts to combat child sexual 
exploitation. Upon successful completion of the training, HERO 
participants are embedded into computer forensic analyst positions 
within HSI offices to receive on-the-job training experience. Fifteen 
HERO participants of the inaugural class have successfully completed 
all aspects of the program thus far and HSI in the process of extending 
offers of employment to all 15 individuals under the Veterans' 
Recruitment Appointment authority. The HERO program is in the process 
of recruiting, interviewing and selecting candidates for the 2nd HERO 
class, which is scheduled to begin in August 2014.
DHS Secretary's Honors Program--Cyber Student Initiative
    The DHS Cyber Student Volunteer Initiative, introduced in 2013 by 
DHS and HSI, offered college students majoring in a cybersecurity-
related field an unpaid volunteer position to gain invaluable hands-on 
experience at a DHS component agency. HSI was the sole DHS component to 
participate in the inaugural program, which was designed to provide 
high-performing students with challenging work projects, real-life 
learning scenarios, and mentoring from cybersecurity professionals at 
various HSI field offices. Based on the success of the program, DHS and 
HSI offered the Student Volunteer Initiative program again in 2014, 
which was expanded to include new volunteer opportunities at the U.S. 
Secret Service, the U.S. Coast Guard, the Transportation Security 
Administration, the Office of Intelligence and Analysis, the DHS Office 
of the Chief Information Officer, and State and major urban area fusion 
centers.
                               conclusion
    Thank you again for the opportunity to appear before you to 
highlight ICE's Cyber Crime Center and the significant role we 
contribute in combating transnational criminal organizations operating 
in cyberspace and in an increasingly more complex and sophisticated 
virtual reality. As the cyber world and other new virtual technologies 
continue to evolve, ICE will remain vigilant and adapt its 
investigative tools and techniques to dismantle those criminal 
organizations that use this platform to hide illicit activity.

    Senator Landrieu. Thank you so much for that excellent 
testimony.
    Mr. Noonan.

STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN 
            CHARGE, CRIMINAL INVESTIGATIVE DIVISION--
            CYBER OPERATIONS, SECRET SERVICE, 
            DEPARTMENT OF HOMELAND SECURITY
   
   Mr. Noonan. Yes, ma'am. Good afternoon, Chairman Landrieu, 
Ranking Member Coats, and Senator Coons. Thank you for the 
opportunity to testify on the Department of Homeland Security's 
investments to counter cyber threats and the capabilities the 
Secret Service utilizes and is developing to deter cyber crime 
around the world. I am honored to appear today alongside my 
colleagues from Immigration and Customs Enforcement and the 
National Protection and Programs Directorate.
    While no single agency or department has the personnel and 
resources to eliminate all cyber threats, DHS brings to the 
table a strong combination of Federal law enforcement 
experience, established partnerships across Federal, State, and 
local governments, international law enforcement, and the 
private sector, as well as a workforce that is committed to 
strengthening the security and resiliency of our Nation's 
critical infrastructure.
    When the Secret Service was created as an investigative 
division of the Department of Treasury in 1865, its sole focus 
was to protect the Nation's financial system from the 
proliferation of counterfeit currency. Over the past 149 years 
the agency's mission has expanded to include protecting the 
President, the Vice President, visiting world leaders, and 
national special security events. Today our integrated mission 
addresses numerous threats, including those originating in 
cyber space.
    The Secret Service's authorities to investigate cyber crime 
date back nearly 30 years to when Congress passed the 
Comprehensive Crime Control Act of 1984. That law granted the 
Secret Service authority to investigate criminal offenses 
related to unauthorized access to computers and the fraudulent 
use or trafficking of access devices.
    As the Nation's financial payments systems evolved from 
paper to plastic to electronic transactions, so too has the 
Secret Service's investigative priorities. Advances in computer 
technology and greater Internet access to personally 
identifiable information and sensitive financial data have 
created online marketplaces for transnational cyber criminals 
to share stolen information and criminal methodologies.
    Over the past 10 years, the Secret Service has observed 
marked increase in the quantity and complexity of cyber crimes 
targeting private industry, in particular the financial 
services sector. These crimes include network intrusions, 
installation of malicious software, and account takeovers, 
leading to significant data breaches affecting every sector of 
the world's economy.
    The widely reported data breaches of Target, Neiman Marcus, 
White Lodging, and Michaels are just some of the most recent 
well-publicized examples of major data breaches perpetrated by 
cyber criminals who are intent on targeting our Nation's 
financial payments systems. Over the past 4 years alone, the 
Secret Service cyber crime investigations have resulted in more 
than 4,900 arrests associated with approximately $1.4 billion 
in fraud losses and the prevention of $11 billion in potential 
fraud losses.
    Through continued work with our key Federal, State, local, 
international, and private-sector partners, we are confident we 
will continue to bring domestic and transnational cyber 
criminals to justice.
    In support of the Secret Service's protective mission, 
special agents trained through the agency's Critical Systems 
Protection (CSP) program successfully completed more than 657 
domestic and 5 international protective advances since 2010 in 
support of the President, Vice President, and national special 
security events. The incorporation of tools and specialized 
training to reduce the risk associated with a viable cyber 
threat during protective operations enhances the Secret 
Service's ability to provide complete protective coverage.
    CSP technology provides visibility into the once unknown 
cyber environment, which gives our agency the tools to identify 
cyber threat actors as well as mitigate potential network 
attacks on the critical infrastructure that supports permanent 
and temporary venues under Secret Service protection.
    With the subcommittee's support, the Secret Service will 
continue to focus on improving our protective investigative 
capabilities and enhancing the training of our special agent 
workforce through the Electronic Crimes Special Agent Program, 
as well as provide training for our State and local law 
enforcement partners through the National Computer Forensic 
Institute. We will also continue to share actionable 
information with our partners through DHS's National 
Cybersecurity and Communications Integration Center and the 
network of Information-Sharing and Analysis Centers (ISACs), in 
particular the Financial Services and Multistate ISACs, while 
aggressively investigating cases through our domestic 
international field offices, as well as our network of 
electronic crimes task forces.
    On the basis of the Secret Service's experience with cyber 
investigations and protection, I hope today's discussion 
provides the subcommittee useful information on how to best 
deter and mitigate the threat of these crimes in the future. 
This concludes my opening remarks. I look forward to your 
questions. Thank you.
    [The statement follows:]
                  Prepared Statement of William Noonan
    Good afternoon Chairman Landrieu, Ranking Member Coats, and 
distinguished members of the subcommittee. I appreciate the opportunity 
to testify on the investments the Department of Homeland Security (DHS) 
is making in cybersecurity, and the capabilities the Secret Service has 
and is developing to deter cyber-crime around the world. I am honored 
to appear today alongside my colleagues from Immigration and Customs 
Enforcement (ICE) and the National Protection and Programs Directorate 
(NPPD). While no single agency or department has the personnel and 
resources to eliminate cyber-threats, DHS brings to the table a strong 
combination of Federal law enforcement experience, established 
partnerships with the Department of Defense, the Department of Justice 
(DOJ), State and local governments, international law enforcement and 
the private sector, as well as a workforce committed to strengthening 
the security and resiliency of our Nation's critical infrastructure.
    Cyber-threats impact all aspects of the Secret Service's integrated 
mission. When the agency was created as an investigative arm of the 
Department of Treasury in 1865, its purpose was to protect the Nation's 
financial system from the proliferation of counterfeit currency. No one 
at the time could have foreseen that the Secret Service would one day 
be responsible for the protection of the President of the United 
States, let alone that protection would have to take into account the 
potential for computers to affect physical security. Likewise, no one 
at the time could have foreseen that financial crimes would encompass 
computer-based attacks on our Nation's financial services sector and 
would regularly include criminal actors working across international 
borders to perpetrate complex thefts and money laundering schemes.
    The Secret Service traces its investigations into cyber-crime back 
nearly 30 years, when Congress authored 18 U.S.C. sections 1029 and 
1030 as part of enacting the Comprehensive Crime Control Act of 1984 
(Public Law 98-473). That law granted the Secret Service authority to 
investigate criminal offenses \1\ related to the unauthorized access to 
computers \2\ and the fraudulent use, or trafficking of, access devices 
\3\--defined as any piece of information or tangible item that is a 
means of account access that can be used to obtain money, goods, 
services, or other thing of value.\4\ As the Nation's financial payment 
systems evolved from paper to plastic to electronic transactions, so 
too has the Secret Service's investigative priorities. Advances in 
computer technology and greater access to personally identifiable 
information (PII), including sensitive financial data, via the Internet 
have created online marketplaces for transnational cyber-criminals to 
share stolen information and criminal methodologies.
---------------------------------------------------------------------------
    \1\ See 18 U.S.C. section 1029(d) and 1030(d)(1).
    \2\ See 18 U.S.C. section 1030.
    \3\ See 18 U.S.C. section 1029.
    \4\ See 18 U.S.C. section 1029(e)(1).
---------------------------------------------------------------------------
    Over the past 4 years alone, Secret Service cyber-crime 
investigations have resulted in over 4,900 arrests, associated with 
approximately $1.37 billion in fraud losses and the prevention of over 
$11.24 billion in potential fraud losses. Through continued work with 
our key partners at DOJ, in particular the local U.S. Attorney's 
Offices, the Computer Crime and Intellectual Property Section (CCIPS), 
and the International Organized Crime Intelligence and Operations 
Center (IOC-2), we are confident we will continue to bring cyber-
criminals to justice.
    Since 2010, in support of the Secret Service's protective mission, 
special agents trained through the agency's Critical Systems Protection 
(CSP) program successfully completed more than 657 domestic and five 
international protective advances. The incorporation of tools and 
specialized training to reduce the risks associated with a viable 
cyber-threat during protective operations enhances the Secret Service's 
ability to provide complete protective coverage at venues visited by 
the President, Vice President and other Secret Service protectees.
    CSP technology provides visibility into the once unknown cyber-
environment, which gives the Secret Service the ability to identify 
cyber-threat actors, as well as mitigate the potential impact of a 
network attack on a protective venue or on the critical infrastructure 
that supports the venue. CSP-trained special agents also lead the 
Critical Infrastructure Protection Subcommittee during National Special 
Security Events (NSSEs). Through their work with Federal, State and 
local law enforcement, along with the private sector, CSP-trained 
special agents develop a comprehensive operational security plan to 
safeguard critical infrastructure and key resources associated with 
protective events and associated venues.
    Based on the Secret Service's three decades of experience 
investigating cyber-crime, in particular the expertise we have 
developed with respect to the transnational organized cyber-crime 
threat to our Nation, as well as our more recent efforts to protect the 
President, Vice President, and NSSEs from a cyber-threat, I hope to 
provide the subcommittee useful information on how best to deter and 
mitigate the threat of these crimes in the future.
                  the transnational cyber-crime threat
    Over the past 10 years, the Secret Service has observed a marked 
increase in the quality, quantity, and complexity of cyber-crimes 
targeting private industry, in particular the financial services 
sector. These crimes include network intrusions, hacking attacks, 
installation of malicious software, and account takeovers leading to 
significant data breaches affecting every sector of the world economy. 
The widely reported data breaches of Target, Neiman Marcus, White 
Lodging, and Michael's are just the most recent, well-publicized 
examples of this decade-long trend of major data breaches perpetrated 
by cyber-criminals who are intent on targeting our Nation's banks and 
financial payment systems.
    In partnership with the Secret Service, Verizon published their 
most recent Data Breach Investigations Report (Verizon Report) in 2014 
to examine current trends and criminal tactics used to conduct data 
breaches. The analysis included in the 2014 Verizon Report covered more 
than 63,000 security incidents, including 1,367 confirmed data breaches 
occurring in calendar year 2013. The report identified three primary 
motives for the criminals committing these acts: (1) financial gain; 
(2) espionage; and (3) activism.
    Cyber-criminals, motivated by greed, perpetrated the majority of 
the breaches studied each of the past 5 years through the Verizon 
Reports. These criminals primarily use a combination of sophisticated 
hacking techniques and the deployment of malicious software to 
accomplish their objective of obtaining sensitive financial information 
to use as part of increasingly sophisticated frauds. The victims of the 
crimes studied in the 2014 Verizon Report span 95 different countries, 
with 34 percent of all reported incidents affecting financial 
institutions. The study revealed that point-of-sale (POS) intrusions, 
like the recently reported events, are primarily attributed to 
organized criminal groups operating out of Eastern Europe. More 
concerning, in 88 percent of POS intrusions, the data is exfiltrated in 
a matter of minutes. However, in 98 percent of the breaches it took 
weeks or months to discover the crime.
    The increasing level of collaboration among cyber-criminals allows 
them to compartmentalize their operations, greatly increasing the 
sophistication of their criminal endeavors as they develop specialized 
skills to carry out cyber-attacks against the Nation's financial and 
other critical infrastructures. These specialties increase both the 
complexity of investigating these cases, as well as the level of 
potential harm to companies and individuals. For example, illicit 
underground cyber-crime marketplaces allow criminals to buy, sell and 
trade malicious software, access to sensitive networks, spamming 
services, payment card data, PII, bank account information, brokerage 
account information, hacking services, and counterfeit identity 
documents. These illicit digital marketplaces vary in size, with some 
of the more popular sites boasting membership of approximately 80,000 
users. Within these digital marketplaces, criminals often use various 
digital currencies to conduct transactions, such as paying for stolen 
information, requesting various criminal services, or laundering 
illicit proceeds.
    As a part of our cyber-crime investigations, the Secret Service 
targets the most capable cyber-criminals and the individuals who 
operate illicit infrastructure that supports transnational organized 
cyber-criminals. For example, in May 2013, as part of a joint 
investigation through the Global Illicit Financial Team, the Secret 
Service shut down the digital currency provider Liberty Reserve. 
Liberty Reserve is alleged to have had more than one million users 
worldwide and to have laundered more than $6 billion in criminal 
proceeds. This case is believed to be the largest money laundering case 
ever prosecuted in the United States and is being jointly prosecuted by 
the U.S. Attorney's Office for the Southern District of New York and 
DOJ's Asset Forfeiture and Money Laundering Section. In a coordinated 
action with the Department of the Treasury, Liberty Reserve was 
identified as a financial institution of primary money laundering 
concern under Section 311 of the USA PATRIOT Act (Public Law 107-56), 
effectively cutting it off from the U.S. financial system.
    The Secret Service has successfully investigated many underground 
cyber-criminal marketplaces. In one such infiltration, the Secret 
Service initiated and conducted a 3-year investigation that led to the 
indictment of 11 perpetrators allegedly involved in hacking nine major 
American retailers and the theft and sale of more than 40 million 
credit and debit card numbers. The investigation revealed that 
individuals from the United States, Estonia, China and Belarus 
successfully obtained credit and debit card numbers by hacking into the 
wireless computer networks of major retailers--including TJ Maxx, BJ's 
Wholesale Club, Office Max, Boston Market, Barnes & Noble, Sports 
Authority and Dave & Buster's. Once inside the networks, those 
individuals installed ``sniffer'' programs \5\ that would capture card 
numbers, as well as password and account information, as that 
information moved through the retailers' credit and debit processing 
networks.
---------------------------------------------------------------------------
    \5\ Sniffers are programs that detect particular information 
transiting computer networks, and can be used by criminals to acquire 
sensitive information from computer systems.
---------------------------------------------------------------------------
    After the data were collected, the alleged conspirators concealed 
the information in encrypted computer servers they controlled in the 
United States and Eastern Europe. The credit and debit card numbers 
were then sold through online transactions to other criminals in the 
United States and Eastern Europe. The accounts associated with the 
stolen numbers were ``cashed out'' by encoding card numbers on the 
magnetic strips of blank cards. The alleged perpetrators then used 
these fraudulent cards to withdraw tens of thousands of dollars at a 
time from ATMs. The illegal proceeds were allegedly concealed and 
laundered by using anonymous Internet-based digital currencies within 
the United States and abroad, and by channeling funds through bank 
accounts in Eastern Europe. Card numbers were then sold through online 
transactions to other criminals in the United States and Eastern 
Europe. The accounts associated with the stolen numbers were ``cashed 
out'' by encoding card numbers on the magnetic strips of blank cards. 
The alleged perpetrators then used these fraudulent cards to withdraw 
tens of thousands of dollars at a time from ATMs. The illegal proceeds 
were allegedly concealed and laundered by using anonymous Internet-
based digital currencies within the United States and abroad, and by 
channeling funds through bank accounts in Eastern Europe.card numbers 
were then sold through online transactions to other criminals in the 
United States and Eastern Europe. The accounts associated with the 
stolen numbers were ``cashed out'' by encoding card numbers on the 
magnetic strips of blank cards. The alleged perpetrators then used 
these fraudulent cards to withdraw tens of thousands of dollars at a 
time from ATMs. The illegal proceeds were allegedly concealed and 
laundered by using anonymous Internet-based digital currencies within 
the United States and abroad, and by channeling funds through bank 
accounts in Eastern Europe.\6\
---------------------------------------------------------------------------
    \6\ Additional information on the criminal use of digital 
currencies can be referenced in testimony provided by U.S. Secret 
Service Special Agent in Charge Edward Lowery before the Senate 
Homeland Security and Governmental Affairs Committee in a hearing 
titled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of 
Virtual Currencies'' (November 18, 2013).
---------------------------------------------------------------------------
    The impact of these criminal acts extends well beyond the companies 
compromised, potentially affecting millions of people. Cyber-crime 
directly impacts the our economy by requiring additional investment in 
implementing enhanced security measures, inflicting reputational damage 
on American companies, and dealing with the financial losses from 
fraud--all costs that are ultimately passed on to consumers. Proactive 
and swift law enforcement action protects consumers by preventing and 
limiting the fraudulent use of payment card data, stolen PII, or both.
                          cyber investigations
    The Secret Service proactively investigates cyber-crime using a 
variety of investigative means to infiltrate transnational cyber-
criminal groups. As a result of these proactive investigations, the 
Secret Service is often the first to learn of planned or ongoing data 
breaches and is quick to notify financial institutions and the victim 
companies with actionable information to mitigate the damage from the 
data breach and terminate the criminal's unauthorized access to their 
networks. One of the most poorly understood facts regarding data 
breaches is that it is rarely the victim company that first discovers 
the criminal's unauthorized access to their network; rather it is law 
enforcement, financial institutions, or other third parties that 
identify and notify the likely victim company of the data breach by 
identifying the common point of origin of the sensitive data being 
trafficked in cyber-crime marketplaces.
    When the Secret Service identifies a potential network intrusion, 
the agency contacts the owner of the suspected compromised computer 
system in order to assess the data breach and to stop the continued 
theft of sensitive information and the exploitation of their networks. 
After the victim of a data breach confirms that unauthorized access to 
their networks has occurred, the Secret Service works with the local 
U.S. Attorney's office, or appropriate State and local officials, to 
begin a criminal investigation into the matter.
    During the course of these criminal investigations, the Secret 
Service identifies the malware and means of access used to acquire data 
from the victim's computer network. In order to enable other companies 
to mitigate their cyber-risk based on current cyber-crime methods, we 
quickly share information concerning the cybersecurity incident with 
the widest audience possible, while protecting grand jury information, 
the integrity of ongoing criminal investigations, and the victims' 
privacy and confidentiality. The Secret Service shares this 
cybersecurity information through:
      --DHS's National Cybersecurity & Communications Integration 
Center (NCCIC);
      --The Information Sharing and Analysis Centers (ISACs);
      --The public, private, and academic partnerships established 
through our Electronic Crimes Task Forces (ECTFs);
      --The publication of joint industry notices; and
      --Contributions to leading industry and academic reports like the 
Verizon Report, the Trustwave Global Security Report, and the Carnegie 
Mellon CERT Insider Threat Study.
    As we share cybersecurity information discovered in the course of 
our criminal investigations, we also continue our pursuit of the 
individuals responsible for the crimes. Due to the inherent challenges 
in investigating transnational crime, particularly the lack of 
cooperation of some countries with law enforcement investigations, it 
can take years to apprehend the top tier criminals responsible for 
cyber-crimes.
    collaboration with other federal agencies and international law 
                              enforcement
    While cyber-criminals operate in a world without borders, the law 
enforcement community does not. The transnational nature of cyber-crime 
cases has increased the time and resources needed for successful 
investigation, arrest and adjudication. The partnerships developed 
through our ECTFs, the support provided by our Criminal Investigative 
Division, the liaison established by our 24 international offices, and 
the training provided to our special agents via the Electronic Crimes 
Special Agent Program (ECSAP) are all instrumental to the Secret 
Service's success in these investigations.
    To strengthen our ability to investigate transnational cyber-crime, 
the Secret Service maintains ECTFs in London and Rome, has assigned 
agents to INTERPOL and EUROPOL, and operates cyber-crime working groups 
in the Netherlands, Estonia, Lithuania, Latvia, Ukraine, and Germany. 
The Secret Service also trains numerous international partners on 
investigating cyber-crime; in the past 3 years, the Secret Service has 
trained over 500 law enforcement officials representing over 90 
countries in investigating cyber-crimes.
    The Secret Service's investigations of transnational crime are 
facilitated by the dedicated efforts of both the Department of State 
and the DOJ's Office of International Affairs to execute Mutual Legal 
Assistance Treaties and other forms of international law enforcement 
cooperation, in addition to the relationships that develop between 
Secret Service agents and their foreign counterparts through the above-
mentioned working groups and training efforts.
    Within DHS, the Secret Service benefits from a close relationship 
with ICE's Homeland Security Investigations (ICE-HSI). Since 1997, the 
Secret Service, ICE-HSI (and its predecessor organization, the U.S. 
Customs Service), and the Internal Revenue Service have jointly trained 
on computer investigations through ECSAP. ICE-HSI is also a member of 
Secret Service ECTFs, and has been a valued partner on numerous cyber-
crime investigations including the recent take down of the 
aforementioned digital currency, Liberty Reserve.
    To further its cybersecurity information sharing efforts, the 
Secret Service also has a strong relationship with NPPD, including 
DHS's NCCIC. As the Secret Service identifies malware, suspicious IP 
addresses and other information through its criminal investigations, it 
shares information with the NCCIC which pushes actionable information 
out to the broader cybersecurity community to protect their systems 
from harm. The Secret Service continues to build upon its full-time 
presence at NCCIC to coordinate its cyber programs with other Federal 
agencies. In addition to the close partnership with the NCCIC, the 
Secret Service also has an effective relationship with NPPD's 
protective security advisors (PSAs) and cybersecurity advisors in 
advancement of our cyber protection activities. Currently, 66 percent 
of all PSAs are co-located in Secret Service field offices around the 
country.
                            cyber protection
    The Secret Service is world-renowned for the physical protection it 
provides to the President and Vice President, visiting foreign heads of 
state and government, the White House and other protected sites, and 
NSSEs. In order to ensure a secure environment for our protectees, the 
Secret Service integrates a variety of innovative technologies and 
maintains a highly skilled workforce.
    The Secret Service's protective mission is comprehensive and goes 
well beyond surrounding a protectee with well-trained special agents 
and Uniformed Division officers. Over the years, the agency's 
protective methodologies have become more sophisticated, incorporating 
such tools as airspace interdiction systems, and enhanced chemical, 
biological, radiological, and nuclear (CBRN) detection systems through 
the Operational Mission Support program. As part of the Secret 
Service's continuous goal of preventing an incident before it occurs, 
the agency relies on meticulous advance work and threat assessments to 
identify potential risks to our protectees. Since much of our Nation's 
critical infrastructure is becoming increasingly interdependent, the 
threat of a cyber-attack directed toward our protective interests 
cannot be ignored.
    The Secret Service's CSP program identifies, assesses, and 
mitigates risk posed by information systems to persons and facilities 
protected by the Secret Service. The program supports a full spectrum 
of protective operations to include domestic and foreign trips, as well 
as NSSEs. It accomplishes its mission in support of the Presidential, 
Vice Presidential and Dignitary Protective Divisions by assessing the 
level of risk caused by the disruption, damage or destruction of 
process control systems critical to an event or venue. The CSP program 
implements preventative, detective, and corrective controls to reduce 
risk from a viable cyber-threat during protective operations. The 
result is situational awareness of the overall cybersecurity 
environment during protective operations.
    For example, since 2012, the Secret Service has deployed cyber 
protection tools in support of 7 of the 16 DHS designated critical 
infrastructure sectors. Most recently, during the 2014 State of the 
Union Address (SOTU), the Secret Service deployed its cybersecurity 
protection platform to defend critical infrastructure and key resources 
in the National Capital Region.
                      investments in cybersecurity
    The President's fiscal year 2015 budget request for DHS includes 
$1.25 billion in discretionary spending for cybersecurity activities. 
The Secret Service's budget request accounts for $100.4 million, or 
roughly 8 percent of the total amount requested. The majority of this 
funding is requested under Domestic Field Operations to support the 
staffing associated with Secret Service cyber-crime investigations; 
training for our State and local law enforcement partners through the 
National Computer Forensics Institute (NCFI); training for special 
agents through ECSAP; and funding for the operational costs associated 
with our ECTFs. Within the amount requested, funding is also proposed 
to enhance the CSP program through the Cyber Security Presidential 
Protection Measures (CSPPM) program; support the staffing associated 
with international cyber-crime investigations; and continue the 
upgrades necessary to protect Secret Service data and systems from 
intrusion or intercept through the multi-year Information Integration 
and Technology Transformation (IITT) program. For the purposes of 
today's hearing, I would like to highlight a few of these efforts in 
more detail:
Cyber Protection Activities
    The President's fiscal year 2015 budget request includes a total of 
$21.3 million for cyber protection, which primarily supports the 
staffing associated with this activity. Within this amount, the request 
also includes $3.9 million to enhance the Secret Service's cyber 
protection capabilities through the CSPPM program. This will enable the 
Secret Service to train an additional 24 special agents in the ECSAP 
network intrusion discipline. This training is a prerequisite for 
special agents to advance to the CSP program to fulfill mission 
critical assignments in cyber protection. The CSPPM request also 
includes funding to enhance the CSP's cybersecurity protection platform 
to improve cyber-resiliency at Secret Service protective venues, 
including those associated with NSSEs.
National Computer Forensics Institute
    The President's fiscal year 2015 budget request includes $4 million 
for the NCFI, which will enable the Secret Service to train 
approximately 500 State and local law enforcement officers, 
prosecutors, and judges on current trends in cybersecurity and the 
potential obstacles they are likely to encounter during the course of 
their investigations. Located in Hoover, Alabama, the NCFI offers State 
and local law enforcement officers and prosecutors the training 
necessary to perform computer forensics examinations, respond to 
network intrusion incidents, and conduct electronic crimes 
investigations, while judges receive general education in these areas.
    Since opening in 2008, the institute has held over 150 cyber 
investigative and digital forensics courses in 16 separate subjects and 
trained and equipped more than 3,000 State and local officials, 
including more than 2,300 police investigators, 840 prosecutors, and 
230 judges from all 50 States and three U.S. territories. These NCFI 
graduates represent more than 1,000 agencies nationwide.
Electronic Crimes Task Forces/Electronic Crimes Special Agent Program
    The President's fiscal year 2015 budget request includes $1.8 
million for the training and operational costs associated with the 
Secret Service's ECTF and ECSAP programs. The requested amount in 
fiscal year 2015 will support equipment purchases and travel expenses 
for ECTF and ECSAP personnel. In addition to these base funds, the 
Secret Service usesTreasury Executive Office of Asset Forfeiture 
(TEOAF) funding to support the ECTF and ECSAP programs.
    The Secret Service currently operates 35 ECTFs, including two based 
overseas in Rome, Italy, and London, England. Membership in our ECTFs 
includes over 4,000 private sector partners; 2,500 international, 
Federal, State, and local law enforcement partners; and 350 academic 
partners. By joining a Secret Service ECTF, our partners benefit from 
the resources, information, expertise and advanced research provided by 
our international network of members while focusing on issues with 
significant regional impact. For example, the New York ECTF, based in 
the Nation's largest banking center, focuses heavily on safeguarding 
our financial institutions and infrastructure, while the Houston ECTF 
works closely with partners such as ExxonMobil, Chevron, Shell, and 
Marathon Oil to protect the Nation's vital energy sector.
                               conclusion
    Safeguarding and securing cyberspace is a top priority for DHS. As 
part of that effort, the Secret Service is steadfast in its commitment 
to protect the President, Vice President, and NSSEs from the threat of 
cyber-attack, and to protect the Nation's financial payment systems by 
investigating and dismantling transnational criminal organizations 
involved in cyber-crime. Responding to the growth in these types of 
crimes, and the level of sophistication these criminals employ, 
requires significant resources and greater collaboration between law 
enforcement and its public and private sector partners. Accordingly, 
the Secret Service is focused on improving our protective and 
investigative capabilities and techniques, enhancing the training of 
our special agent workforce through ECSAP, providing training for our 
State and local law enforcement partners through the NCFI, sharing 
information with our partners and private industry through DHS's NCCIC 
while actively investigating cases though our ECTFs, and raising public 
awareness to deter and mitigate the cyber-threats our Nation faces 
today.

                  CYBER EDUCATION: BUILDING WORKFORCE

    Senator Landrieu. Thank you very much.
    Let me begin with you, Secretary. There are many aspects of 
cyber defense that we're going to try to cover in this short 
period of time, and of course the time will not allow us to go 
very in depth. But one of the areas that I've really been 
focused on because of my general interest in education is 
educating the next generation of cyber warriors or generating--
educating the next generation of professionals that can step up 
and help fill this important gap.
    It's been estimated, not by our committee but by others, 
the Department itself has stated a goal of educating 1.7 
million students by 2021. That would be approximately 200,000 
students a year. The President's budget cut the funding for 
cyber education by 52 percent. When we've inquired, they've 
said that DHS would still meet that number, but would use other 
programs and populations, et cetera, et cetera.
    So I want to ask you all this question, but particularly 
the Under Secretary for Homeland. Try to take a minute or two 
and explain as clearly as you can how the Department of 
Homeland Security is working, either with the Department of 
Education or with DOD or with any partner that you might want 
to identify, to actually produce the 200,000 workers, 
professionals, and students at a variety of different ages, and 
what are some of the more successful programs that you have and 
some of the results that you have achieved?
    Because I'm having a hard time getting a real handle on 
this. I hear a lot about it. I just can't quite see it.
    Dr. Schneck. Thank you. First and foremost----
    Senator Landrieu. You can pull that closer to you so you 
don't have to lean. I think it'll come closer to you. I feel 
like you're going to fall off that chair in just a minute. Or 
push yourself a little that way, whatever.
    Dr. Schneck. The chair's nice and short. I can't fall off. 
This is good.
    So thank you. First of all, thanks again for the support, 
and we look forward to working with you on this. This is a big 
challenge. As I mentioned, the Secretary has stated his 
emphasis on education and on building the next cyber workforce. 
One of the first things that he did was take me down to two 
universities and have us talk with students----
    Senator Landrieu. Which two were they?
    Dr. Schneck. We went to Georgia Tech and Morehouse. And he 
said we will do this again, and we have a program rolling out 
that looks at what universities we'll be going to. But that's 
one of many.
    We are bucketing our efforts at this point sort of in three 
different areas, and then I can also go through some of the 
other types of programs we have. I'm going to want to follow up 
with you with a comprehensive readout. But our buckets simply 
are the following:
    One is to identify the skill sets that we need. A lot of 
times when I go out and talk to students--and I do this a lot, 
of all ages, and leadership at all levels goes out and speaks 
as much as we can to students of all ages, from K through 12 
actually through the graduate programs. We need them to know 
the skill sets they need to have, what is a cyber workforce. 
It's not someone who just operates a firewall. It can be 
anything from policy to highly technical or a combination.
    The second bucket is to actively get out there and find out 
what they're studying, talk to the professors, influence the 
curricula in the universities, which is one of the things we're 
starting to do as we speak to the universities.
    And third is, for example, to award scholarships for 
service, get involved in helping fund their education, give 
them a chance then back. They come and work in our labs. 
Especially at NPPD, we've had interns in cybersecurity and 
communications, in that component. And then we give them a 
taste of what it's like to serve in Government. They get those 
skills from us as well.
    Then we have several other programs----
    Senator Landrieu. I think that sounds good, but it's so 
general. What I'm going to continue to press you on is some 
specifics. Like I asked for the purposes of this hearing to get 
the document from DOD about what a cyber warrior must have, 
literally the levels of education and specific skill set that 
DOD is requiring. It is 100 pages or more of very, very 
specific requirements. I'm going to submit this all to the 
record. It's not classified in any way, of course.
    [The information follows:]

    The proposed funding reduction to National Protection and Programs 
Directorate (NPPD) Cybersecurity Education in fiscal year 2015 impacts 
the long-term goal of affecting 1.7 million students in 10 years 
through the Integrated Cybersecurity Education Communities (ICEC) 
project. However, NPPD leads several cybersecurity education projects 
serving a wide audience of students across the Nation, providing 
cybersecurity education programs as flexible and responsive as the 
rapidly changing cybersecurity environment. Each of these projects is 
an integral factor in strengthening the national cyber workforce 
pipeline and building a robust national cybersecurity workforce, 
ensuring we may sustain a safe, secure and resilient cyberspace. As 
such, NPPD proposes these additional projects be applied towards the 
1.7 million student goal, one that can be reached within the 10-year 
timeframe.
1. Identify the Skill Sets Needed for a Cyber Workforce
    In 2012, the Department of Homeland Security (DHS) conducted the 
Information Technology Workforce Assessment for Cybersecurity (ITWAC) 
in partnership with the Federal Chief Information Officers (CIO) 
Council. The ITWAC collected workforce data that identified the 
composition and capabilities of the Federal civilian cybersecurity 
workforce.
    In 2014, DHS has partnered with academic institutions and the 
Department of Defense (DOD) to conduct the National Cybersecurity 
Workforce Assessment (NCWA). The NCWA is gathering data on the U.S. 
non-Federal cybersecurity workforce. Like the ITWAC, the NCWA will 
identify gaps and deficiencies in both the size and capability of the 
cybersecurity workforce. However, the NCWA will go beyond the ITWAC to 
define specific occupational categories aligned to the National 
Cybersecurity Workforce Framework and the role that government can play 
to remedy the identified deficiencies.
    DHS also leads the development of the National Cybersecurity 
Workforce Framework. The Cybersecurity Framework is a national resource 
providing employers, employees, students, educators, trainers, and 
policy makers with a common language for describing cybersecurity work. 
The Cybersecurity Framework includes a detailed listing of knowledge, 
skills, and abilities (KSAs) required for specific cybersecurity 
positions. The KSAs are associated with Specialty Areas included in the 
Cybersecurity Framework to clearly define the qualifying service, 
education, or training needed to successfully perform tasks or 
functions associated with that specialty. A detailed listing of all of 
the KSAs included in the Cybersecurity Framework can be found at http:/
/niccs.us-cert.gov/training/tc/framework/ksas.
2. Explore the Cyber Curricula in Universities
    The National Security Agency (NSA) and DHS jointly sponsor the 
National Centers of Academic Excellence in Information Assurance 
Education (CAE/IAE), IA 2-Year Education (CAE/2Y), and IA Research 
(CAE/R) programs. The goal of these programs is to reduce vulnerability 
in our national information infrastructure by promoting higher 
education and research in IA and producing a growing number of 
professionals with IA expertise in various disciplines. There are 181 
schools (in 43 States, DC, and Puerto Rico) with one or more CAE 
designations. Working with these schools through the CAE program 
provides DHS with an opportunity to influence cybersecurity curricula 
across the Nation. Each cybersecurity academic program has about 100 
students, and therefore approximately 18,100 students annually are 
studying cybersecurity through the CAEs. More information on CAEs can 
be found at http://www.nsa.gov/ia/academic_outreach/nat_cae/
index.shtml.
    Note that DHS is deploying new criteria for designation as a CAE, 
revised in order to meet the cybersecurity demands of the Nation. The 
new criteria will rely on knowledge units (an academically oriented 
approach), moving away from the previous information assurance training 
standards.
3. Provide Scholarships for Service
    DHS participates in the Scholarship for Service (SFS) program, 
designed to increase and strengthen the cadre of Federal IA 
professionals protecting the Government's critical information 
infrastructure. SFS (through the National Science Foundation) provides 
scholarships that may cover the typical costs to attend a participating 
institution, including tuition and education and related fees. In 
exchange, students agree to serve in a cybersecurity role in the 
Government for a period equivalent to the length of their scholarship 
(e.g., 2 academic years = 2 calendar years). The U.S. Office of 
Personnel Management (OPM) manages and tracks SFS placements within 
government. CAE-designated academic institutions may apply to receive 
SFS awards. A total of 51 institutions in 26 States and DC currently 
receive SFS scholarship awards. Over 450 students receive SFS 
scholarships each year. DHS sponsors the annual in-person SFS Job Fair 
(January in the DC area). SFS has also held virtual job fairs with DHS 
support. More information on the SFS program can be found at https://
www.sfs.opm.gov/.
    The Secretary's Honors Program for Cybersecurity (SHPC) is designed 
to develop technically skilled cyber professionals across DHS. Since 
the Program began in January 2012, there have been 11 participants who 
have had the opportunity to put their academic achievements to use in a 
hands-on environment while playing a vital role in protecting our 
Nation. Through rotational assignments, Honors Program participants 
observe how each component collaborates on cyber-related issues and 
work first-hand on critical issues or incidents in a fast-paced, 
growing environment. Participants, from SFS or CAE schools, spend 2 
years in the program, and then have the opportunity to attain a 
permanent position at DHS.
4. Integrated Cybersecurity Education Communities Project
    In fiscal year 2013, DHS/Cybersecurity Education and Awareness 
(CE&A) issued the competitive Cybersecurity Education and Training 
Assistance Program (CETAP) grant in the amount of $5 million to fund 
the Integrated Cybersecurity Education Communities (ICEC) project. In 
support of the National Initiative for Cybersecurity Education (NICE), 
the ICEC project holds cyber education summer camps in communities 
around the country, with the primary goal of educating high school 
teachers who will then return to their schools and affect numerous 
students each year, as well as integrate cyber content into their 
existing course curricula across multiple academic disciplines. As a 
result, four communities across the country will hold cyber education 
camps in the summer of 2014, with at least 36 high schools 
participating. Each high school will send six students and two teachers 
and each teacher will affect approximately 120 students over a year. 
Therefore, the anticipated impact will be nearly 9,000 students this 
summer.
5. Cyber Competitions
    DHS/CE&A supports cyber competitions, sponsoring CyberPatriot, 
which affects numerous middle and high school students each year and 
steers them toward cybersecurity careers and studies. The expansion of 
the CyberPatriot program exposes cybersecurity to 12,000 students 
annually.
6. National Initiative for Cybersecurity Career Studies Portal
    DHS/CE&A developed the National Initiative for Cybersecurity 
Careers and Studies (NICCS) portal, an online resource for government, 
industry, academia, and the general public to learn about cybersecurity 
awareness, education, careers, and workforce development opportunities. 
An ongoing success for DHS, the NICCS portal is available to the 
American public, assisting users of all ages in locating cybersecurity 
learning opportunities and careers. The NICCS portal also hosts the 
Cybersecurity Training Catalogue, providing a list of all cybersecurity 
or cybersecurity-related education and training courses offered in the 
United States.
    NICCS Web traffic continues to show steady improvement. In May 
2014, 6,280 unique users accessed NICCS, leading to just over 33,090 
unique users seeking cybersecurity training this calendar year. Since 
its inception, NICCS has had close to 90,000 unique visitors.
7. Federal Virtual Training Environment (FedVTE) and Federal 
        Cybersecurity Training Exercise (FedCTE)
    DHS/CE&A continues to support training efforts for Federal and 
critical infrastructure cybersecurity professionals. The FedVTE is an 
online training platform, providing Federal cybersecurity and IT 
professionals with hands-on labs and training courses. The environment 
is accessible from any Internet-enabled computer and is free to users 
and their organizations. The FedVTE content library includes more than 
800 hours of training, 150 demos, and 3,000+ pieces of content. The 
FedCTE provides training, labs, and competitions for Federal 
cybersecurity professionals. DHS is also piloting courses for State 
government cybersecurity professionals. Classes range from one to three 
days and are conducted both live and virtually on a variety of 
cybersecurity topics providing training, hands-on experiences, 
knowledge of best practices, and network opportunities. The FedVTE and 
FedCTE are each available to 125,000 Federal/critical infrastructure 
cybersecurity professionals per year.
    In fiscal year 2014, DHS/CE&A will continue these major efforts and 
initiate several enhancements, all contributing to the effort to 
promote cybersecurity education across the Nation. DHS/CE&A plans to 
apply $5 million to the CETAP grant in fiscal year 2014, enabling the 
same four communities holding cyber education summer camps in the 
summer of 2014 to continue the camps in the summer of 2015 leading to 
an effect of nearly 10,000 students that is a combined total of 19,000. 
DHS/CE&A estimates 60 percent of the 9,000 students reached the summer 
of 2014 (5,400 students), plus potentially another 10,000 students will 
be reached outside of the summer camp, resulting in 34,400 students 
reached by the end of 2015. The grant also supports development of 
cybersecurity-integrated high school curricula, which high schools 
across the country can adopt and offer to numerous students each year. 
Further, DHS/CE&A will develop additional and continued interest in 
cybersecurity careers and studies following the summer camps by 
promoting participation in cyber competitions and in virtual 
mentorships and internships. DHS/CE&A will continue participation in 
the CAE and SFS programs, reaching thousands of community college, 4-
year school, and graduate students annually. DHS/CE&A will also launch 
a course intended to help professors and students in designated CAE 
schools understand the National Cybersecurity Workforce Framework and 
its relevance to CAEs. Further, DHS/CE&A will release Workforce 
Framework 2.0, codifying cybersecurity workforce roles. Finally, DHS/
CE&A plans to add a search function to the Training Catalogue, so users 
seeking cybersecurity training on the NICCS portal will be able to 
browse courses based on their individual needs, thereby facilitating 
access to cybersecurity training for countless American students of all 
ages and their pursuit of cybersecurity certifications.
    In summary, DHS/CE&A's programs focus on the cybersecurity 
education and awareness of the Nation, including students. When 
combined, the existing DHS/CE&A activities enable DHS to reach, and 
potentially exceed its goal of educating 1.7 million students in 
cybersecurity in 10 years. America's students are pursuing various 
levels of education and DHS/CE&A has made great strides in facilitating 
these students' pursuit of cybersecurity education and careers; 
redefining the goal of training 1.7 million students to include all of 
CE&A's activities accurately captures the reach of the program, its 
impact on the Nation, and the goal of DHS.

    Senator Landrieu. But just one page, page 25, it says a 
person must normally have 1 to 5 years or more experience in IA 
technology in a related field. You have to have a systems 
environment, a computing environment. Knowledge applies, basic 
knowledge of IA concepts, practices, procedures, et cetera, et 
cetera.
    I still think it would be really important for Homeland 
Security, probably in conjunction with DOD since they've 
already done it, and the Department of Education, to come up 
with a basic framework or a specific certification. Maybe we 
should do this, Senator Coats, with the private sector as well. 
I'm not sure. But I think at least in my experience, if the 
goal is to actually educate whatever, 1.5, 1.7, 2.5, you've got 
to measure it, have a way to measure it, to know if you're 
achieving it.
    I can tell you as chair of this committee, as strongly as I 
feel in investing in education, I'm not going to invest money 
in programs that I'm not sure get a result. And I'm going to be 
holding through the whole Appropriations Committee the other 
subcommittees responsible, not holding but pressing them to be 
responsible, for allocating funding in a way that we can have 
some confidence that after we've allocated it we're actually 
producing, in partnership with universities, with the private 
sector, the kind of workforce and warriors we need to protect 
this country.
    So I've run out of my time. I do have many more questions, 
but since that's been my emphasis I'm going to stay with it. 
There are other things I want to ask. But I'm going to turn it 
over to Senator Coats, and we may get a second round of 
questioning.

                              CREDIBILITY

    Senator Coats. Dr. Schneck, as you know, DHS has been 
fighting some credibility issues in terms of capability. I was 
very impressed when I visited the center. You gave a terrific 
tour relative to what you've been able to accomplish. I think 
it looks like DHS has turned the corner on this, gaining 
credibility.
    My understanding is that the strategy pretty much involves 
three things: one, limiting the Internet touch points to 
trusted Internet connections; establishing an effective 
perimeter capability; and deploying continuous diagnostics for 
managing the Federal system activity.
    So my question is, generally where do we now stand today 
with the dot-gov domain relative to meeting these, implementing 
this strategy?
    Dr. Schneck. Thank you again for your visit that day. We 
appreciate that.
    On the perimeter side, we are now supporting not just 
intrusion detection, which is the system, see something come in 
and notify us; we're now supporting intrusion prevention under 
the term you may have heard, E3A, to about a quarter of the 
seats across the U.S. Government. That number will go up as our 
new service providers come online. For example, the one that 
supports DHS is just about to come on and will actually be 
engaging DHS in our own program, drinking our own champagne, as 
the team likes to say.
    And then, continuous diagnostics and mitigation, which I 
did not have time to mention in my opening remarks, is a way of 
turning every network into its own ecosystem. So instead of 
having the team build a binder, a heavy binder every year, to 
talk about how secure it is, the system constantly measures how 
healed up it is and how secure it is, so you always know and 
you're always aware of behavior that's different.
    As we grow that system, it'll become more and more like 
your body's immune system. You don't need to have a conference 
call to fight a cold. You always know something coming in and 
you'll be able to see. Because we see, even across the 
perimeter defense, different behaviors across all of the U.S. 
Government that can in the future help inform the networks, 
other agencies that are being protected by the external 
defense, as well as these internal immune systems, can learn to 
recognize bad behaviors.
    So our vision is not only operational both in the internal, 
watching the network behavior, and the internal prevention, but 
also in using that core that makes DHS unique in NPPD, not only 
our core ability to work with our partners in the Secret 
Service and research and development and HSI and Coast Guard 
and others, but our ability to bring in inputs from other 
partners, from trusts through the private sector, to understand 
what companies are seeing, and to use all that and get it 
widely disseminated to protect others across the Government and 
the private sector in real time.
    I feel that across the Government we are very much 
operational. We very much have turned a corner. If I could have 
one wish, it would be to have been able to act faster on 
Heartbleed, and that would have been for the statutory 
clarification so that we wouldn't have had to get letters of 
authorization for every unique organization that we scan.

                            RESOURCES NEEDED

    Senator Coats. Well, you just began to answer my second 
question, and that was what resources do you need to get to the 
point where--I know it's a constantly evolving challenge here 
from a technological standpoint. But are there resources you 
need now that could accelerate the process of getting this 
whole domain in place relative to meeting all these strategies?
    Dr. Schneck. There are always resources that we could use. 
So we have made, of course, cuts across all of our high-value 
programs and, unfortunately, even in education, given the 
budget picture we were given, to fit that. However, that 
statutory clarification would help us because it reduces the 
amount of time it takes us to act. It makes it very clear what 
our authorities are to help with the information-sharing across 
the private sector that narrowly targeted liability protection.
    I came from industry 8 months ago and that's very helpful 
to a company because it speaks to the general counsel and says: 
This is okay to share with Government and protect others, and 
the company won't get hurt, the breach notification.
    But this is the area on the congressional side. On the 
resource side, we do need more talented people and that means 
manufacturing them and training and educating them. I'm very, 
very passionate about that as well. I'm a product of that. And 
it also means the ability to hire people faster, on-board them 
with the competitiveness that some other agencies have, that we 
do not yet; and certainly to engage with the whole unity of 
effort with the DHS and put more money to this. If we didn't 
have to cut as much, we'd be able to grow a lot faster, and 
this is an urgent environment.

       DATA BREACHES: GOVERNMENT, PRIVATE-SECTOR RESPONSIBILITIES

    Senator Coats. I'm going to ask the second panel this also, 
but I'd just like to get your take. Relative to--there's been 
some very high-profile data breaches among retail sellers and 
the business community. Has that resulted in a significant 
uptick in terms of inquiries and outreach and willingness to be 
more engaged in partnership with the Federal Government that 
you've noticed as a result of those high-profile breaches?
    Dr. Schneck. I would say absolutely. Number one, the 
American public is scared. And number two, I met even 
yesterday--I meet all the time with our sector representatives, 
our partners in the private sector. I met yesterday with some 
executives from the financial community, and they want to know 
how to help; they want to know how to contribute their 
resources and their knowledge. It's the same across all 
sectors.
    So absolutely, this is the time to get this done.
    Senator Coats. My time has expired. Madam Chairman, I just 
think that's so critical as we move forward, and to my other 
colleagues also. What we got hung up on before was the 
reluctance of the private sector to, quote, ``trust'' that they 
could coordinate with the Federal Government in a way that 
would protect their privacy and all that. Now they've seen, I 
think, the capabilities and the necessity of having that 
interaction between the Federal and the private sector. I'm 
glad to hear your answer on that one.
    Senator Landrieu. Thank you, Senator Coats, for your 
leadership. You've been working with members of both sides and 
we think we're making progress, and thank you.
    But I do want to come back after Senator Coons and ask you 
to restate the specific authorization that you lacked, that you 
said you were able to cobble together, but if you had the 
authorization, at least in dot-gov, you would have been able to 
move more quickly. I'll come back to you in just a minute.
    Senator Coons.
    Senator Coons. Thank you, Madam Chair.
    Senator Coats, that is an area of interest for me as well, 
as a former in-house counsel for a private sector company that 
faced security challenges much like the ones you've described. 
I do think we still have undone work in terms of delivering 
clarity.
    Let me focus on that first, if I might. Jurisdictional 
clarity seems to me particularly important for a cyber event 
because, unlike a natural disaster, a cyber event could be a 
crime, a national security event, an act of war. It could 
possibly be all three at the same time. And governmental 
objectives might be in conflict, one agency trying to restore 
power, for instance in an attack on the grid, while another 
agency is trying to preserve evidence needed to catch the 
perpetrators and investigate and prosecute the perpetrators.
    I am concerned about whether we have clear protocols for 
industry and Government for that response and clear lines of 
responsibility so that we can do the restoration work that's 
needed, but without destroying the Government's capacity to 
investigate and prosecute. So I'd be interested in whether you 
feel you have the authority you need to do that today and 
whether we should be considering some legislation that 
clarifies Federal roles and responsibilities to grant authority 
for lead during a cyber attack.
    I'm going to ask my questions first and then see if we've 
got enough time for an answer.
    And then second, Dr. Schneck, I just wanted to commend you 
for your engagement with the workforce and your commitment to 
being a great role model and leader. I think we're going to 
hear in the second panel from the University of Maryland. 
They're doing great work in preparing the cyber workforce. The 
University of Delaware is also working, as are many other 
universities.
    I do want to hear how you think targeted investments in 
cyber education are furthering national security and what more 
we need to do.
    Last, the National Guard is a remarkable, nearly unique 
asset that crosses the civilian and military divides and allows 
us access for national security and homeland security purposes 
to a world-class workforce that is trained and funded by the 
private sector, but because of their either Guard or Reserve 
role can be accessed in times of emergency or on an ongoing 
basis. I wondered if you had any comment, Dr. Schneck, as to 
whether there are initiatives in place to enhance that 
relationship.
    So there are three questions. And, Special Agent Noonan, if 
we have a moment to talk about IP theft and trade secrets theft 
in the finish, that would be great as well.
    Please, Dr. Schneck.
    Dr. Schneck. I'm going to talk very fast because my 
colleagues have very interesting work and I want you to hear 
that. So very quickly, statutory clarification. We currently 
have the authority. We work from a patchwork of different laws, 
including the Homeland Security Act of 2002, that tells us that 
our response is response and mitigation. That's our role--
response and mitigation of cyber threats across Federal, 
civilian, government, State, local tribal, territorial, and 
critical infrastructure private sector.
    The problem--and I knew this from the other side in the 
private sector--is that when the lawyers get involved, and to 
their credit they're protecting the company, and they don't 
really know if we're supposed to be scanning. This even 
happened with the Cabinet agencies that we had to scan for 
Heartbleed to ensure that our citizens who use external-facing 
Web sites, who use a highly credible piece of software called 
Open SSL that happened to have a defect--we didn't want them to 
get hurt.
    So as fast as we could, we went door to door and got a 
letter of authorization from each agency, working with each 
lawyer, to make sure that we could scan it. That cost us 5 to 6 
precious days in some cases, because the whole world knew about 
this vulnerability and all the information that it could 
capture while we were lawyering. So had we had the 
clarification in the law that this was our role, we would have 
gotten started a lot faster.

                 CYBER EDUCATION: TARGETED INVESTMENTS

    On your second question, I'm happy to follow up after in 
writing. I just want to leave time for my colleagues. Targeted 
investments in cybersecurity. I am a big believer in 
innovation. It's not just that I worked for a Silicon Valley 
company. It's that my father was a scientist and I like to 
learn. If we can enable other students to have that and to take 
on cybersecurity as something that is fun, we get our national 
and our global leadership back as a country. You target that 
innovation.
    I've spent a lot of time in Silicon Valley talking to 
venture capitalists and others about the importance of 
protecting your investment. But if we could target that toward 
the universities, target our research toward that, as we do 
with our partners in science and technology and R and D, if we 
could advance a lot of that, I think that we would move forward 
both as a country and in cybersecurity.

                             NATIONAL GUARD

    Finally, on the National Guard, that's a DOD asset. 
However, we believe in collaboration, so we welcome that. As 
you and I talked before, homeland security is local; the 
response needs to be local. What we can add is the 
collaboration. Let them plug into the other areas, whether it's 
us or Secret Service or HSI or Coast Guard, the other 
responses. Let that be plug and play. Let us all work together. 
The added energy will do nothing but help us, and we can learn 
from them. So it's a welcome asset. It's not one we control, 
but it's certainly one that could fit right into our input of 
threat information and certainly those that we would output to 
and welcome to work with.
    Senator Landrieu. Senator Coons, thank you so much. You and 
I think are co-sponsoring a bill related to the role of the 
National Guard, and I would describe the National Guard as well 
positioned to be of great help to our country in this 
particular line of defense, because they have the expertise of 
the military, but their base is homeland, and they draw from a 
wide variety of industry by their nature. It's part-time 
warrior. That is very interesting.
    So I look forward, Senator Coons, to continuing to work 
with you on that possible enhanced partnership.
    Senator Cochran.

                   STATEMENT OF SENATOR THAD COCHRAN

    Senator Cochran. Madam Chair, I got in a little late, but 
I'm glad I was here to at least express the appreciation of 
this committee to our witnesses for helping us better 
understand what the limitations are and what the opportunities 
are that we have in Congress for making good quality decisions 
about Federal regulation, rules, laws, how do you protect 
privacy. Is there a privacy any more? I guess not.
    So it's kind of scary. So you're all we've got. What I'm 
talking about is that the Federal Government's agencies aren't 
prepared to police the use of assets and equipment and 
knowledge and information, and would we want that anyway? These 
are all big questions, and we thank you very much for coming 
here and helping us understand that.

                        DATA BREACHES: DISCOVERY

    Senator Landrieu. Senator Cochran, thank you for your 
leadership.
    Let me ask, if you don't mind--and if you have an 
additional question, our time will allow it. The votes have 
been pushed back slightly.
    But I do have a question for Mr. Noonan. One of the most 
poorly understood facts regarding data breaches is that it's 
rarely the victim company that first discovers the criminal, in 
the case that it is criminal--let's assume and I think, Senator 
Coons, it could be all the above--but a criminal unauthorized 
access to their networks. Rather, it's law enforcement, 
financial institutions, or third parties that identify and 
notify the victim company of the data breach.
    Without going into any specifics, this speaks to the 
importance of timely and trusted information shared between law 
enforcement and the private sector. We've touched on this, but 
everyone is now aware, or most everyone, of the situation at 
Target and what happened when the third party, hired by Target, 
notified them their systems had been breached, what happened 
internally in Target. I think just this week someone has 
stepped aside, because that is still going on.
    So could you explain right now in America, who is the one 
that normally finds out the breach has occurred? And it's 
usually not the victim, as in this case. It's usually who, a 
third party, an Internet provider, you guys, ICE, FBI, Secret 
Service? Who wants to take that?
    Mr. Noonan. Yes, ma'am. From the Secret Service's approach, 
we have a proactive approach to going after cyber criminals. 
It's generally a source of information that we're able to 
obtain, and we obtain it in a number of different ways, whether 
it's through confidential informants, other sources, undercover 
operations, or trusted partners within the industry.
    We're able to take those data, we're able to crunch those 
data, and determine where there's a vulnerability and who 
potentially has been victimized. In many cases, in just this 
year, we've made notifications to actually two other financial 
institutions about their compromise. And I'm telling you that 
if it were not for that notification by law enforcement, the 
Secret Service, to those two financial institutions, they would 
not be in business today.
    So when we talk about potential----
    Senator Landrieu. Can you repeat that, please?
    Mr. Noonan. Yes, ma'am. We've made notification to two 
financial institutions in this year, at which time they didn't 
know that they had an intrusion. We believe that those 
institutions would have gone under if it were not for 
notification to those institutions. They did not lose a single 
dollar because of that advance warning.
    Senator Landrieu. And if some of these institutions that 
would go, could potentially go under, are big enough, you could 
assume lots of other companies and individuals they could take 
down with them, correct?
    Mr. Noonan. Yes. The people who we're talking about the 
cyber criminals, the transnational cyber criminals who have the 
capability to do this, they're very advanced cyber criminals. 
They're going after financial institutions. Their motivation is 
greed. So whatever they can get their hands on to monetize in 
the criminal underground, that's what they're attacking.
    In this particular case--I'm just giving you those two 
particular examples. There are many other examples. There are 
other retailers that we've made notification to this year as 
well that they had potential issues, and we were able to--and 
you've got to understand, that's an advantage because we're 
going out ahead of them losing anything and we're allowing them 
to see and look closer at their systems by information and 
evidence that we're learning in our other cases to say, ``Hey, 
institution, you have a problem, please look in this arena.''
    That's where the advantage of law enforcement is in this 
fight against cyber crime. Law enforcement has a way to go 
outside the fence, if you will, to determine what the criminal 
actors are doing. We're able to look at their criminal network. 
We're able to look at their criminal infrastructure, and 
sometimes ahead of time determine what they're going to do or 
what actions they may take, and in doing so we do make 
notifications to those trusted partners.
    Senator Landrieu. Does ICE want to have anything to answer 
or comment on, Mr. Edge?
    Mr. Edge. With regard to the intrusions that we're 
discussing here, we don't duplicate the efforts that the Secret 
Service initiates. In fact, if we were to discover such an 
intrusion, we would contact our counterparts at Secret Service 
and work with them on the investigative effort that would take 
place.
    We also would assist in the computer forensics analytic 
portion of it as well. So it's a total team effort here. Most 
of the work that we're doing in the cyber space is pursuant to 
the investigative areas in which we work--child exploitation, 
counterproliferation--where we work very closely with DOD and 
we communicate very closely with DOD and try to disrupt and 
dismantle those organizations that are off of our shores, where 
we can certainly make a difference and prevent them from 
continuing to affect our country.
    Senator Landrieu. Okay, thank you all.
    I think we're going to move to our second panel. I just 
want to underscore one additional item. To you, Dr. Schneck: I 
know that you're aware of the extraordinary contribution 
Louisiana Tech has played in developing an education program 
for middle and high schools, also with their college level as 
well. We were one of the universities that received one of the 
first grants in the country, and I look forward to continuing 
to work with you on developing and network of universities and 
programs that are actually meeting the need that's been 
expressed.
    I thank you, Mr. Edge, for recognizing the HERO Child 
Rescue Corps Program, very innovative, that U.S. Immigration 
and Customs is working with Special Operations to use wounded 
warriors while they are convalescing and are unable to perform 
their primary function. They're well trained and suited to be 
warriors on the Internet, and I really think that's using our 
assets really well and I look forward to continuing to support 
that effort.
    I thank you all and we'll move to our second panel.
                       NONDEPARTMENTAL WITNESSES

    Senator Landrieu. As the panel is getting situated and the 
Clerk is helping to seat them, I wanted to let the members know 
that Senator Coats and I thought it would be a good idea to 
have some independent voices at the table to give some critique 
and some different perspective to the Government agencies and 
entities. We really want to know if our agencies and entities 
that we're funding are doing the kind of job that you as 
experts in the field believe they should be doing.
    We know that sometimes you work with these agencies, so 
sometimes it is difficult to criticize them. But we hope that 
you will do it constructively, and we hope that you will do so. 
We want to know what's working in your view, what's not 
working, what progress we're making in these fields, and what 
we're not.
    We've got I think a very excellent panel. First we have Mr. 
Mahon, vice president and chief security officer of 
CenturyLink. I think it's the third largest Internet provider 
in the country, and I'm very proud that it actually is located 
in Monroe, Louisiana, and is growing. It started out as a very 
small telephone company maybe 45, 50 years ago with a handful 
of employees and now it's multi-thousands and just really an 
extraordinary success story.
    Scott Bowers, vice president, government relations, Indiana 
Statewide Rural Electric. Scott, welcome. Mr. Bowers, welcome, 
and we look forward to hearing from you representing the 
hundreds and thousands of coops in this country that are part 
of this effort.
    Christopher Peters, vice president of North American 
Electric Reliability Corporation (NERC)-Critical Infrastructure 
Protection Compliance, Entergy Corporation. Then I think we 
have Dr. Katz from UMD Cybersecurity Center. Thank you all very 
much.
    Why don't we start with you, Mr. Mahon, with CenturyLink. 
But, Dan, did you want to say anything particularly about your 
witness?
    Senator Coats. Well, you talked about his credentials. 
Scott is just someone that comes from the private sector, but 
clearly part of the private sector that deals with critical 
infrastructure. We have these coops all over the United States, 
as you know. I'm sure you have many in Louisiana. We talk about 
Duke Energy and we talk about AEP and so forth and so on, but 
in reaching out to particularly smaller town America and rural 
America, these coops are absolutely essential, and they're very 
much part of the grid.
    So we need to not only be thinking of the big guys, but 
also the little guys. That applies on the retail side and the 
commercial side also. We read about Neiman Marcus and Target 
and so forth. There are thousands, of not hundreds of 
thousands, of smaller businesses out there that are providing 
very necessary services and they are also vulnerable to these 
kind of intrusions.
    So I want to make sure that we cover the whole gamut and 
not just focus on the people at the top.
    Senator Landrieu. Thank you so much.
    We'll start with CenturyLink.
STATEMENT OF R. DAVID MAHON, VICE PRESIDENT AND CHIEF 
            SECURITY OFFICER, CENTURYLINK
    Mr. Mahon. Thank you, Chairman Landrieu, Ranking Member 
Coats----
    Senator Landrieu. You have to lean into the microphone and 
push it right close to you. There you go.
    Mr. Mahon. Chairman Landrieu, Ranking Member Coats, and 
Senator Cochran, thank you for this opportunity to testify 
before you today.
    My way of background, CenturyLink has grown through 
acquisition and innovation over the course of their history and 
today is a commercial entity with $18.3 billion in revenue, 13 
million customers, 47,000 employees. We are a tier one backbone 
provider and we have 55 data centers around the world.
    It's within this context that I would like to speak to you 
about cybersecurity risks, and I would like to talk to you in 
three specific areas. First is the adversary; second, DHS 
programs that have been successful; and third, developing the 
next generation workforce.
    If I can leave you with one thing today, what I would like 
to tell you is: Do not think about cybersecurity risks within 
the context of malware, viruses, or other tactics. What I would 
ask you to think about is the adversary, the people behind the 
computers that are breaching our networks and stealing our 
data.
    The CenturyLink security team divides these groups into 
five very specific areas: nation-state-sponsored; criminal 
enterprises; hactivists; terrorists and sabotage; as well as 
the insider threat. It's important to understand this within 
the context of their objectives and their tactics. Each can 
vary very differently.
    For example, a criminal enterprise that is interested in 
stealing credit cards will attack point of sale systems with a 
particular type of malware. That is quite different to 
defending against a nation-state that is interested in stealing 
intellectual property, maybe about a smartphone operating 
system.
    The reason that this is important is we at CenturyLink are 
tasked with protecting our network, our data, and our customers 
from all of these adversaries, and each one is very different 
and we require very specific information to develop our 
protections and countermeasures. What has happened is the 
context in which we conduct our risk assessments allows us to 
access open source information to better inform our risk 
assessments, to help us deploy our capital as we expand and 
protect our network. But our risk assessments are only as good 
as the information that is available to us.
    The Federal Government is in possession of very sensitive 
and frequently classified information that could be very 
helpful to us in our risk assessments as we defend against 
these bad actors. Two of the programs that at the Department of 
Homeland Security I feel have become very successful are the 
Enhanced Cybersecurity Services (ECS) program and the Einstein 
3A (E3A) program. In each of these programs DHS came together 
with corporate America and resolved the traditional hurdles 
that one encounters, whether they be legal, technical, 
operational, and most importantly, cultural.
    It became very difficult in the early days of developing 
information-sharing programs to acquire information from the 
Federal Government because of the context or the fear that they 
had that corporate America would not be able to protect 
classified information. On the corporate side, there's always 
the concern that if we discuss our vulnerabilities with the 
Federal Government there would be some type of regulatory 
response to our answers.
    Therefore, I believe the value of ECS and E3A has been to 
bring together the private industry and the Department of 
Homeland Security and the representative agencies within the 
Department of Homeland Security to effectively begin to combat 
cyber crime. I do believe it has to go much further. There is 
additional information that the Federal Government frequently 
has around the strategy of these organizations, these nation-
states, and even independent actors, that would be very helpful 
to know if we are going to better protect our networks, our 
data, and our customers.
    Regarding the next generation cyber workforce 
professionals, I believe it is very important to encourage the 
Department of Homeland Security to begin with the K-12 
educational programs that you may have heard about throughout 
the country in various capacities. But specifically the STEM 
programs and other technical programs that first generate the 
interest is what we need. I think CenturyLink, Louisiana Tech, 
and the Cyber Innovation Center in Bossier City have become an 
example of what we can do to better protect the corporate 
infrastructures as well as the Government infrastructures.
    I thank you for your determination to lead DHS in its 
mission and we look forward to supporting you. Thank you.
    [The statement follows:]
                  Prepared Statement of R. David Mahon
    Chairwoman Landrieu, Ranking Member Coats and members of the 
committee, thank you for the opportunity to testify today on an issue 
that is of critical importance to national security, the U.S. economy 
and homeland security. CenturyLink appreciates the leadership role the 
Department of Homeland Security plays in facilitating the cybersecurity 
of the nation's critical infrastructure, with the oversight and 
guidance of this Committee. In today's testimony, I would like to cover 
three key areas where the fiscal year 2015 budget offers worthwhile 
opportunities to strengthen the nation's cyber defenses:
      --Further improving the quality of public-private information 
sharing related to cybersecurity;
      --Leveraging classified cyber threat information to protect 
critical infrastructure and the networks of Federal, State and local 
governments through the Einstein 3 Accelerated and Enhanced 
Cybersecurity Service programs; and
      --Investing in our cybersecurity workforce.
    CenturyLink was founded nearly 85 years ago as a small rural 
telephone company with just 75 paid subscribers and a manual switch in 
the front parlor of the Williams family home in Oak Ridge, Louisiana. 
Our recent and rapid evolution through acquisition and innovation to 
become an $18.3 billion communications, data and cloud company with 
47,000 employees, 13 million customers, a Tier 1 Internet backbone, and 
55 data centers around the world makes us a prime example of how 
technology and communications infrastructure are driving our economy.
    Effective cybersecurity is now central to everything we do, not 
only as a provider, but also as a customer of others. That includes our 
residential and enterprise broadband service, the secure communications 
services we provide to the Department of Defense, U.S. embassies and 
Federal Communications Commission, our cloud computing platforms, and 
the managed security services we provide to critical infrastructure 
owners.
    As the company has grown, we've benefited from excellent State and 
local support, enabling us to cultivate talent in northern Louisiana 
and the many local markets we serve in almost every State. This 
includes developing partnerships with the University of Louisiana--
Monroe (ULM), Louisiana Tech University, the Cyber Innovation Center in 
Bossier City and other institutions. In fact, we are nearing completion 
of a 250,000-square-foot Technology Center of Excellence on our Monroe 
headquarters campus that will house an additional 800 innovation 
professionals devoted to network monitoring, research and development, 
as well as IT and engineering support to our international service 
footprint.
    In addition to our company-specific cybersecurity and risk 
management programs, CenturyLink has had a productive experience 
participating in the public-private partnerships established to share 
information and work collaboratively on industry-wide security 
challenges. Our executives serve on the President's National Security 
Telecommunications Advisory Committee (NSTAC), the Communications 
Sector Coordinating Council (CSCC), the Communications Information 
Sharing and Analysis Center (ISAC), and the FCC's Communications 
Security, Reliability and Interoperability Council (CSRIC), among 
others. Through these efforts, we supported DHS in the creation of the 
National Cybersecurity and Communications Integration Center (NCCIC) 
and CenturyLink maintains a permanent presence on the NCCIC floor.
    We support the voluntary, industry-led approach to protecting the 
security of critical infrastructure networks operated by the private 
sector, and appreciate the work the National Institute of Standards and 
Technology (NIST) has undertaken to create the Cybersecurity Framework, 
as well as DHS's Critical Infrastructure Cyber Community (C\3\) 
Voluntary Program to educate stakeholders and promote the framework's 
use. CenturyLink has found the Framework useful in affirming many of 
the practices that we and other larger carriers already had in place. 
We are also using the Framework as a tool to help our enterprise 
clients assess their own threat level and implement risk-based 
cybersecurity protections.
            the cybersecurity threat and information sharing
    If I could leave the Committee with one thought about cybersecurity 
risks, it is this: Don't limit your thinking to only addressing the 
issues of malware, viruses, denial of service attacks, social 
engineering, botnets or any of the other tactics used. Instead, think 
of cybersecurity in terms of the adversaries--the people on the other 
side of the computer, wherever they may be, who conceive and execute 
the breaches.
    Especially where critical infrastructure is concerned, our 
adversaries are constantly studying their targets, probing networks, 
paying attention to the defenses we put up, and searching for the 
weakest link in the chain--even tracking Federal efforts to promote 
security. Whether it's hacking the Web site of a technical conference 
so targeted employees will download malware when they register, or 
using the compromised systems of an HVAC contractor as an attack 
vector, they are adaptable. This makes the threat more formidable, but 
also offers a clue about how to build our cyber defenses.
    As a general matter, CenturyLink's security team divides cyber 
threats into several key groups, each with varying levels of 
sophistication:
      --Nation-State-Sponsored.--Which are often the most 
sophisticated, and generally motivated by economic and political 
espionage. Combating government-sponsored adversaries requires an 
advanced information security program. These data breaches can go 
completely undetected by the victim organization.
      --Criminal Activity, Including Organized Crime.--These attacks 
have a wide range of sophistication, and are generally focused on 
capturing information that can be monetized.
      --Terrorism and Sabotage.--These are most concerned with doing 
damage, including physical damage, to the target entities.
      --Hacktivism.--Generally less sophisticated, these groups will 
use ``soft targets'' with less sophisticated information security 
practices to garner publicity and make their political points.
      --Insider Threats.--These can be the toughest to guard against 
because they are ``inside the perimeter'' of the target itself.
    Adversaries tend to cluster around an industry sector, based on the 
goals they want to achieve. For example, a criminal cartel that wants 
to exploit consumer credit card information will, perhaps, stand up a 
network of infected computers and launch a particular type of attack on 
point-of-sale systems across numerous retailers, using similar malware, 
attack vectors and tactics for covering their tracks. But a nation-
state that wants to exfiltrate confidential technical specs about a 
smartphone operating system will use a completely different strategy. 
Especially for the more sophisticated adversaries, the best long-run 
defense is to build closely coordinated defensive alliances around the 
targeted industries and our partners in government, and to study our 
adversaries as closely as they study us.
    To draw an analogy, the cat-and-mouse nature of cybersecurity 
resembles offensive and defensive schemes in the National Football 
League. Every season, coaches devise new ``attacks'' to move the ball 
down the field, whether it's the old ``west coast offense'' or last 
year's ``read option.'' If they're successful, defenses that rely on 
the comfort of understanding past, predictable plays won't be prepared 
to stop them, at least for a while. But the minute a new offensive 
scheme succeeds, every defensive coordinator in the league starts 
working on countermeasures to shut it down. And while the short-term 
countermeasure might be a zone blitz or a few tough hits on the 
quarterback, the long-term solution has everything to do with 
continually studying the game tapes and evolving the defense.
    In the world of cybersecurity, we don't have the luxury of watching 
the ``game'' every Sunday, but the never-ending need to study the 
opposition and update defenses is the same. For DHS and the nation's 
critical infrastructure providers, this means continuously refining the 
information sharing relationships to get actionable, tailored 
information to the targeted sectors in as close to real time as 
possible. This will ultimately lead to automating the information 
sharing mechanisms that will allow a targeted entity to use the cyber 
threat information to defend itself without compromising the sources 
and methods of the information provider. This is as much a cultural 
challenge as it is a technical one, because the information at issue is 
so sensitive and the teams are not accustomed to sharing their 
proverbial playbooks.
    In our experience, the DHS leaders are fully aware of the challenge 
and committed to strengthening the partnerships, but doing so is often 
an iterative, painstaking process that involves continuously building 
trust, sophistication and technological capabilities, and we appreciate 
the Committee's continued support for that mission. In the words of 
Bear Bryant, ``defense wins championships.''
 enhanced cybersecurity services (ecs) and einstein 3 accelerated (e3a)
    One of the most critical roles the Department of Homeland Security 
can play is to leverage the classified cyber threat indicators the 
Federal Government gathers through law enforcement, intelligence 
collection and other Government-specific functions to protect private 
sector critical infrastructure and government networks. This is no 
small task because the cyber indicators themselves must be protected 
from our adversaries in an end-to-end secure environment and put to use 
in the field without compromising the sources and methods that yielded 
them in the first pace. To do this, DHS has developed two programs:
      --Enhanced Cybersecurity Services (ECS) for private sector 
critical infrastructure providers as well as State and local 
governments, and
      --Einstein 3 Accelerated (E3A) for Federal civilian networks.
    With both programs, Internet service providers like CenturyLink, 
under the direction of DHS personnel, administer intrusion prevention 
and threat-based protections on traffic entering and leaving the 
networks of participating organizations. Participation is voluntary, 
and non-Federal participants in ECS must first be validated by DHS, but 
those who do participate receive an elevated level of protection from 
the most sophisticated cyber intruders.
    CenturyLink has worked extensively with the Federal Government to 
develop these programs, and provide important protections against the 
most advanced threats while educating the Government on practical 
aspects of providing such services to private industry. Expanding the 
scale and automating the information gleaned within ``circles of 
trust'' is the next critical step in providing effective and time 
critical cybersecurity protections to Government and critical 
infrastructure providers.
    State and local governments administer many functions that are 
important to public safety and the protection of critical 
infrastructure, however, they continue to lag in funding mechanisms. 
DHS has taken the lead to fill this gap temporarily in their support 
for MS-ISAC services, but additional funding for additional services 
such as ECS would help State governments avoid becoming the ``weak 
link'' with their Federal partners.
                 developing the cybersecurity workforce
    CenturyLink appreciates the Department of Homeland Security's 
leadership on developing the nation's cybersecurity workforce, 
including its support for teacher training and university research and 
curriculum development in Louisiana. Especially in the last year, 
CenturyLink has focused on developing and attracting a broad range of 
innovation professionals, including engineers, senior IT personnel, 
product managers, researchers and others to help staff our Technology 
Center of Excellence, which will open early next year.
    Our headquarters are located along the I-20 Corridor that spans 
northern Louisiana and is home to a number of innovation hubs, 
including the National Center for Academic in Information Assurance 
Education at Louisiana Tech University, the Cyber Information 
Technology program at Bossier Parish Community College, and the Cyber 
Innovation Center, a research park and nonprofit organization devoted 
to building the knowledge-based workforce in the region. Computer 
Sciences Corporation recently announced plans to bring 800 new jobs to 
the Cyber Innovation Center, and we are hopeful that as businesses step 
up investment in the region, we can work together to cultivate a world 
class cyber workforce. We would encourage this Committee and DHS to 
place a renewed emphasis on workforce development in the cyber arena by 
addressing the potential shortage of qualified and skilled employees 
that will be needed.
    We also support the National Integrated Cyber Education Research 
Center (NICERC) at the Cyber Innovation Center, which focuses on 
curriculum design, professional development, and collaboration in K-12 
and college education. NICERC has organized programs to give teachers 
the training and tools to prepare students for a career in 
cybersecurity, including problem-solving, critical thinking and 
communication skills. Of special note, NICERC is the lead technical 
institution for DHS's Cybersecurity Education and Training Assistance 
Program (CETAP)--so the teacher-focused cybersecurity education model 
first developed and implemented by NICERC in Louisiana can benefit 
school districts across the nation.
                               conclusion
    While the challenge of building a cyber workforce and protecting 
the nation's critical infrastructure from growing threats is a daunting 
and multifaceted one, we are encouraged by the commitment of the White 
House, DHS and this Committee to bring the right resources to bear. We 
appreciate the determination and attention that Chairwoman Landrieu and 
the committee members have brought to the issue and look forward to 
working with you and the authorizing committees as you support and 
guide DHS in its mission.

    Senator Landrieu. Thank you very much.
    Let's go to you now, Dr. Katz, from the University of 
Maryland, that's played quite a leadership role in all of this.
STATEMENT OF DR. JONATHAN KATZ, PH.D., DIRECTOR, 
            MARYLAND CYBERSECURITY CENTER, UNIVERSITY 
            OF MARYLAND
    Dr. Katz. Chairman Landrieu, Ranking Member Coats, Senator 
Cochran: I'm going to talk about workforce development and 
specifically efforts under way within the University System of 
Maryland. Developing an adequately prepared cybersecurity 
workforce is a daunting challenge. Put simply, demand is far 
outstripping supply. Actually, a great statistic came up 
earlier with mention of the need to educate 200,000 cyber 
professionals each year.
    Now, a critical question is what is meant by cybersecurity 
education. From my point of view and broadly speaking, there 
are really two aspects to be considered here. The first is a 
general cybersecurity education, not just for computer and 
technical students, but for everyone. The same way people come 
in and take English comp or introductory math courses, college 
students need to be exposed to the basics of cybersecurity and 
good cyber hygiene.
    Second, of course, is to grow a dedicated cybersecurity 
workforce, professionals that have deep technical knowledge, as 
well as those with the technical knowledge in core computer 
science and electrical engineering skills, but also with 
expertise in the, quote unquote, ``softer'' areas like 
economics, policy, and psychology.
    I think it's important to keep this in mind when we're 
talking about numbers of cybersecurity professionals needed, to 
keep clear that not every cyber professional is going to be the 
same and not everyone is going to need the exact same 
background in cybersecurity courses.
    Now, the University System of Maryland (USM) has a number 
of programs in place to augment the existing pipeline of future 
cybersecurity professionals. University of Maryland 
institutions are playing their part by not only training 
dedicated cybersecurity professionals, but also educating the 
general public on good cybersecurity practices and policies. 
I'll just mention a few key ways in which USM institutions are 
helping to combat the shortage in our Nation's cybersecurity 
workforce. I'll only be able to touch on a few here.
    USM institutions awarded approximately 4,400 cybersecurity-
related degrees in the 2012-2013 academic year. Four USM 
institutions are NSA and DHS centers of academic excellence in 
information assurance education. UMD College Park, with support 
from Northrop Grumman, launched the Advanced Cybersecurity 
Experience for Students, or ACES, in 2013. This is the Nation's 
first undergraduate honors program in cybersecurity and really 
I think serves as a paragon of the way undergraduate 
cybersecurity education should be done.
    University of Maryland Baltimore County, the Center for 
Cybersecurity Training, offers numerous courses for skill 
enhancement and certification opportunities for active 
professionals. And the University of Maryland College Park is 
going to be offering a series of online courses on 
cybersecurity beginning in the fall, again as a way to reach 
out to the broader public.
    In addition to these educational offerings, USM 
institutions also perform outreach to the wider public to spark 
interest in the field and to try to grow a pipeline of future 
cybersecurity professionals. Some examples here include 
cybersecurity camps for middle school girls and high school 
students, as well as summer camps for high school STEM 
teachers, held as part of the DHS-funded cybersecurity 
education and training assistance program.
    Our educational opportunities cannot be created or refined 
in isolation. USM has numerous cybersecurity programs that are 
developed with input from industry and Government sources. 
Sharing information about current workforce knowledge gaps and 
how best to address them is one of the many ways that USM 
institutions benefit from our interactions with private 
industry and the Federal Government.
    However, as educators we not only train students in the 
problems of today, but must also ensure that they can master 
key fundamentals that will provide the foundation for 
understanding and remediating the cybersecurity threats of 
tomorrow.
    Federal and private support to continue to grow the future 
cybersecurity workforce is essential to closing the demand gap 
for those professionals. Continued or perhaps expanded 
investment from Federal agencies like the Department of 
Homeland Security, the National Science Foundation, and the 
National Security Agency, for example, is critical to 
sustaining the progress that we've already been making.
    Thank you for the opportunity to appear before the 
subcommittee and I look forward to answering your questions.
    [The statement follows:]
                Prepared Statement of Dr. Jonathan Katz
    Chairman Landrieu, Ranking Member Coats: Thank you for the 
invitation, and the opportunity to speak to the subcommittee. It is an 
honor to be here.
    As the committee has previously noted, we are continually faced 
with numerous cybersecurity threats. These threats are not static--in 
fact, the sophistication of attacks cybersecurity seems to change on a 
daily basis. New vulnerabilities are uncovered, different attack 
vectors are employed to exploit a system or a program, and patches for 
critical operating systems are deployed on a near-constant basis. As 
director of the Maryland Cybersecurity Center (MC2), I am extremely 
familiar with the rapidity with which cybersecurity threats continue to 
evolve, and the challenges that these threats present to the Federal 
Government, the private sector, and our Nation's academic institutions.
    Developing an adequately prepared cybersecurity workforce is a 
daunting challenge. Put simply, demand for talented cybersecurity 
professionals is far outpacing the supply. A 2013 (ISC)\2\ Global 
Information Security Workforce Study claims that 56 percent of 
companies nationwide report a workforce shortage. Maryland alone had 
more than 18,000 vacancies for cybersecurity jobs, according to a 
recent Abell Foundation report. And Federal agencies are having 
difficulty filling cybersecurity roles as well, something highlighted 
in 2008 and 2010 by the CSIS Commission on Cybersecurity for the 44th 
Presidency.
    The University System of Maryland (USM), which includes 12 
campuses, has a number of programs in place to augment the existing 
pipeline of future cybersecurity professionals. Maryland institutions 
are playing their part by not only training dedicated cybersecurity 
professionals, but also educating the general public on good 
cybersecurity practices and policies.
    Below are some key ways in which USM institutions are helping to 
combat the shortage in our Nation's cybersecurity workforce:
      --USM institutions offer a broad range of degrees in 
cybersecurity-related fields, and approximately 4,400 cybersecurity-
related degrees (BS, MS, and PhD combined) were awarded in the 2012-
2013 academic year.
      --Four USM institutions (UMD, UMUC, UMBC, and Bowie State) are 
NSA and DHS Centers of Academic Excellence in Information Assurance 
Education.
      --UMD College Park, with support from Northrop Grumman, launched 
the Advanced Cybersecurity Experience for Students (ACES) in 2013. This 
is the Nation's first undergraduate honors program in cybersecurity.
      --UMBC's Center for Cybersecurity Training offers numerous 
courses for skill enhancement and certification opportunities.
      --Multiple USM campuses offer MS programs in cybersecurity, cyber 
policy, and/or digital forensics.
    In addition to our current educational offerings, USM institutions 
also perform outreach to the general public to spark interest in the 
field and communicate cybersecurity best practices. Examples include:
      --Cybersecurity camps for middle-school girls and high-school 
students at UMCP.
      --Summer camps for high-school STEM teachers held at UB as part 
of the DHS-funded Cybersecurity Education and Training Program.
      --``Tech talks'' given by undergraduate cybersecurity-club 
members to the broader undergraduate student body.
    Educational opportunities cannot be created or refined in 
isolation. USM has numerous cybersecurity programs that are developed 
with input from industry and government sources. Sharing information 
about current workforce knowledge gaps, and how to best address them, 
is one of the many ways that USM institutions benefit from our 
sustained and regular interactions with private industry and the 
Federal Government. However, as educators, we must not only train 
students in the problems of today, but must also ensure that they 
master key fundamentals that will provide the foundation for 
understanding and remediating cybersecurity threats of tomorrow.
    Federal and private support to continue to grow the future 
cybersecurity workforce is essential to closing the ``demand gap'' for 
those professionals. Continued--and perhaps expanded--investment from 
Federal agencies, like the Department of Homeland Security, the 
National Science Foundation, and the National Security Agency, for 
example, is critical to sustaining the progress that has already been 
made.
    Again, thank you for the opportunity to appear before the 
subcommittee. I look forward to answering your questions.
    Senator Landrieu. Thank you very much.
    Mr. Bowers.
STATEMENT OF SCOTT R. BOWERS, VICE PRESIDENT OF 
            GOVERNMENT RELATIONS, INDIANA STATEWIDE 
            ASSOCIATION OF RURAL

                         ELECTRIC COOPERATIVES

    Mr. Bowers. Madam Chair, Senator Coats: Thank you for the 
opportunity to address you regarding cybersecurity. I'm here on 
behalf of Indiana Electric Cooperatives (IEC). Currently, IEC 
represents 39 electric distribution cooperatives that serve 
over 1.3 million Hoosiers in 89 of the State's 92 counties. 
Collectively, our member cooperatives employ more than 1,500 
individuals and represent the second largest electric provider 
in Indiana.
    Indiana's electric cooperatives recognize your concerns 
related to cybersecurity. We have taken steps, often 
independent of Government regulation, to provide the security 
and reliability required for our consumers. Due to our 
construct and the areas we serve, most people do not recognize 
the leadership role electric cooperative assumed, specifically 
in the areas of renewable energy sources, energy efficiency, 
and cybersecurity.
    Our 39 distribution cooperatives generally do not own bulk 
electric system assets. Therefore they focus largely on the 
reliability and security of their distribution systems, 
protecting member data, and their data business systems where 
data is processed and stored.
    IEC also represents two generation and transmission 
cooperatives, or G&Ts, Hoover Energy Rural Electric Cooperative 
and Wabash Valley Power Association. Both are fully integrated 
on the NERC compliance registry by applicable function. As 
such, each G&T is required to comply with approved reliability 
standards related to cybersecurity, operations, and system 
reliability.
    Today I'd like to specifically recognize the cybersecurity 
efforts of our two G&Ts. Hoosier Energy maintains a thorough 
cybersecurity program that protects facilities critical to the 
reliability of the bulk electric system against a myriad of 
vulnerabilities. Most notably, Hoosier Energy developed an in-
house scanning utility called the Windows Configuration 
Management Utility (WinCMU) that gives Hoosier Energy complete 
visibility into its systems and reports any unexpected changes 
to its security team.
    Knowing what is on a system is the most important step in 
maintaining a secure environment. During a recent audit by 
NERC, auditors acknowledge this and praised WinCMU and Hoosier 
Energy for going above and beyond the requirements in NERC's 
cybersecurity standards. Compliance with these standards is 
enforced by NERC and the Federal Energy Regulatory Commission 
(FERC).
    In addition to complying with such standards, Hoosier 
Energy's cybersecurity program mitigates and protects against a 
wide range of vulnerabilities, including: one, ignorance, 
indifference, and lack of knowledge of cyber threat protection; 
two, information exfiltration; three, network-based cyber 
attacks; four, unmanaged changes to cyber assets and protective 
systems; and five, direct attacks on cyber assets.
    Wabash Valley, IEC's second G&T, has a strong cybersecurity 
program in place as well. Wabash Valley firmly believes it 
takes every employee being vigilant to ensure the safety of 
their people and their assets. Relative to cybersecurity 
standards, Wabash Valley awaits the implementation of NERC's 
updated Critical Infrastructure Protection (CIP) Standards 
Version 5. Wabash Valley worked proactively to develop its 
cybersecurity plan although it was not required by previous 
versions of the standards.
    Additionally, Wabash Valley engaged an external consultant 
to assess its CIP program and systems. The consultant 
determined Wabash Valley's CIP program was thorough and 
indicated that no changes to its systems were required.
    Under previous NERC reporting standards, Wabash Valley 
established reporting relationships with FBI offices in the 
four States where it has member cooperatives or facilities. 
Although no longer required, Wabash Valley continues to keep 
the FBI or the Joint Terrorism Task Force in the reporting 
chain for cybersecurity events.
    Last, Wabash Valley has established procedures in place for 
NERC alert system and energy sector ISAC-provided 
communications and alerts. These communications are reviewed by 
compliance and technical service personnel to assess a 
potential threat to the G&T. If applicable, systems are 
reviewed and, as appropriate, preventive actions implemented.
    Moving forward, IEC sees several actions and opportunities 
where additional focus and improvement benefit access to power. 
Those include: continued improvement in information-sharing to 
ensure timeliness and actionability to cyber threats; expanding 
the number of clearances permitted for cooperative staff and 
allowing for top secret clearance for select senior-level 
executive staff; avoiding one size fits all solutions, while 
also encouraging flexibility; encouraging the continuation and 
creation of additional partnership opportunities; and improving 
consistency with the Federal standards application and 
compliance process.
    In closing, IEC believe we are on a good path, but 
opportunities to improve still exist. Each of us, not just the 
respective Federal agencies, must assume our individual 
responsibilities to work constructively, effectively, and, most 
importantly, in partnership to address both current and future 
cyber-related threats to the reliability and security of our 
Nation's electric grid.
    Thank you.
    [The statement follows:]
                 Prepared Statement of Scott R. Bowers
    Indiana Electric Cooperatives (IEC), the Nation's first electric 
cooperative service organization, represents 39 electric distribution 
cooperatives that serve over 1.3 million Hoosiers in 89 of the State's 
92 counties. Collectively, our members employ more than 1,500 
individuals and represent the second-largest electric power provider in 
Indiana. We serve a diverse expanse of Indiana communities, from rural 
and farming areas, industrial parks and employment zones to burgeoning 
suburbs. IEC appreciates the opportunity to provide the following 
testimony before the Senate Appropriations Homeland Security 
Subcommittee regarding ``Investing in Cybersecurity: Understanding 
Risks and Building Capabilities for the Future.''
    Indiana's electric cooperatives played a foundational role in 
delivering electricity to communities across Indiana 80 years ago. 
Today, we fuel progress by delivering more than electricity to the 
communities we serve. We contribute to economic development, community 
development and youth and education programs across Indiana. We 
continue to deliver safe, secure, reliable and affordable electric 
power across the State, including hard-to-reach rural areas. These same 
electric cooperatives are at the forefront in the promotion of 
renewable energy sources, energy efficiency programs and technology, 
ensuring electric power sources for future generations.
                              introduction
    IEC recognizes your concerns related to the issue of cybersecurity. 
We have taken steps, sometimes independent of government regulation, to 
provide the security and reliability required and necessary for our 
consumers. Due to our construct and the areas we generally serve, most 
people do not recognize the leadership role electric cooperatives have 
assumed--specifically in the areas of renewable energy sources, energy 
efficiency and cybersecurity.
    IEC has two generation and transmission cooperative (G&Ts) members, 
Hoosier Energy Rural Electric Cooperative (Hoosier Energy) and Wabash 
Valley Power Association (Wabash Valley), who provide Indiana 
distribution cooperatives with wholesale electric power from coal, 
natural gas and renewable energy sources. Both G&Ts are fully 
integrated and registered on the North American Electric Reliability 
Corporation (NERC) Compliance Registry by applicable function. As such, 
each of Indiana's G&T cooperatives are required to comply with approved 
Reliability Standards related to cybersecurity, operations and system 
reliability.
    Our 39 distribution cooperatives generally do not own Bulk Electric 
System (BES) assets. Therefore, they focus largely on the reliability 
and security of their distribution systems, which brings electricity to 
homes and businesses, protecting member data and their business systems 
where the data is processed and stored.
    This afternoon, I would like to specifically recognize the 
cybersecurity efforts of our two G&Ts. I will start by discussing 
Hoosier Energy's efforts to address the cybersecurity threat.
                             hoosier energy
    Hoosier Energy maintains a thorough cybersecurity program that 
protects facilities that are critical to the reliability of the BES 
against a myriad of cyber vulnerabilities. Most notably, Hoosier Energy 
developed an in-house scanning utility called the Windows Configuration 
Management Utility (WinCMU) which gives Hoosier Energy complete 
visibility into its systems and reports any unexpected changes to its 
security team. Knowing what is on a system is the most important step 
in maintaining a secure environment. During a recent audit by NERC, 
auditors acknowledged this and praised WinCMU and Hoosier Energy for 
going above and beyond the requirements in NERC's cybersecurity 
standards. Compliance with these standards is enforced by NERC and the 
Federal Energy Regulatory Commission (FERC).
    In addition to complying with such standards, Hoosier Energy's 
cybersecurity program mitigates and protects against a wide range of 
vulnerabilities including:
      --Ignorance, Indifference and Lack of Knowledge of Cyber Threat 
Protection;
      --Information Exfiltration;
      --Network Based Cyber Attacks;
      --Unmanaged Changes to Cyber Assets and Protective Systems;
      --Direct Attack on Cyber Assets; and
      --Physical Attack on Cyber Assets.
    (See Appendix A for description of these vulnerabilities.)
    IEC's other G&T, Wabash Valley, also has a cybersecurity program 
which includes some similar elements to Hoosier Energy's program. Next, 
I would like to highlight Wabash Valley's efforts to address the issue 
of cybersecurity.
                             wabash valley
    The protection of people and assets are top priorities for Wabash 
Valley. As technology continues to evolve, cybersecurity threats become 
more advanced and increasingly difficult to detect and prevent. Wabash 
Valley firmly believes it takes every employee being vigilant to ensure 
their personal safety and the safety of Wabash Valley's assets (both 
physical safety and cybersecurity).
    Relative to cybersecurity standards, Wabash Valley, along with 
other small entities, awaits the implementation of NERC's Critical 
Infrastructure Protection (CIP) standards, Version 5 (cybersecurity 
standards). Although not required by previous versions of the CIP 
standards, Wabash Valley has already developed a cybersecurity plan. In 
addition, an external consultant was hired by Wabash Valley to perform 
an assessment on its CIP program and systems. The consultant determined 
its CIP program was thorough for a small entity and that no changes to 
systems were required at that point in time.
    Under NERC's event reporting standards, applicable entities were 
required to establish a reporting relationship with the Federal Bureau 
of Investigation (FBI). Wabash Valley established reporting 
relationships with FBI offices in all States and cities where it has 
member cooperatives or plant facilities (Indiana, Ohio, Illinois and 
Missouri). Although direct reporting of events to the FBI is no longer 
required by the NERC standard, Wabash Valley feels it is important to 
continue to keep the FBI or the Joint Terrorism Task Force (JTTF) in 
the reporting chain for cybersecurity (and other) events. Wabash Valley 
is part of the FBI's Strategic Partnership with businesses. As such, 
Wabash Valley receives regular bulletins and communications from the 
FBI to keep them informed about various situations/threats that could 
affect the safety and security of company assets and/or personnel.
    Through the NERC Alert System and the Electric Sector Information 
Sharing and Analysis Center (ES-ISAC) housed within NERC, 
communications and alerts related to various potential threats are 
provided to our industry. It is part of Wabash Valley's established 
procedures for these communications to be reviewed by compliance and 
technical services personnel to assess a potential threat to the G&T. 
If the threat has potential applicability to Wabash Valley, then 
systems are reviewed and, as appropriate, preventive actions 
implemented. If the threat, such as HEARTBLEED, has potential impact 
for company employees on their computer systems at home, information is 
communicated to Wabash Valley employees. On a regular basis, the Wabash 
Valley security officer emails pertinent security topics to staff.
    Wabash Valley welcomes the finalization of the cyber and physical 
security standards in the near future. In the meantime, they will 
continue to seek proactive measures to ensure the security of all G&T 
personnel and assets.
    So where do we go from here? Beyond just the updating of the CIP 
standards, there are other actions that can assist us, the owners and 
operators, in assuring access to power. In talking with both our G&Ts, 
they shared concerns regarding some areas where they see opportunity 
for improvement.
                          information sharing
    While we recognize and appreciate that improvement has been made by 
the Federal Government in the flow and sharing of cyber and physical 
security related information over time, the need for continued 
improvement still exists. Our ability to receive timely and actionable 
information remains a work in progress. The media remains our primary 
source of threat-related information. By the time information is shared 
with us from the Federal agencies, it can be too late for us to address 
the threat. Under our current situation, the damage is already done and 
we have moved into mitigation mode if we were impacted by the threat. 
Improving the timeliness of the threat communication would also better 
position us to take preventive actions on the front end in hopes to 
fend off or, if penetrated, minimize the impact to our system.
    Additionally, expanding the number of ``secret'' clearances 
permitted for cooperative staff and allowing for ``top secret'' 
clearance for select senior-level executive staff would also be 
beneficial. This adjustment in security clearance procedures, along 
with liability protections for information sharing with the Government, 
would allow for more real-time and actionable information to be shared.
                              flexibility
    IEC would strongly encourage Congress and the Federal agencies to 
avoid enacting ``one-size-fits-all'' solutions for cyber and physical 
security. Our member cooperatives share a common mission, core 
principles and similarities in structure, but they are each independent 
and unique in the tactics, processes and protocols they utilize to 
serve their members. By affording Indiana's electric cooperatives that 
flexibility, each of our member cooperatives would be positioned to 
deploy the measures, technologies and systems that best fit their 
operations, assets and efforts to combat cyber and physical threats. In 
addition, each cooperative would be able to account for implementation 
costs, which helps maintain affordability, without compromising the 
security measures.
                              partnerships
    Partnerships have been one of the most beneficial and productive 
tools used by Indiana's electric cooperatives in addressing the 
cybersecurity issue. The partnerships that have been most successful 
for us have generally been cooperative to cooperative based. Indiana's 
electric cooperatives have also benefited from their relationships with 
other private organizations, i.e. ACES, through their interactions with 
their Regional Transmission Organizations (RTO) as well as our national 
association, the National Rural Electric Cooperative Association 
(NRECA). While electric cooperatives were born with the assistance of 
the Federal Government in the 1930s, our approach has generally been to 
work within the cooperative community or the private sector to find 
cost effective solutions to the issues facing our industry. These types 
of partnerships, along with finding additional opportunities to enhance 
the working relationship between the responsible Federal agencies and 
our member cooperatives through our members and through the NRECA, 
should be encouraged as well. The Electricity Sector Coordinating 
Council (ESCC) is a great example of one of these partnerships. With 
the ESCC you see individual cooperative G&Ts, as well as participants 
from the Investor Owned Utilities and Municipal Electric Utilities, and 
the associated trade associations at a table with the Department of 
Energy (DOE), FERC, NERC and the Department of Homeland Security (DHS) 
working together to identify and find solutions.
                              consistency
    Due to the multiple levels of government oversight concerning 
cybersecurity (e.g. FERC, NERC and NERC's regional entities), finding 
consistency in the compliance process has had its challenges. The vague 
nature of some of the cybersecurity standards coupled with 
inconsistencies in the interpretation and auditing of those standards 
have created challenges with cybersecurity compliance for our member 
cooperatives. Refining this process to increase consistency and by 
providing more clarity with the respective standards would help 
streamline the process, enhance our effectiveness and provide greater 
certainty to our cybersecurity initiatives.
                           physical security
    While the focus of this hearing was specific to the issue of 
cybersecurity, IEC would like to briefly address the issue of physical 
security. There has been increased discussion surrounding this issue 
due to recent events and IEC acknowledges the importance of protecting 
our physical assets as well. The current initiative by FERC and NERC to 
develop physical security standards for critical assets is viewed as a 
positive step by Indiana's electric cooperatives. There is more to be 
accomplished with this effort and we welcome the opportunity to engage 
and provide our perspective throughout the process.
                               conclusion
    My comments today outlining areas of opportunity should not be 
viewed negatively on the interactions Indiana's electric cooperatives 
have had to date with the Federal agencies engaged in the cybersecurity 
arena. Our member cooperatives who work most closely with FERC, NERC, 
DHS and DOE, to name a few, would agree significant improvements and 
advancements have been made in all of these areas since the effort 
began. Our primary message for you today is that we are on a good path, 
but opportunities to improve still exist. Each of us, not just the 
respective Federal agencies, must assume our individual responsibility 
to work constructively, effectively and, most importantly, in 
partnership to address both current and future cyber-related threats to 
the reliability and security of our Nation's electric grid.
    appendix a: descriptions of referenced cyber security mitigated 
                            vulnerabilities
Ignorance, Indifference and Lack of Knowledge of Cyber Threat 
        Protection
    Hoosier Energy's cybersecurity program ensures all levels of the 
organization are appropriately engaged. Responsibilities are clearly 
delineated among leadership and those responsible for direct 
cybersecurity activities.
    Training and awareness programs are required for all who have 
access to cyber assets critical to the reliability of the BES. Training 
covers why Hoosier Energy's program is important, how it protects us 
and the relevant responsibilities. In addition, Hoosier performs 
awareness exercises exemplified by a Spearphishing exercise in 2013 
that reduced click-thru rates from 30 percent to 2 percent.
Information Exfiltration
    Hoosier Energy maintains an information protection program that 
identifies and classifies critical information, how it can be shared 
and with whom it can be shared.
Network-Based Cyber Attacks
    Hoosier Energy maintains a separate, isolated network through the 
use of an electronic security perimeter (ESP) that isolates its 
critical cyber assets from less secure corporate network and 
neighboring utility connections. All communication is denied by 
default. Allowed communications are limited to specific protocols and 
approved sources from outside the ESP.
Direct Attack on Cyber Assets
    Like in the ESP, communication is denied by default at each 
individual cyber asset.
    In addition:
      --All relevant security patches are applied judiciously
      --Malicious software prevention is installed and kept current
      --Strong passwords are required and changed periodically
      --Unnecessary physical ports are blocked or disabled
Unauthorized Access and Changes to Cyber Assets and Protective Systems
    All access is provisioned on the principle of need-to-know. No 
access is granted without first successfully completing a background 
check.
    ESP communications are monitored and logged around the clock. Any 
change in configuration or any attempts at unauthorized access 
automatically creates an alert.
    The WinCMU creates a baseline for each protected cyber asset. The 
WinCMU performs a daily comparison of the actual configuration and the 
baseline to systematically identify and alert on unexpected changes.
Physical Attack on Cyber Assets
    All critical cyber assets are protected within a physical security 
perimeter (PSP) with access controlled using key cards, monitoring and 
logging.

    Senator Landrieu. Thank you very much for that excellent 
testimony.
    Mr. Peters with Entergy.
STATEMENT OF CHRISTOPHER PETERS, VICE PRESIDENT NERC/
            CRITICAL INFRASTRUCTURE PROTECTION 
            COMPLIANCE, ENTERGY CORPORATION
    Mr. Peters. Good afternoon, Chairwoman Landrieu, Ranking 
Member Coats. Let me begin by thanking you for convening this 
panel and for inviting Entergy to participate. I'm pleased to 
appear here today to discuss Entergy's point of view on cyber 
and physical security threats to our system, the benefits of 
the public-private partnership process, and our experiences to 
date interfacing with the Electricity Sector Information-
Sharing and Analysis Center (ES-ISAC).
    By way of background, Entergy Corporation is an integrated 
energy company engaged primarily in electric power production 
and retail distribution. For some time now, Entergy has 
recognized the uptick in cyber and physical threats that have 
the potential to impact the reliability, safety, and security 
of our operations and the Nation's power grid. We accord such 
threats the same attention as we have always given the forces 
of nature, including ice storms, tornadoes, hurricanes, floods, 
and extreme heat, all of which can threaten the delivery of 
safe, reliable power.
    Entergy supports a comprehensive strategy to managing our 
cyber and physical security defenses. This strategy leverages 
our corporate resources to minimize impacts from intentional 
and unintentional cyber or physical threats to our energy 
portfolio.
    Importantly, these threats have strong support at the board 
of director and CEO level, which we believe is essential to 
implementing an enterprise-wide security program with the right 
amount of people for a security workforce and sufficient 
funding of the technologies required to deal with threats and 
breaches.
    The threat landscape is inherently unpredictable and 
evolving, which is why mastering the fundamentals of cyber and 
physical security is best the best defense. In most cases 
attacks exploit lapses in basic operations that have been 
either ignored or which were not fully deployed.
    One priority for Entergy is threat management. When a new 
threat emerges, Entergy conducts an internal review of our 
defense in depth plans to validate the existing security 
control framework and make changes as necessary. Accordingly, 
increasing physical security threats to energy delivery 
infrastructures have triggered reviews and updates to our 
security plans and posture, including the implementation of 
additional physical security controls in key facilities.
    Public-private partnership participation is a key element 
in our cyber and physical security program and can be a 
significant force multiplier when leveraged. To strengthen our 
posture, over the past several years we have participated in a 
number of public-private programs. Allow me to highlight one 
program we feel is particularly helpful. Since 2008 Entergy has 
received and responded to over 40 NERC alerts related to grid 
security threats from the ES-ISAC. Based on the content of each 
alert, we quickly assemble cross-functional teams of subject 
matter experts to evaluate the highlighted vulnerabilities, 
assess potential impacts, and carry out appropriate mitigation 
steps.
    Entergy considers the ES-ISAC a vital partner in achieving 
electric sector-wide situational awareness, improving national-
level response and coordination, and fostering collaboration 
among key electric sector stakeholders.
    The public-private partnership model is not perfect and 
will continue to evolve over time to ensure that the private 
sector can realize maximum value from our federally funded 
programs and technologies. Every utility must drive the daily 
transformation of their own cyber and physical security 
programs to defend against constantly changing threat 
landscapes.
    Before concluding, I'd like to add that Entergy is a strong 
advocate of regulations and legislation that would bolster 
information-sharing between public and private entities about 
cybersecurity risks and events, allowing that the protections 
are built in for confidentiality and non-recourse. We believe 
access to information of this kind will help enhance the 
security posture of utilities.
    Thank you again for giving Entergy the opportunity to share 
its views and I hope you found these comments helpful. We look 
forward to continuing to work with you in the coming year to 
ensure strong public-private relationships aimed at better 
securing the energy sector's critical infrastructure. I'm happy 
to answer any questions you may have.
    [The statement follows:]
                Prepared Statement of Christopher Peters
    Good afternoon, Chairwoman Landrieu, Ranking Member Coats, and 
distinguished members of the subcommittee. Let me begin by thanking you 
for convening this panel and for inviting Entergy to participate. My 
name is Chris Peters and I am Entergy's vice-president for NERC and 
Critical Infrastructure Protection compliance, reporting to Entergy's 
executive vice president and chief operating officer.
    I am pleased to appear here today to discuss Entergy's point of 
view on cyber and physical security threats to our system, the benefits 
of the public-private partnership process, and our experiences to date 
interfacing with the Electricity Sector-Information Sharing and 
Analysis Center (ES-ISAC).
    By way of background, Entergy Corporation is an integrated energy 
company engaged primarily in electric power production and retail 
distribution. Entergy owns and operates power plants with approximately 
30,000 megawatts of electric generating capacity, including more than 
10,000 megawatts of nuclear power. We deliver electricity to 2.8 
million customers in Arkansas, Louisiana, Mississippi, and Texas. We 
have approximately 14,000 employees.
    For some time now, Entergy has recognized the uptick in cyber and 
physical threats that have the potential to impact the reliability, 
safety and security of our operations and the Nation's power grid. We 
accord such threats the same attention as we have always given to 
forces of nature, including ice storms, tornadoes, hurricanes, floods, 
and extreme heat--all of which can threaten the delivery of safe, 
reliable power.
    Entergy supports a comprehensive strategy to managing our cyber and 
physical security defenses. This strategy leverages our corporate 
resources to minimize impacts from intentional and unintentional cyber 
or physical threats to our energy portfolio. Importantly, these efforts 
have strong support at the Board and CEO level, which we believe is 
essential to implementing an enterprise-wide security program with the 
right amount of people for a security workforce and sufficient funding 
of the technologies required to deal with threats and breaches.
    The threat landscape is inherently unpredictable and evolving, 
which is mastering the fundamentals of cyber and physical security is 
the best defense: In most cases successful attacks exploit lapses in 
basic operations that have been either ignored or which were not fully 
deployed.
    One priority for Entergy is threat management. When a new threat 
emerges, Entergy conducts an internal review of our defense-in-depth 
plans to validate the existing security control framework and make 
changes as necessary. Accordingly, increasing physical security threats 
to energy delivery infrastructures have triggered reviews and updates 
to our security plans and posture, including the implementation of 
additional physical security controls at key facilities.
    Public-private partnership participation is a key element in our 
cyber and physical security program and can be a significant force 
multiplier when leveraged. To strengthen our posture, over the past 
several years we have participated in a number of public-private 
programs:
      --The Government Forum of Incident Response and Security Team 
Conference;
      --The FBI's Classified Cybersecurity Threat Briefings;
      --NERC's GridEx and GridEx II sector-wide exercises;
      --DOE's Electricity Subsector Cybersecurity Capability Maturity 
Model (ES-C2M2) and the Control Systems Cybersecurity Training 
delivered by Idaho National Labs;
      --More than a few DHS' initiatives, including: Monthly 
Unclassified Nuclear Sector Threat Teleconferences, the Control Systems 
Cybersecurity Program, the Cyber Security Evaluation Tool (CSET), 
Classified Nuclear Cybersecurity Threat Briefings at the National 
Security Agency, the Enhanced Critical Infrastructure Protection 
Initiative, and the Cyber Storm III exercise; and
      --Lastly, Entergy worked closely with NIST and participated in 
several workshops during the drafting of the Cybersecurity Framework in 
relation to Executive Order (EO) 13636: Improving Critical 
Infrastructure Cybersecurity.
    Allow me to highlight one program we feel is particularly helpful. 
Since 2008, Entergy has received and responded to over 40 NERC alerts 
related to grid security threats from the ES-ISAC. Based on the content 
of each alert, we quickly assemble cross-functional teams of subject 
matter experts (SMEs) to evaluate the highlighted vulnerabilities, 
assess potential impacts, and carry out appropriate mitigation steps. 
Entergy considers the ES-ISAC to be a vital partner in achieving 
electric sector-wide situational awareness, improving national-level 
response and coordination, and fostering collaboration among key 
electric sector stakeholders.
    The public-private partnership model is not perfect and will 
continue to evolve over time to ensure that the private sector can 
realize maximum value from federally funded programs and technologies. 
Every utility must drive the daily transformation of their own cyber 
and physical security programs to defend against constantly changing 
threat landscapes.
    Before concluding, I would like to add that Entergy is a strong 
advocate of regulations and legislation that would bolster information 
sharing between public and private entities about cybersecurity risks 
and events. Allowing that protections are built in for confidentiality 
and non-recourse, we believe access to information of this kind will 
help enhance the security posture of utilities.
    Thank you for giving Entergy the opportunity to share its views and 
I hope you've found these comments helpful. We look forward to 
continuing to work with you in the coming year to ensure strong public-
private relationships aimed at better securing the energy sectors' 
critical infrastructure. I am happy to answer any questions you may 
have.

    Senator Landrieu. Thank you all very much.
    Let me begin with a question to each of you, starting with 
Dr. Katz. If you could recommend in a minute or less something 
for the Department of Homeland Security to focus on improving 
their current operations--I agree with Senator Coats that the 
Department has turned the corner. They have the appropriate, I 
think, leadership in place on this issue. Lots of initial 
challenges have been sorted out. But if you could give 1 minute 
of testimony about what you would suggest Homeland Security do; 
take the next step in a specific area, whether it's in 
education, whether it's in collaboration, whether it's in 
authorization, et cetera, et cetera, what would you say?
    Dr. Katz. From my point of view, I think really focusing on 
cybersecurity workforce development will be very helpful. I 
think you hit the nail on the head in the previous panel when 
you mentioned that the requirements for cybersecurity 
professionals really need to be laid out precisely, because 
hearing that 200,000 students a year are needed is not very 
helpful unless we know precisely what kind of background those 
professionals need and, really more importantly, without an 
understanding of the fact that those 200,000 professionals are 
not all going to be identical. They're going to be people--
you're going to need people with different needs and different 
backgrounds, and breaking that out further and really 
understanding that would be a big step forward and would allow 
the Nation's academic institutions to better prepare to meet 
that need.
    Senator Landrieu. Yes, and I'm going to continue to press 
my staff and other staffs and any witnesses. If there is such 
an effort going on, in a comprehensive, clear way trying to 
identify that specifically, I'd like to know about it, because 
I keep looking and haven't found it. For instance, in your 
testimony you said you've graduated 4,000 in cybersecurity-
related fields. Would that include math? Would that include 
general math or economics, et cetera?
    Dr. Katz. Actually, I believe it's fairly broad, so 4,000--
--
    Senator Landrieu. Is very broad, and it's ``cyber-related 
fields.'' Well, you know, our Nation has a great demand for 
math teachers that have to go into the classroom to teach 
traditional math. We can't doublecount. Those are teachers we 
need for the math classroom. Where are our math graduates going 
into--this is additional cyber.
    I really am going to continue to press on this until I can 
get a clear understanding to make sure we're moving in that 
direction. But thank you for that.
    What would you say at CenturyLink--and I really appreciate 
understanding the role that the Internet providers--and there 
are three main providers, correct, AT&T, Verizon, CenturyLink? 
Who else would you put on that list?
    Mr. Mahon. We would be the top three.
    Senator Landrieu. Is it fair to say that everybody's 
business comes through your networks, everybody's?
    Mr. Mahon. At one point or another, that's an accurate 
statement.
    Senator Landrieu. So one thing to consider is the outward 
perimeter, that you're it. If your systems can be secure and 
our Government partnership with the three of you can be very 
good and solid, together we could do a lot of protection for 
what's inside of that perimeter, is kind of the way I'm 
thinking about it. Is that how you talk with Verizon and AT&T, 
and what would you say to the Department of Homeland Security 
about that?
    Mr. Mahon. Your assessment is correct. What I would say 
about the Department of Homeland Security is, while they do 
have very good programs with ECS and E3A, we do need to move it 
to the next level. The majority of the Homeland Security 
information-sharing model is a one-size-fits-all. They get 
broad-based information from other Government agencies, they 
put it in a format suitable for dissemination across all 
verticals, all infrastructures, small to large corporations. 
While that's very helpful, if you are a small to medium-sized 
company and don't have a sophisticated information security 
program it is of limited value to the larger corporations, 
particularly the critical infrastructures.
    The analogy that I often use is that you're invited to a 
wedding and you can bring a gift to the bride. She certainly 
appreciates it, but she would prefer you go to her wedding 
registry and select something she really needs.
    That's really where we need to go today. We have very 
specific collection requirements on how to protect our network. 
We do not have access to all the threat information, and I 
believe the Government, whether it's through the Department of 
Homeland Security or other agencies, would be of better 
assistance to us if we gave them very specific requests to see 
if they could be fulfilled for information.
    Senator Landrieu. Thank you. That's very helpful.
    Mr. Bowers, what would you say?
    Mr. Bowers. I would say that our exposure to DHS has been 
fairly limited. Most of what we have done has been primarily 
through FERC, NERC, and the regional entities that work 
underneath NERC.
    Senator Landrieu. The reason for that, just to clarify--you 
of course know it--is that this grid or this infrastructure is 
the only mandatory regulated infrastructure, to my 
understanding, the electric grid, through FERC and NERC. So the 
other private sector companies that have financial 
infrastructure or other energy infrastructure are not. And it's 
been the problem or the challenge, as Senator Coats has pointed 
out, it's hard to get the groups together to figure that out.
    But you in the electric sector are working through it 
fairly well. I know there have been problems, but would you say 
that that's generally correct?
    Mr. Bowers. Yes, I would agree with that. We've certainly 
seen tremendous progress over the 7 years. I think as we've 
worked with the respective Federal agencies and as they've 
gotten to know us better, as we've gotten to know them better, 
it's certainly created a much more productive partnership.
    As it relates to funding or areas of emphasis, I'll go back 
to a couple of things that I mentioned. Obviously, providing 
funds to help bolster and streamline the information-sharing 
process. One of the things is being able to get real-time 
information that is actionable. A lot of times that's not the 
situation, and I know that's not the goal. The goal is for 
everyone involved to be able to try to avoid these types of 
situations, and when they do occur obviously to then mitigate 
them to the best of our ability.
    In addition, I mentioned supporting or the expansion of 
security clearances. I think that will be beneficial to the 
information-sharing component. Then also, just as we've 
continued to work through these various standards, bringing 
that level of consistency, both in the standards, the 
interpretation, as well as the auditing consistency, would be 
areas of emphasis for our perspective.
    Senator Landrieu. Mr. Peters, and then we'll get to Senator 
Coats for his questions.
    Mr. Peters. Senator, I think DHS has done a great job at 
raising awareness around control system security, and it's my 
understanding that 80 percent of the control systems that are 
coming on line have been tested for various types of cyber 
intrusions and basic security features. As we look to upgrade 
our legacy control systems to next generation, that increased 
funding and support for R&D for control systems that have 
advanced cyber features would be very beneficial. I know 
there's been a tremendous amount of success between DHS, the 
Idaho National Labs, and various control systems vendors in 
this area. So I would recommend championing continued support 
for that area.
    Senator Coats. Mr. Mahon, how do you work with the smaller 
businesses, the community banks, the smaller retails, smaller 
investment houses, and so forth? Obviously, the bigs--and we 
just have to look at the response of Target and, say, Neiman 
Marcus and others--have spent a very considerable amount of 
money to upgrade their systems, to put more security in place, 
at very, very considerable cost.
    But the smaller entities really can't afford to do that. 
Yet they have the same vulnerabilities, maybe not to as many 
people, but to sizable--and Scott, I think I would ask you 
also. You know, you're serving more rural communities, 
customers and so forth. How do you find the resources to do 
what you need to do and keep everybody on an even keel?
    Mr. Mahon. Well, the small to mid-sized businesses have 
concluded, Senator, exactly what you just stated, that the cost 
of IT and the type of cybersecurity protections they need they 
cannot afford. One of our lines of products and services is 
referred to as Managed Security Services. We spend the time 
with those customers explaining our information security 
program, the security across our core network, and our Managed 
Security Services products.
    When they look at these types of products they can acquire 
through companies like CenturyLink, they can frequently make 
the informed decision that it is better actually to outsource 
your security to companies like CenturyLink, because we can 
provide them with subject matter experts and a scale model that 
they could not have an equivalent model of should they decide 
to build it on their own.
    They are also suffering from the same shortage of 
professionals in the industry. The larger corporations 
obviously are able to attract them away with a little bit more 
sophisticated work in some situations. So they also suffer from 
workforce development issues.
    Senator Coats. Scott.
    Mr. Bowers. Senator, I think it ultimately comes back to 
what our mission is, and our mission is to provide safe, 
reliable, and affordable electricity to the members that we 
serve. I would throw ``secure'' into that as well, based on the 
dynamics of the last decade plus.
    With that, our distribution cooperatives are our first 
line. They work very closely with their two G&Ts. The G&Ts take 
and have more interaction with the Federal Government as it 
relates to these issues, but with the G&Ts and the distribution 
cooperatives, they work very closely together to make sure that 
they are making--that the distribution systems are secure.
    Our distribution cooperatives obviously are very concerned 
about the security of our member personal data. Those are 
things as foundational of who we are and that we are member-
owned. It's very near and dear to us and ultimately to who we 
are, and we have to make sure that we provide the reliability 
and security and make those investments, while also trying to 
balance the affordability aspect on top of that.
    Senator Coats. I'll take a response from anybody on the 
panel. How do you provide for security against insider access, 
the equivalent of a Snowden, but within the retail sector or 
the financial sector or whatever here, not the intelligence 
sector? What types of security procedures and hiring procedures 
and security clearances and so forth and monitoring that, of 
course?
    We hear today that, as has been indicated, there are just 
independent actors that somehow want to cause some chaos, 
whether for personal gain or whether for just the sport of it. 
How do you monitor all that and ensure that you don't fall 
victim to something like that?
    Mr. Mahon. We have an insider threat program at 
CenturyLink. It depends upon where you are in the organization. 
If you're working classified work, you have security clearances 
and the Government process around that, as you know, is pretty 
rigorous.
    But also, there are other positions within the company that 
you also have to be super-vigilant around. We have some 
baseline background checks we do on all employees as they enter 
the organization. But really the insider threat is just the 
problem, the fact that they're an insider. So really it becomes 
more of a training program for your managers and your 
supervisors to spot concerning behavior, so they understand 
when someone is performing in a manner that is out of the norm.
    These types of events that we frequently see in the media 
of an insider doing extensive damage, if you were to do an 
after-action on them you would learn most typically that there 
were signs of behavior that came to the attention of key 
supervisors, other employees, or managers. They just either 
weren't trained to spot it, they didn't realize the 
significance of it, or they didn't have a way to report it to 
the appropriate organization that could do something about it.
    So there is a very formal insider training program in a lot 
of corporations like CenturyLink and they are effective. Do you 
still have problems? Obviously, you can't spot everyone who's 
an insider. But there are ways to manage those risks to an 
acceptable level.
    Senator Coats. Anybody else want to address that?
    [No response.]
    Senator Coats. My time has run out and our time I think has 
run out. We can submit questions for further response, but I 
want to thank all of you and thank the Chair for convening this 
hearing, and thank all of you for participating in this. This 
is a critical issue that we need to get it right, because, as 
our former Homeland Security Secretary once said, the 
perpetrators or the criminals, the actors, the States, et 
cetera, they only have to be successful once; we have to be 
successful 100 percent of the time in trying to stop all their 
efforts. So it's a real challenge. I appreciate all of your 
work in terms of trying to keep us safe from all these cyber 
attacks and intrusions.
    Thank you.
    Senator Landrieu. Yes, and thank you, Senator Coats, for 
your leadership. We wanted to conduct this hearing jointly and 
the Senator provided a lot of background to allow us to do 
that.
    I thank all of our witnesses for your testimony today. I am 
committed to doing all we can in this subcommittee to continue 
to focus on these issues.

                     ADDITIONAL COMMITTEE QUESTIONS

    We're going to leave the record open for 2 weeks. Questions 
should be submitted to the committee staff by close of business 
Wednesday, May 21.
    [The following questions were not asked at the hearing, but 
were submitted to the Department subsequent to the hearing:]
               Questions Submitted to Dr. Phyllis Schneck
            Questions Submitted by Senator Mary L. Landrieu
                          workforce development
    Question. Deputy Under Secretary Phyllis Schneck, has the Secretary 
decided to reassess all of the cybersecurity education, training, and 
outreach goals of the Department--including the goal to educate 1.7 
million students by 2021?
    If so, in what timeframe will the reassessment be completed?
    What analysis and method will be used to create a metric that meets 
the nature of the threat?
    Answer. The Department of Homeland Security (DHS) has conducted a 
reassessment of its combined efforts to provide cybersecurity 
education, training, and outreach throughout the Nation. The Department 
determined that it can reach the goal of 1.7 million American students 
of all ages within the original timeframe through a unity of effort 
across the Department. The 1.7 million students include participants in 
a number of programs:
      --DHS continues the Integrated Cybersecurity Education 
Communities (ICEC) project and will extend the grant that supports this 
project, providing an additional $5 million to the grantee to ensure 
that the project grows in the summer of 2015.
      --DHS continues to support the National Centers of Academic 
Excellence and Scholarship for Service programs, which collectively 
reaches over 18,000 students per year.
      --DHS sponsorship of cybersecurity competitions, particularly at 
the high school level, increases the number of students receiving 
hands-on education in cybersecurity by approximately 12,000 students 
each year.
      --The Federal Virtual Training Environment and Cybersecurity 
Training Events are available to 125,000 students each year.
      --The National Initiative for Cybersecurity Careers and Studies 
(NICCS) portal directs thousands of Americans across the country to 
cybersecurity education and training programs each year.
    Pertaining to your question on the analysis and methods used to 
create a metric that meets the nature of the threat: The cybersecurity 
threat is dynamic and consists of nation-States, criminal 
organizations, individual actors, and systems degradation. The 
Department approaches its cybersecurity and its broader critical 
infrastructure security and resilience missions from a risk management 
perspective which incorporates associated threats, vulnerabilities and 
consequences. Under the National Infrastructure Protection Plan (NIPP), 
the critical infrastructure community evaluates the effectiveness of 
risk management efforts within sectors and at national, State, local, 
and regional levels by developing metrics for both direct and indirect 
indicator measurement.
    Within the NIPP structure, sector specific agencies work with 
representatives from private industry (sector coordinating councils or 
SCCs)--to bring insight to both sides in each sector. Such measures 
inform the risk management efforts of partners throughout the critical 
infrastructure community and help build a national picture of progress 
toward the vision of the NIPP as well as the National Preparedness 
Goal. Among other functions, the NIPP evaluation process also includes 
the collection of performance data to assess progress in achieving 
identified outputs and outcomes, and assessing progress toward 
achievement of the national priorities, goals and vision.
    DHS also places tremendous value on the effectiveness of our cyber 
specific programs, and is continuously exploring new ways to increase 
their impact. A key focus is on the future of cyber threats, and how to 
quantify mitigations that must be built today in order to be in place 
when needed later. For example, NPPD is studying the effectiveness of 
delivering classified indicators through the Enhanced Cyber Security 
Services (ECS) program to determine the appropriate balance of cost, 
benefit, and impact per indicator. While this balance can be hard to 
determine, it is the only technology that can defend at the network 
perimeter against some of the most crippling threats, such as 
destructive malware, and is priceless in an instance that could save an 
entire network or organization from a crippling attack.
   protection of federal networks and working with the private sector
    Question. Deputy Under Secretary Schneck, what is the Department 
doing specifically to look long term at the effectiveness of Einstein, 
Continuous Monitoring and Diagnostics, and all the rest of the suite of 
acquisitions and programs to protect networks and plan for major 
procurements?
    How do you know programs are continuing to be innovative?
    How is the Department including industry in this planning so that 
they can also plan long term for investments in solutions?
    Answer. Effectiveness of the Continuous Diagnostics and Mitigation 
(CDM) program is monitored through annual performance targets, 
performance measures, and quarterly reports. Once the program has 
entered the operations and maintenance phase, it will conduct annual 
operational assessments, consistent with applicable DHS requirements 
and OMB Guidance for Information Technology Business Cases (formerly 
known as Exhibit 300s).
    The National Cybersecurity Protection System (NCPS) program office 
tracks effectiveness of the ENSTIEN system and the protection it offers 
through a number of different means. By analyzing intrusion prevention 
alerts that are generated based on both commercial and Government-
provided classified cyber indicators the program office is able to 
better understand the effectiveness of the information that is being 
used to take action on malicious traffic. The Cyber Pilot Program (CPP) 
also works to identify gaps in current capabilities and initiates pilot 
programs that may bring new value. For example, while signature-based 
systems will continue to have a place in cyber defense for the 
foreseeable future, there is recognition that behavioral-based systems 
are also required as part of defense in-depth. The NCPS Program Office 
is currently in the process of planning a CPP pilot that is analyzing a 
behavior-based system in a real-world Department/Agency Security 
Operations Center (SOC).
    As EINSTEIN and Continuous Diagnostics and Mitigation capabilities 
are deployed across Federal Executive Branch civilian agencies, the 
Department will continue to measure the impacts of these capabilities 
on the security posture of Federal agencies. Even facing increased 
threats, impacts can be reduced using real-time action and the ability 
to leverage what was learned in each event to protect ourselves and 
others from future attempts. Furthermore, over the long term, the 
Department recognizes that the cyber threat landscape evolve quickly 
and, as such, it will identify pursue cybersecurity solutions that 
quickly close gaps in network protection.
    Overall, CDM and EINSTEIN are designed to fuse together in the 
future, to create a presence within the .gov for detection of threats 
at the perimeter and inside each network. That presence manifests in 
intrusion detection/prevention and CDM capabilities, but also serves as 
information collection across the .gov. This situational awareness can 
leverage the power of the fastest computers to correlate events seen on 
different networks and form intelligence that can mitigate threats that 
previously would have gone unnoticed.
    Pertaining to your question on knowing the programs will continue 
being innovative: The NCPS and the CDM program are deeply committed to 
continued innovation. They are structured to be responsive to the 
constantly evolving and dynamic threat environment by taking advantage 
of the private sector's business imperative to remain innovative for 
competitive purposes. Within NCPS, EINSTEIN's Intrusion Prevention 
Security Service (IPSS) will be deployed as a managed commercial 
service provided by the major Tier 1 Internet Service Providers. 
Deploying IPSS as a managed service allows those services to evolve at 
industry speed based on best commercial practices.
    At its inception, the CDM program decided in the interest of 
efficiency, expediency and effectiveness to pursue commercial best fit 
in acquiring necessary tools for continuous diagnostics and mitigation. 
The CDM Tools/Continuous Monitoring as a Service (CMaaS) blanket 
purchase agreement (BPA) is based on General Services Administration 
Schedule 70 and includes a process by which the BPA can be updated as 
new commercial off-the-shelf products become available and are judged 
to be technically acceptable to meet the requirements of the CDM 
program. Furthermore, a feature of the BPA requires each of the vendor 
companies to regularly perform technology refresh of solutions that are 
proposed and delivered to departments and agencies.
    In an effort to ensure that the program has the ability to evolve 
and adapt to emerging technologies, the NCPS program office has ensured 
that it has a flexible infrastructure that can accommodate a range of 
technologies and scale them to meet real world scenarios. For example, 
in support of the NCPS Block 2.2 Information Sharing capability, the 
program office has focused initial efforts on deploying the key 
infrastructure components necessary to support information sharing such 
as Identity, Credential & Access Management (ICAM), a secure portal to 
provide a user interface, an enterprise service bus to support data 
translation between applications, and a Cross-Domain Solution (CDS) to 
support data exchanges at different classification levels. 
Additionally, as the number of incidents increase, more data is 
collected from the incidents themselves and is then correlated and 
disseminated. This information sharing will reduce impacts due to 
better real time detection, and our ability to use each event to 
protect the larger ecosystem.
    Information sharing takes two forms: human and machine. Human 
information sharing includes personal relationships, as well as reports 
generated from data collected and correlated by NPPD programs that is 
formed into a human-informative visualization or reports. Information 
in the form of cyber threat indicators can be sent between machines at 
Internet speed, so that when a threat targets a site, that site already 
knows of the threat as it was alerted by an indicator.
    Overall, CDM and EINSTEIN are designed to fuse together in the 
future, to create a presence within the .gov for detection of threats 
at the perimeter and inside each network. That presence manifests in 
intrusion detection/prevention and CDM capabilities, but also serves as 
information collection across the .gov. This situational awareness can 
leverage the power of the fastest computers to correlate events seen on 
different networks and form intelligence that can mitigate threats that 
previously would have gone unnoticed.
    Pertaining to your question on how the Department is including 
industry in the planning: CDM has a long history of collaboration with 
industry, using technologies developed in private sector and 
continually reconnecting with their private sector vendors to ensure 
that the CDM leverages the latest private sector innovations.
    Prior to release of the original Blanket Purchase Agreement (BPA), 
in June and August 2012, the program held industry days to provide 
insight into the program's upcoming solicitation approach. Once the BPA 
was established in August 2013, the program conducted additional 
Industry Days (regarding the next set of solicitations for CDM tools 
and integration services for up to 60 agencies), training (both 
overview and hardware asset management), special notices, advanced 
notices, Web sites and considering other means to ensure active 
collaboration with industry.
    The CDM program actively collaborates with its Agency stakeholders, 
as well as the 17 vendor companies that hold prime contracts under the 
BPA. The program has an established Leap Ahead technologies program 
that conducts outreach with industry to be kept apprised of 
technological developments as they are made available commercially. The 
Program is budgeted to manage the procurement and program lifecycle 
activities to include a BPA recompete starting in fiscal year 2017.
    The NCPS Program Office utilizes Requests for Information (RFI) and 
actively participates in Industry Days at both the Department and 
program level to keep industry informed. Additionally, NSD's Cyber 
Pilot Program conducts market research as part of its gap analysis 
process.
                                 ______
                                 
              Questions Submitted by Senator Thad Cochran
    Question. I think we understand the importance of traditional 
ranges for testing and exercising with conventional weapons like 
aircraft, guns, or missiles.
    Could you explain to the subcommittee the function and value of 
developing and utilizing ranges in the cyber domain? Are there ongoing 
efforts to connect the cyber ranges so that we can test cyber tools on 
more realistic virtual ranges and perform larger, more high fidelity 
exercises in the cyber domain?
    Answer. Ranges in the cyber domain allow cyber professionals to 
test system operations and their own skills and abilities. Overall, 
ranges directly contribute to DHS's commitment to ensuring that 
operational software and/or hardware systems are validated against both 
best practices and the systems' compliance with Government 
requirements. NPPD leads the Federal Government's effort to secure 
civilian Government computer systems, and work with industry and State, 
local, tribal, and territorial governments to secure critical 
infrastructure and information systems. DHS must validate information 
system security configurations both prior to and after deploying the 
system in an operational environment. With these requirements in mind, 
cyber ranges provide a controlled, predictable environment where 
operational systems can be tested and evaluated against known stressors 
such as cyber attacks or improper configuration. For example, a 
simulated environment could be used to conduct user acceptance training 
and to complete performance and load testing of the National 
Cybersecurity Protection System (NCPS) applications. This type of 
environment would inject real-world threat data and measurement 
instruments, offering a valuable realistic training experience for 
personnel.
    In addition to NPPD programs, operational elements across the DHS 
enterprise could also leverage a range to validate and test the 
capabilities of present and future security and forensics products. A 
range that allows for large-scale testing within an adaptable 
environment would provide the capability to verify the potential 
benefits of products and tools before purchase, test tools against new 
threats, and allow personnel to familiarize themselves with innovative 
tools.
    Pertaining to your question on ongoing efforts to connect to cyber 
ranges: Yes, the DOD Enterprise Cyber Range Environment Forum has 
developed a charter to federate the cyber ranges across the DOD 
enterprise so that tools testing capability can be integrated with the 
ability to conduct exercises.
    Question. There has been much discussion about how involved the 
Federal Government should be in defending infrastructure owned by non-
Federal entities.
    How would you define the threshold for what types of non-Federal 
infrastructure might qualify as ``critical'' for these purposes?
    Answer. The Federal Government does not have thresholds for when it 
would defend non-Federal infrastructure from cyber attacks. The 
Department, working with public and private sector partners, has 
identified infrastructure--both public and private--where a 
cybersecurity incident could reasonably result in catastrophic regional 
or national effects on public health or safety, economic security, or 
national security. The resulting list of entities, identified under 
Executive Order 13636, has been briefed to relevant Congressional 
Committees and the entities themselves have been notified of their 
designation.
    The statutory definition of critical infrastructure is, ``Systems 
and assets, whether physical or virtual, so vital to the United States 
that the incapacity or destruction of such systems and assets would 
have a debilitating impact on security, national economic security, 
national public health or safety, or any combination of those 
matters.'' 42 U.S.C. section 5195c(e). Cooperation with these entities 
and clearly defining lanes of responsibility across the Federal 
Government are vitally important for our engagement with these 
entities.
    We have heard about the importance of cooperation and clearly 
defined lanes of responsibility across the Federal Government for our 
cybersecurity efforts.
    Question. What are your respective roles in receiving and sharing 
threat information with the private sector?
    Answer. DHS shares timely and actionable cybersecurity information 
across its partners and constituents to establish and maintain shared 
situational awareness. The types of cyber information DHS shares most 
often include alerts and warnings, analysis of actor tactics, 
techniques and procedures to aid in incident detection, indicators of 
malicious activity and supporting contextual information, best 
practices, vulnerability information and assessments, and trend 
analysis.
    Working across the department with our cyber capabilities housed in 
the U.S. Secret Service, Coast Guard, CBP, ICE, and others, DHS has 
several programs in place to help facilitate the sharing of timely, 
actionable information to and from the private sector:
      --The National Cybersecurity and Communications Integration 
Center (NCCIC) is a 247 center responsible for providing a common 
operating picture for cyber and communications across the Federal, 
State, and local government, intelligence and law enforcement 
communities, and the private sector. The NCCIC is based in DHS's Office 
of Cybersecurity and Communications (CS&C), a component of the National 
Protection & Programs Directorate (NPPD). On both a steady-state and 
emergency basis, it fuses, coordinates, and shares information from its 
operational elements, including the:
        --The U.S. Computer Emergency Readiness Team (US-CERT), which 
responds to cybersecurity incidents and analyzes information from 
multiple sources to develop timely and actionable alert and warning 
products for public and private sector partners.
        --The Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT), which works to reduce risk to the Nation's critical 
infrastructure through public-private partnerships and by providing 
onsite support to private sector industrial control systems owners and 
operators for protection against and response to cyber threats, 
including incident response, forensic analysis, and site assessments.
        --The National Coordinating Center for Telecommunications 
(NCC), which leads and coordinates the initiation, restoration, and 
reconstitution of National Security/Emergency Preparedness (NS/EP) 
telecommunications services or facilities under all conditions.
        --NCCIC Operations and Integration (NO&I), which leverages 
planning, coordination, and integration capabilities to synchronize 
analysis, information sharing, and incident response efforts to ensure 
effective synchronization across capabilities.
        --Integrating information from all partners--private and public 
sectors, including State, local, tribal and Federal, in both the cyber 
and communications arenas--the NCCIC creates and shares a common 
operational picture, coordinates response activities, and protects our 
Nation's critical networks.
      --Through the Cybersecurity Information Sharing and Collaboration 
Program (CISCP), DHS has established a systematic approach to cyber 
threat information sharing and collaboration between DHS and the 16 
critical infrastructure sectors.
        --By sharing unclassified cyber threat indicators, DHS enables 
the detection, prevention, and mitigation of threats. This builds a 
more holistic understanding of cyber threat activity occurring across 
the 16 critical infrastructure sectors and across the Federal 
Government.
        --Through these partnerships, CISCP enables information sharing 
and collaboration with our critical infrastructure partners to share 
new cyber threat, incident, and vulnerability information This exchange 
is conducted in near-real time to enhance collaboration and to better 
understand the threat and improve network defense for the entire 
community.
        --A key aspect of CISCP is its bi-directional information 
sharing construct. CICSP participants submit indicators of cyber threat 
activity on their network to DHS that can be shared with other CISCP 
participants in an anonymized, aggregated fashion. Furthermore, the 
NCCIC allow cleared sector participants onto the NCCIC floor to ensure 
close coordination and communication when an event occurs.
                                 ______
                                 
             Questions Submitted by Senator Lisa Murkowski
    Question. The President's Executive Order (EO) 13636 on 
cybersecurity and its accompanying Presidential Policy Directive (PPD) 
21 directed the National Institute of Standards and Technology to 
develop a voluntary cybersecurity framework in partnership with private 
industry. As you know, the Energy Policy Act of 2005 established 
mandatory cyber and physical security standards for the electric 
industry through the Federal Energy Regulatory Commission/North 
American Electric Reliability Corporation (FERC/NERC) stakeholder 
process. Via the FERC/NERC stakeholder process these cybersecurity 
standards have been continuously updated and revised since the law's 
enactment to reflect ever-changing cyber threats. The industry is now 
on CIP Version 5 which includes 12 new requirements and also 
prioritizes cyber assets.
    How does the voluntary framework called for in EO 13636 and PPD-21 
interface with the mandatory standards already in place for the 
electric industry? For example, what if a voluntary measure under the 
NIST framework conflicts with a mandatory standard?
    Answer. Because the Cybersecurity Framework is a voluntary 
approach, organizations can determine how to best use the Framework so 
that it meets their business requirements. It is designed to be 
supplemental, not a replacement for industry regulations. If utilities 
are currently regulated, or become subject to regulation, then 
regulations would take compliance precedence and the Framework could be 
used to supplement these requirements.
    Question. What actions are DHS either currently undertaking or 
planning to undertake to protect the grid (at both the transmission and 
distribution level) from cyber threats? To what extent is DHS 
duplicating ongoing grid-protection efforts by FERC, NERC and State 
public utility commissions?
    Answer. The Department's National Protection and Programs 
Directorate (NPPD) supports critical infrastructure owners and 
operators in preparing for, preventing, protecting against, mitigating 
from, responding to, and recovering from all-hazards events, such as 
cyber incidents, terrorist attacks, and natural disasters. The National 
Infrastructure Coordinating Center (NICC) and the National 
Cybersecurity and Communications Integration Center (NCCIC) fulfill 
this DHS responsibility within the critical infrastructure partnership.
    Stakeholders throughout the critical infrastructure community--
owners and operators; Federal partners; regional consortia; and State, 
local, tribal, and territorial governments--can, and do, connect to the 
NICC and NCCIC. In turn, these centers, along with an integrated 
analysis function, build situational awareness across critical 
infrastructure sectors based on partner input and provide information 
with greater depth, breadth, and context than information from any 
individual partner or sector.
    As a part of the NCCIC's overall cyber coordination and response 
capabilities, NCCIC operates the Industrial Control Systems Cyber 
Emergency Response Team (ICS-CERT). ICS-CERT coordinates control 
systems-related security incidents and information sharing with 
government, and private sector constituents, including vendors, owners 
and operators, and international and private sector CERTs. The focus on 
control systems cybersecurity provides a direct path for coordination 
of activities among all members of the critical infrastructure 
stakeholder community as well as representatives from law enforcement. 
This effort spans all phases of electric power and includes:
      --Standards Development.--In 2010, ICS-CERT was a key member of 
the Smart Grid Interoperability Panel, Cyber Security Working Group 
which helped develop and issue the NIST Guidelines for Smart Grid Cyber 
Security (NISTIR 7628, September 2010).
      --Cybersecurity Assessments.--To date, ICS-CERT has directly 
assisted 50 asset owners in the electric subsector by performing these 
assessments and providing strategies for improving their defensive 
posture.
      --Vulnerability Handling and Dissemination of Mitigation 
Strategies.--To date, ICS-CERT has addressed over 600 vulnerabilities, 
many of which affect devices and software used in electric grid control 
systems.
      --Incident Response Services.--To date, ICS-CERT has provided 
incident response services to 114 electric sector organizations by 
analyzing malware, reviewing digital media from hard drives and log 
files, and recommending strategies for recovery and preventing future 
intrusions.
      --Training to improve asset owners' cybersecurity skills and 
practices:
        --ICS-CERT provides cybersecurity training to network 
administrators and control system professionals. Courses in 
cybersecurity principles and best practices are offered through on-line 
courses and instructor-led classes.
      --Situational Awareness.--ICS-CERT provides actionable 
situational awareness through briefings, alerts, advisories, and 
indicator bulletins. ICS-CERT conducts both unclassified and classified 
briefings and disseminates information on the Secure Portal and on its 
Web site.
    Pertaining to your question on the extent DHS is duplicating 
ongoing efforts by FERC, NERC, and State public utility commissions: 
DHS is not duplicating efforts with the Federal Energy Regulatory 
Commission (FERC), the North American Electric Reliability Corporation 
(NERC), or the State public utility commissions but rather ensuring 
coordination of efforts. As instructed by Presidential Policy Directive 
21, among other authorities, DHS provides cybersecurity information 
sharing, technical assistance and national coordination to enhance the 
security resilience of U.S. critical infrastructure. DHS does not 
directly provide the protection but assists critical infrastructure 
owners and operators in securing their own systems and coordinating 
their information sharing across sectors and between different 
partners.
    NCCIC/ICS-CERT coordinates regularly with NERC via the Electricity 
Sector Information Sharing and Analysis Center (ES-ISAC) to ensure 
sharing of incident related information and dissemination of 
information products. This eliminates duplication of effort when 
triaging threat and vulnerability information. ICS-CERT also partners 
with FERC to conduct assessments at utilities to ensure consistent 
messaging and a unified methodology for assessing cybersecurity. In 
addition, ICS-CERT hosts weekly Secure Video Teleconferences, and 
conducts monthly information sharing sessions with energy sector 
stakeholders via both classified and unclassified means, that are 
attended by the Department of Energy, the non-regulatory Office of 
Energy Infrastructure Security (OEIS) within the Federal Energy 
Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC), 
the Federal Bureau of Investigation (FBI), NERC and the ES-ISAC.
    Question. You testified that NPPD is working with DOE to implement 
a sustained outreach strategy to energy sector chief executive officers 
to elevate risk management of evolving physical and cyber threats to 
the enterprise level.
    Please explain more fully. What other sectors has DHS undertaken 
such an outreach effort with?
    Answer. In addition to incident response activities, ICS-CERT and 
the FBI, in coordination with the Department of Energy (DOE), the 
Electricity Sector Information Sharing and Analysis Center (ES-ISAC), 
Transportation Security Administration (TSA), the Oil and Natural Gas 
and Pipelines Sector Coordinating Council's Cyber Security Working 
Group, and other partners conducted a series of ``Action Campaign'' 
briefings at both the Secret and Unclassified levels to provide further 
context of a specific threat and to highlight mitigation strategies. 
The briefing campaign began in June 2013 and covered major markets 
across the United States. These classified briefings have reached over 
750 private sector attendees, many of whom were directly associated 
with power grid operations. Outreach activities in the form of risk and 
mitigation briefings play a key role in mitigating risks to critical 
infrastructure.
    While the energy sector was the focus for the action campaign 
briefings, NCCIC/ICS-CERT has always allowed other cleared sector 
participants to join these briefings. In addition, ICS-CERT holds 
regular monthly and quarterly classified and unclassified briefings for 
the nuclear, manufacturing, chemical, dams, water, transportation 
sectors.
    Question. You testified that ``[l]egislation providing a single 
clear expression of DHS cybersecurity authority would greatly enhance 
and speed up the Department's ability to engage with affected entities 
during a major cyber incident and dramatically improve the 
cybersecurity posture of Federal agencies and critical 
infrastructure.'' Such legislation, however, could undermine the 
mandatory cybersecurity standards we already have in place for the 
electricity industry as a result of the 2005 Energy Policy Act.
    Please comment. Is DHS proposing to usurp the grid protection 
authorities already granted by Congress to FERC and NERC?
    Answer. NERC and FERC have clear functions--one is to increase the 
functionality and reliability through standards for grid operations and 
the other is the U.S. regulator of grid owners and operators. The 
Administration is not seeking to supplant these efforts. Rather it has 
asked the Congress to codify the existing voluntary cybersecurity 
technical assistance and mitigation role the Department of Homeland 
Security (DHS) plays in supporting critical infrastructure.
    DHS is neither a regulator nor a standards body for the electric 
sector, but provides cybersecurity assistance through information 
sharing and technical assistance on a voluntary basis when requested. 
DHS, under PPD-21, is responsible for leading and coordinating the 
national effort to protect critical infrastructure from all hazards, 
including cyber incidents, by managing risk and enhancing resilience 
through collaboration with the critical infrastructure community. To 
achieve this end, DHS works with public and private sector partners, 
including the Department of Energy, FERC, and NERC, to identify and 
promote effective solutions for security and resilience to manage the 
evolving risk environment.

                         CONCLUSION OF HEARING

    Senator Landrieu. Without further business, the 
subcommittee is adjourned. Thank you.
    [Whereupon, at 3:30 p.m., Wednesday, May 7, the hearing was 
concluded, and the subcommittee was recessed, to reconvene 
subject to the call of the Chair.]